Add @signedGraphTag() and @signedGraphUrl() blade directives (#14269)

* More secure external graph access
Add @signedGraphTag() and @signedGraphUrl() blade directives
Takes either an array of graph variables or a url to a graph
Uses a signed url that is accessible without user login, embeds signature in url to authenticate access
See Laravel Signed Url for more details.
Adds Laravel route to graphs (does not change links to use it yet)
@graphImage requires the other PR
Also APP_URL is required in .env

* missing files from rebase

* Fix url parsing with a get string

* allow width and height to be omitted

* Documentation

* Add to, otherwise it will always be now

* Doc note for to and from relative security

* fix vars.inc.php (Laravel has a dummy url here)

includes/html/graphs/graph.inc.php

@@ -4,11 +4,6 @@ use LibreNMS\Config;
 
 global $debug;
 
-// Push $_GET into $vars to be compatible with web interface naming
-foreach ($_GET as $name => $value) {
-    $vars[$name] = $value;
-}
-
 [$type, $subtype] = extract_graph_type($vars['type']);
 
 if (isset($vars['device'])) {
@@ -18,14 +13,14 @@ if (isset($vars['device'])) {
 }
 
 // FIXME -- remove these
-$width = $vars['width'];
-$height = $vars['height'];
+$width = $vars['width'] ?? 400;
+$height = $vars['height'] ?? round($width / 3);
 $title = $vars['title'] ?? '';
 $vertical = $vars['vertical'] ?? '';
 $legend = $vars['legend'] ?? false;
 $output = (! empty($vars['output']) ? $vars['output'] : 'default');
-$from = empty($_GET['from']) ? Config::get('time.day') : parse_at_time($_GET['from']);
-$to = empty($_GET['to']) ? Config::get('time.now') : parse_at_time($_GET['to']);
+$from = empty($vars['from']) ? Config::get('time.day') : parse_at_time($vars['from']);
+$to = empty($vars['to']) ? Config::get('time.now') : parse_at_time($vars['to']);
 $period = ($to - $from);
 $prev_from = ($from - $period);
 
@@ -113,6 +108,10 @@ try {
         echo $output === 'base64' ? base64_encode($image_data) : $image_data;
     }
 } catch (\LibreNMS\Exceptions\RrdGraphException $e) {
+    if (\LibreNMS\Util\Debug::isEnabled()) {
+        throw $e;
+    }
+
     if (isset($rrd_filename) && ! Rrd::checkRrdExists($rrd_filename)) {
         graph_error($width < 200 ? 'No Data' : 'No Data file ' . basename($rrd_filename));
     } else {

includes/html/vars.inc.php

@@ -1,46 +1,6 @@
 <?php
 
-use LibreNMS\Config;
-
-foreach ($_GET as $key => $get_var) {
-    if (strstr($key, 'opt')) {
-        [$name, $value] = explode('|', $get_var);
-        if (! isset($value)) {
-            $value = 'yes';
-        }
-
-        $vars[$name] = strip_tags($value);
-    }
-}
-
-$base_url = parse_url(Config::get('base_url'));
-$uri = explode('?', $_SERVER['REQUEST_URI'], 2)[0] ?? ''; // remove query, that is handled below with $_GET
-
-// don't parse the subdirectory, if there is one in the path
-if (isset($base_url['path']) && strlen($base_url['path']) > 1) {
-    $segments = explode('/', trim(str_replace($base_url['path'], '', $uri), '/'));
-} else {
-    $segments = explode('/', trim($uri, '/'));
-}
-
-foreach ($segments as $pos => $segment) {
-    $segment = urldecode($segment);
-    if ($pos === 0) {
-        $vars['page'] = $segment;
-    } else {
-        [$name, $value] = array_pad(explode('=', $segment), 2, null);
-        if (! $value) {
-            if ($vars['page'] == 'device' && $pos < 3) {
-                // translate laravel device routes properly
-                $vars[$pos === 1 ? 'device' : 'tab'] = $name;
-            } else {
-                $vars[$name] = 'yes';
-            }
-        } else {
-            $vars[$name] = $value;
-        }
-    }
-}
+$vars = \LibreNMS\Util\Url::parseLegacyPathVars($_SERVER['REQUEST_URI']);
 
 foreach ($_GET as $name => $value) {
     $vars[$name] = strip_tags($value);