From 9faae11381f148221e12cafef31ea79351a96d7f Mon Sep 17 00:00:00 2001
From: Tony Murray <murraytony@gmail.com>
Date: Fri, 31 May 2019 07:43:12 -0500
Subject: [PATCH] Sanitize graph input (#10276)

Could execute arbitrary rrdtool commands such as cd and ls.
---
 LibreNMS/Util/Clean.php             | 22 ++++++++++++++++++++++
 includes/html/graphs/common.inc.php | 16 +++++++++-------
 2 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/LibreNMS/Util/Clean.php b/LibreNMS/Util/Clean.php
index f82bb4481d..0b84cb167a 100644
--- a/LibreNMS/Util/Clean.php
+++ b/LibreNMS/Util/Clean.php
@@ -43,6 +43,28 @@ class Clean
         return preg_replace('/[^a-zA-Z0-9\-._]/', '', $file);
     }
 
+    /**
+     * Sanitize string to only contain alpha, numeric, dashes, and underscores
+     *
+     * @param string $string
+     * @return string
+     */
+    public static function alphaDash($string)
+    {
+        return preg_replace('/[^a-zA-Z0-9\-_]/', '', $string);
+    }
+
+    /**
+     * Sanitize string to only contain alpha, numeric, dashes, underscores, and spaces
+     *
+     * @param string $string
+     * @return string
+     */
+    public static function alphaDashSpace($string)
+    {
+        return preg_replace('/[^a-zA-Z0-9\-_ ]/', '', $string);
+    }
+
     /**
      * Clean a string for display in an html page.
      * For use in non-blade pages
diff --git a/includes/html/graphs/common.inc.php b/includes/html/graphs/common.inc.php
index 9791e9c387..0c8f447b2a 100644
--- a/includes/html/graphs/common.inc.php
+++ b/includes/html/graphs/common.inc.php
@@ -1,15 +1,17 @@
 <?php
 
+use LibreNMS\Util\Clean;
+
 if ($_GET['from']) {
-    $from = mres($_GET['from']);
+    $from = (int)$_GET['from'];
 }
 
 if ($_GET['to']) {
-    $to = mres($_GET['to']);
+    $to = (int)$_GET['to'];
 }
 
 if ($_GET['width']) {
-    $width = mres($vars['width']);
+    $width = (int)$_GET['width'];
 }
 
 if ($config['trim_tobias']) {
@@ -17,7 +19,7 @@ if ($config['trim_tobias']) {
 }
 
 if ($_GET['height']) {
-    $height = mres($vars['height']);
+    $height = (int)$_GET['height'];
 }
 
 if ($_GET['inverse']) {
@@ -56,7 +58,7 @@ if ($_GET['title'] == 'yes') {
 }
 
 if (isset($_GET['graph_title'])) {
-    $rrd_options .= " --title='".$_GET['graph_title']."' ";
+    $rrd_options .= " --title='" . Clean::alphaDashSpace($_GET['graph_title']) . "' ";
 }
 
 if (!isset($scale_min) && !isset($scale_max)) {
@@ -83,11 +85,11 @@ $rrd_options .= ' -E --start '.$from.' --end '.$to.' --width '.$width.' --height
 $rrd_options .= $config['rrdgraph_def_text'].' -c FONT#'.$config['rrdgraph_def_text_color'];
 
 if ($_GET['bg']) {
-    $rrd_options .= ' -c CANVAS#'.mres($_GET['bg']).' ';
+    $rrd_options .= ' -c CANVAS#' . Clean::alphaDash($_GET['bg']) . ' ';
 }
 
 if ($_GET['font']) {
-    $rrd_options .= ' -c FONT#'.mres($_GET['font']).' ';
+    $rrd_options .= ' -c FONT#' . Clean::alphaDash($_GET['font']) . ' ';
 }
 
 // $rrd_options .= " -c BACK#FFFFFF";