Sanitize graph input (#10276)

Could execute arbitrary rrdtool commands such as cd and ls.
2024-10-07 16:52:45 +00:00 · 2019-05-31 07:43:12 -05:00
parent eea0d4d359
commit 9faae11381
2 changed files with 31 additions and 7 deletions
--- a/includes/html/graphs/common.inc.php
+++ b/includes/html/graphs/common.inc.php
@@ -1,15 +1,17 @@
 <?php

+use LibreNMS\Util\Clean;
+
 if ($_GET['from']) {
-    $from = mres($_GET['from']);
+    $from = (int)$_GET['from'];
 }

 if ($_GET['to']) {
-    $to = mres($_GET['to']);
+    $to = (int)$_GET['to'];
 }

 if ($_GET['width']) {
-    $width = mres($vars['width']);
+    $width = (int)$_GET['width'];
 }

 if ($config['trim_tobias']) {
@@ -17,7 +19,7 @@ if ($config['trim_tobias']) {
 }

 if ($_GET['height']) {
-    $height = mres($vars['height']);
+    $height = (int)$_GET['height'];
 }

 if ($_GET['inverse']) {
@@ -56,7 +58,7 @@ if ($_GET['title'] == 'yes') {
 }

 if (isset($_GET['graph_title'])) {
-    $rrd_options .= " --title='".$_GET['graph_title']."' ";
+    $rrd_options .= " --title='" . Clean::alphaDashSpace($_GET['graph_title']) . "' ";
 }

 if (!isset($scale_min) && !isset($scale_max)) {
@@ -83,11 +85,11 @@ $rrd_options .= ' -E --start '.$from.' --end '.$to.' --width '.$width.' --height
 $rrd_options .= $config['rrdgraph_def_text'].' -c FONT#'.$config['rrdgraph_def_text_color'];

 if ($_GET['bg']) {
-    $rrd_options .= ' -c CANVAS#'.mres($_GET['bg']).' ';
+    $rrd_options .= ' -c CANVAS#' . Clean::alphaDash($_GET['bg']) . ' ';
 }

 if ($_GET['font']) {
-    $rrd_options .= ' -c FONT#'.mres($_GET['font']).' ';
+    $rrd_options .= ' -c FONT#' . Clean::alphaDash($_GET['font']) . ' ';
 }

 // $rrd_options .= " -c BACK#FFFFFF";