Merge pull request #1653 from laf/security-update

Moved forms folder to includes and added some safety checks for non-admin users

html/ajax_form.php

@@ -28,7 +28,7 @@ if (!$_SESSION['authenticated']) {
 }
 
 if (preg_match('/^[a-zA-Z0-9\-]+$/', $_POST['type']) == 1) {
-    if (file_exists('forms/'.$_POST['type'].'.inc.php')) {
-        include_once 'forms/'.$_POST['type'].'.inc.php';
+    if (file_exists('includes/forms/'.$_POST['type'].'.inc.php')) {
+        include_once 'includes/forms/'.$_POST['type'].'.inc.php';
     }
 }

html/includes/forms/callback-clear.inc.php

@@ -12,4 +12,8 @@
  * the source code distribution for details.
  */
 
+if(is_admin() === false) {
+    die('ERROR: You need to be admin');
+}
+
 dbUpdate(array('value' => '2'), 'callback', '`name` = "enabled"', array());

html/includes/forms/callback-statistics.inc.php

@@ -12,6 +12,10 @@
  * the source code distribution for details.
  */
 
+if(is_admin() === false) {
+    die('ERROR: You need to be admin');
+}
+
 if ($_POST['state'] == 'true') {
     $state = 1;
 }

html/includes/forms/config-item-disable.inc.php

@@ -13,6 +13,11 @@
  */
 
 // FUA
+
+if(is_admin() === false) {
+    die('ERROR: You need to be admin');
+}
+
 if (!is_numeric($_POST['config_id'])) {
     echo 'error with data';
     exit;

html/includes/forms/config-item-update.inc.php

@@ -13,6 +13,11 @@
  */
 
 // FUA
+
+if(is_admin() === false) {
+    die('ERROR: You need to be admin');
+}
+
 if (!is_numeric($_POST['config_id']) || empty($_POST['data'])) {
     echo 'error with data';
     exit;

html/includes/forms/discovery-module-update.inc.php

@@ -1,6 +1,11 @@
 <?php
 
 // FUA
+
+if(is_admin() === false) {
+    die('ERROR: You need to be admin');
+}
+
 $device['device_id'] = $_POST['device_id'];
 $module              = 'discover_'.$_POST['discovery_module'];
 

html/includes/forms/health-update.inc.php

@@ -13,6 +13,11 @@
  */
 
 // FUA
+
+if(is_admin() === false) {
+    die('ERROR: You need to be admin');
+}
+
 if (!is_numeric($_POST['device_id']) || !is_numeric($_POST['sensor_id']) || (empty($_POST['data']) || !isset($_POST['data']))) {
     echo 'error with data';
     exit;

html/includes/forms/poller-group-remove.inc.php

@@ -12,6 +12,10 @@
  * the source code distribution for details.
  */
 
+if(is_admin() === false) {
+    die('ERROR: You need to be admin');
+}
+
 if (!is_numeric($_POST['group_id'])) {
     echo 'error with data';
     exit;

html/includes/forms/poller-module-update.inc.php

@@ -1,5 +1,9 @@
 <?php
 
+if(is_admin() === false) {
+    die('ERROR: You need to be admin');
+}
+
 // FUA
 $device['device_id'] = $_POST['device_id'];
 $module              = 'poll_'.$_POST['poller_module'];

html/includes/forms/rediscover-device.inc.php

@@ -12,6 +12,15 @@
  * the source code distribution for details.
  */
 
+if (is_admin() === false) {
+    $response = array(
+        'status'  => 'error',
+        'message' => 'Need to be admin',
+    );
+    echo _json_encode($response);
+    exit;
+}
+
 // FIXME: Make this part of the API instead of a standalone function
 if (!is_numeric($_POST['device_id'])) {
     $status  = 'error';

html/includes/forms/sensor-alert-reset.inc.php

@@ -13,6 +13,11 @@
  */
 
 // FUA
+
+if(is_admin() === false) {
+    die('ERROR: You need to be admin');
+}
+
 for ($x = 0; $x < count($_POST['sensor_id']); $x++) {
     dbUpdate(array('sensor_limit' => $_POST['sensor_limit'][$x], 'sensor_limit_low' => $_POST['sensor_limit_low'][$x], 'sensor_alert' => $_POST['sensor_alert'][$x]), 'sensors', '`sensor_id` = ?', array($_POST['sensor_id'][$x]));
 }

html/includes/forms/sensor-alert-update.inc.php

@@ -13,6 +13,11 @@
  */
 
 // FUA
+
+if(is_admin() === false) {
+    die('ERROR: You need to be admin');
+}
+
 if (isset($_POST['sub_type']) && !empty($_POST['sub_type'])) {
     dbUpdate(array('sensor_custom' => 'No'), 'sensors', '`sensor_id` = ?', array($_POST['sensor_id']));
 }

html/includes/forms/storage-update.inc.php

@@ -12,6 +12,15 @@
  * the source code distribution for details.
  */
 
+if (is_admin() === false) {
+    $response = array(
+        'status'  => 'error',
+        'message' => 'Need to be admin',
+    );
+    echo _json_encode($response);
+    exit;
+}
+
 $status  = 'error';
 $message = 'Error updating storage information';
 

html/includes/forms/token-item-create.inc.php

@@ -12,6 +12,10 @@
  * the source code distribution for details.
  */
 
+if(is_admin() === false) {
+    die('ERROR: You need to be admin');
+}
+
 if (!is_numeric($_POST['user_id']) || !isset($_POST['token'])) {
     echo 'ERROR: error with data, please ensure a valid user and token have been specified.';
     exit;

html/includes/forms/token-item-disable.inc.php

@@ -12,6 +12,10 @@
  * the source code distribution for details.
  */
 
+if(is_admin() === false) {
+    die('ERROR: You need to be admin');
+}
+
 if (!is_numeric($_POST['token_id'])) {
     echo 'error with data';
     exit;

html/includes/forms/token-item-remove.inc.php

@@ -12,6 +12,10 @@
  * the source code distribution for details.
  */
 
+if(is_admin() === false) {
+    die('ERROR: You need to be admin');
+}
+
 if (!is_numeric($_POST['token_id'])) {
     echo 'error with data';
     exit;

html/includes/forms/update-ports.inc.php

@@ -1,5 +1,14 @@
 <?php
 
+if (is_admin() === false) {
+    $response = array(
+        'status'  => 'error',
+        'message' => 'Need to be admin',
+    );
+    echo _json_encode($response);
+    exit;
+}
+
 $status           = 'error';
 $message          = 'Error with config';