Unverified Commit c0c2c445 authored by sc979's avatar sc979 Committed by GitHub

fix(security): sanitize http params (#19)

* fix(secu): sanitize http params

* enh check on refresh param

* correct condition
parent 1149efc2
......@@ -4,7 +4,7 @@
<email>contact@centreon.com</email>
<website>http://www.centreon.com</website>
<description>Widget for displaying Host Status and service status Summary</description>
<version>1.0.2</version>
<version>1.0.3</version>
<keywords>centreon, widget, host, monitoring, service</keywords>
<screenshot></screenshot>
<thumbnail>./widgets/tactical-overview/resources/centreon-logo.png</thumbnail>
......@@ -15,6 +15,6 @@
<option value="hosts" label="Hosts"/>
<option value="services" label="Services"/>
</preference>
<preference label="Auto Refresh" name="autoRefresh" defaultValue="30" type="integer"/>
<preference label="Auto Refresh" name="autoRefresh" defaultValue="30" type="text"/>
</preferences>
</configs>
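Review bot: Loosening the `autoRefresh` preference from `type="integer"` to `type="text"` presumably drops whatever numeric constraint the widget form applied to this value, which makes the server-side `(int)` casts added in the PHP hunks the only validation left, and the commit message does not say why the type was changed. A one-line comment next to the preference would keep a later maintainer from switching it back or dropping one of the casts, e.g. `<!-- stored as text: every reader must cast to int and fall back to the 30s default -->`.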
<?php
/**
* Copyright 2005-2011 MERETHIS
* Centreon is developped by : Julien Mathis and Romain Le Merlus under
/*
* Copyright 2005-2020 Centreon
* Centreon is developed by : Julien Mathis and Romain Le Merlus under
* GPL Licence 2.0.
*
* This program is free software; you can redistribute it and/or modify it under
......@@ -19,11 +19,11 @@
* combined work based on this program. Thus, the terms and conditions of the GNU
* General Public License cover the whole combination.
*
* As a special exception, the copyright holders of this program give MERETHIS
* As a special exception, the copyright holders of this program give CENTREON
* permission to link this program with independent modules to produce an executable,
* regardless of the license terms of these independent modules, and to copy and
* distribute the resulting executable under terms of MERETHIS choice, provided that
* MERETHIS also meet, for each linked independent module, the terms and conditions
* distribute the resulting executable under terms of CENTREON choice, provided that
* CENTREON also meet, for each linked independent module, the terms and conditions
* of the license of that module. An independent module is a module which is not
* derived from this program. If you modify this program, you may extend this
* exception to your version of the program, but you are not obliged to do so. If you
......@@ -52,7 +52,7 @@ if (!isset($_SESSION['centreon']) || !isset($_REQUEST['widgetId'])) {
exit;
}
$centreon = $_SESSION['centreon'];
$widgetId = $_REQUEST['widgetId'];
$widgetId = (int)$_REQUEST['widgetId'];
try {
global $pearDB;
......@@ -69,9 +69,9 @@ try {
$widgetObj = new CentreonWidget($centreon, $db_centreon);
$preferences = $widgetObj->getWidgetPreferences($widgetId);
$autoRefresh = 0;
$autoRefresh = 30;
if (isset($preferences['refresh_interval'])) {
$autoRefresh = $preferences['refresh_interval'];
$autoRefresh = (int)$preferences['refresh_interval'];
}
} catch (Exception $e) {
echo $e->getMessage() . "<br/>";
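Review bot: The new cast `$autoRefresh = (int)$preferences['refresh_interval'];` has no lower-bound check, unlike the parallel change in the two status scripts which use `(int)... > 0 ? ... : 30`, so a stored value that is empty, non-numeric or negative produces a 0 or negative refresh interval here while those scripts fall back to 30. Tightening the guard two lines above to `if (isset($preferences['refresh_interval']) && (int)$preferences['refresh_interval'] > 0) {` aligns the three sites and makes the `$autoRefresh = 30;` default the single fallback. The configs hunk declares this preference as `name="autoRefresh"` while the code reads `refresh_interval`; if the widget layer does not map between the two names this branch never runs and the default always applies, which is worth confirming against `getWidgetPreferences`. The enclosing `try` block starts outside the hunk.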
......@@ -82,10 +82,10 @@ $path = $centreon_path . "www/widgets/tactical-overview/src/";
$template = new Smarty();
$template = initSmartyTplForPopup($path, $template, "./", $centreon_path);
if (isset($preferences['object_type']) && $preferences['object_type'] === "hosts") {
if (isset($preferences['object_type'])
&& ($preferences['object_type'] === "hosts" || $preferences['object_type'] === "")
) {
require_once 'src/hosts_status.php';
}else if (isset($preferences['object_type']) && $preferences['object_type'] === "services") {
require_once 'src/services_status.php';
}else if (isset($preferences['object_type']) && $preferences['object_type'] == "") {
require_once 'src/hosts_status.php';
}
<?php
/**
* Copyright 2005-2015 Centreon
* Centreon is developped by : Julien Mathis and Romain Le Merlus under
/*
* Copyright 2005-2020 Centreon
* Centreon is developed by : Julien Mathis and Romain Le Merlus under
* GPL Licence 2.0.
*
* This program is free software; you can redistribute it and/or modify it under
......@@ -19,11 +19,11 @@
* combined work based on this program. Thus, the terms and conditions of the GNU
* General Public License cover the whole combination.
*
* As a special exception, the copyright holders of this program give Centreon
* As a special exception, the copyright holders of this program give CENTREON
* permission to link this program with independent modules to produce an executable,
* regardless of the license terms of these independent modules, and to copy and
* distribute the resulting executable under terms of Centreon choice, provided that
* Centreon also meet, for each linked independent module, the terms and conditions
* distribute the resulting executable under terms of CENTREON choice, provided that
* CENTREON also meet, for each linked independent module, the terms and conditions
* of the license of that module. An independent module is a module which is not
* derived from this program. If you modify this program, you may extend this
* exception to your version of the program, but you are not obliged to do so. If you
......@@ -85,7 +85,9 @@ while ($row = $res->fetchRow()) {
$dataPEND[] = $row;
}
$autoRefresh = $preferences['autoRefresh'];
$autoRefresh = (isset($preferences['refresh_interval']) && (int)$preferences['refresh_interval'] > 0)
? (int)$preferences['refresh_interval']
: 30;
$template->assign('preferences', $preferences);
$template->assign('widgetId', $widgetId);
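Review bot: The three-line refresh-interval expression introduced here is repeated verbatim in the services status script (`$autoRefresh = (isset($preferences['refresh_interval']) && (int)$preferences['refresh_interval'] > 0) ? ... : 30;`), and the widget's index file applies a third, slightly different variant of the same cast, so the bound and the `30` default now live in three places. A small shared helper that both status scripts and the index file can include, e.g. `function getRefreshInterval(array $preferences): int` returning the guarded cast or the default, would give one place to keep the validation rule. The `while` loop this hunk closes starts outside the hunk.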
......
<?php
/**
* Copyright 2005-2015 Centreon
* Centreon is developped by : Julien Mathis AND Romain Le Merlus under
/*
* Copyright 2005-2020 Centreon
* Centreon is developed by : Julien Mathis and Romain Le Merlus under
* GPL Licence 2.0.
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License AS published by the Free Software
* the terms of the GNU General Public License as published by the Free Software
* Foundation ; either version 2 of the License.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY
......@@ -16,14 +16,14 @@
* this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking this program statically or dynamically with other modules is making a
* combined work based on this program. Thus, the terms AND conditions of the GNU
* combined work based on this program. Thus, the terms and conditions of the GNU
* General Public License cover the whole combination.
*
* As a special exception, the copyright holders of this program give Centreon
* As a special exception, the copyright holders of this program give CENTREON
* permission to link this program with independent modules to produce an executable,
* regardless of the license terms of these independent modules, AND to copy and
* distribute the resulting executable under terms of Centreon choice, provided that
* Centreon also meet, for each linked independent module, the terms AND conditions
* regardless of the license terms of these independent modules, and to copy and
* distribute the resulting executable under terms of CENTREON choice, provided that
* CENTREON also meet, for each linked independent module, the terms and conditions
* of the license of that module. An independent module is a module which is not
* derived from this program. If you modify this program, you may extend this
* exception to your version of the program, but you are not obliged to do so. If you
......@@ -109,7 +109,9 @@ while ($row = $res->fetchRow()) {
$dataUNK[] = $row;
}
$autoRefresh = $preferences['autoRefresh'];
$autoRefresh = (isset($preferences['refresh_interval']) && (int)$preferences['refresh_interval'] > 0)
? (int)$preferences['refresh_interval']
: 30;
$template->assign('widgetId', $widgetId);
$template->assign('autoRefresh', $autoRefresh);
......