Index: html/graph-realtime.php =================================================================== --- html/graph-realtime.php (revision 6204) +++ html/graph-realtime.php (working copy) @@ -25,16 +25,19 @@ include_once("../includes/snmp.inc.php"); -if (is_numeric($_GET['id']) && ($config['allow_unauth_graphs'] || port_permitted($_GET['id']))) +// Push $_GET into $vars to be compatible with web interface naming +$vars = get_vars('GET'); + +if (is_numeric($vars['id']) && ($config['allow_unauth_graphs'] || port_permitted($vars['id']))) { - $port = get_port_by_id($_GET['id']); + $port = get_port_by_id($vars['id']); $device = device_by_id_cache($port['device_id']); $title = generate_device_link($device); $title .= " :: Port ".generate_port_link($port); $auth = TRUE; } else { - echo("Unauthenticad"); + echo("Unauthenticated"); die; } @@ -46,19 +49,19 @@ $ifname=htmlentities(@$port['ifDescr']); //Interface name that will be showed on top right of graph $hostname=short_hostname($device['hostname']); -if($_GET['title']) { $ifname = $_GET['title']; } +if($vars['title']) { $ifname = escape_html($vars['title']); } /********* Other conf *******/ $scale_type="follow"; //Autoscale default setup : "up" = only increase scale; "follow" = increase and decrease scale according to current graphed datas $nb_plot=240; //NB plot in graph -if(is_numeric($_GET['interval'])) { - $time_interval=$_GET['interval']; +if(is_numeric($vars['interval'])) { + $time_interval=$vars['interval']; } else { $time_interval=1; //Refresh time Interval } -$fetch_link = "data.php?id=".$_GET['id']; +$fetch_link = "data.php?id=".$vars['id']; //SVG attributes $attribs['axis']='fill="black" stroke="black"'; Index: html/includes/functions.inc.php =================================================================== --- html/includes/functions.inc.php (revision 6204) +++ html/includes/functions.inc.php (working copy) 
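Review bot: In the @@ -46 hunk `$time_interval=$vars['interval'];` and `$fetch_link = "data.php?id=".$vars['id'];` keep the raw request strings even though they were only checked with is_numeric(), which also accepts leading whitespace, a sign and exponent forms such as `1e3`. Cast both so that what reaches the refresh timer and the generated link is a plain integer: `$time_interval = (int) $vars['interval'];` and `$fetch_link = "data.php?id=" . (int) $vars['id'];`, adding a floor of 1 on the interval unless fractional intervals are intentional. How `$time_interval` is consumed is outside the hunk, so the effect of a zero or negative value there cannot be confirmed from this diff.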
@@ -612,14 +612,16 @@ // TESTME needs unit testing // DOCME needs phpdoc block -function generate_overlib_content($graph_array, $text = NULL) +function generate_overlib_content($graph_array, $text = NULL, $escape = TRUE) { global $config; $graph_array['height'] = "100"; $graph_array['width'] = "210"; + + if ($escape) { $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); } - $overlib_content = '<div style="width: 590px;"><span style="font-weight: bold; font-size: 16px;">'.$text."</span><br />"; + $overlib_content = '<div style="width: 590px;"><span style="font-weight: bold; font-size: 16px;">'.$text.'</span><br />'; foreach (array('day', 'week', 'month', 'year') as $period) { $graph_array['from'] = $config['time'][$period]; @@ -667,9 +669,9 @@ <tr class="'.$device['html_row_class'].'" style="font-size: 10pt;"> <td style="width: 10px; background-color: '.$device['html_tab_colour'].'; margin: 0px; padding: 0px"></td> <td width="40" style="padding: 10px; text-align: center; vertical-align: middle;">'.getImage($device).'</td> - <td width="200"><a href="#" class="'.$class.'" style="font-size: 15px; font-weight: bold;">'.$device['hostname'].'</a><br />'. htmlspecialchars(truncate($device['location'],64, '')) .'</td> - <td>'.htmlspecialchars($device['hardware']).' <br /> '.$device['os_text'].' '.$device['version'].'</td> - <td>'.deviceUptime($device, 'short').'<br />'.htmlspecialchars($device['sysName']).' + <td width="200"><a href="#" class="'.$class.'" style="font-size: 15px; font-weight: bold;">'.escape_html($device['hostname']).'</a><br />'. escape_html(truncate($device['location'],64, '')) .'</td> + <td>'.escape_html($device['hardware']).' <br /> '.$device['os_text'].' '.escape_html($device['version']).'</td> + <td>'.deviceUptime($device, 'short').'<br />'.escape_html($device['sysName']).' </tr> </table> '; 
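Review bot: The new `$escape` parameter of generate_overlib_content() defaults to TRUE, so every existing caller now has its `$text` run through htmlspecialchars(); a caller that already escapes, or that deliberately passes markup as the popup title, will now render entities or tags literally, and the callers are not in this diff to confirm either way. The DOCME above the signature is the place to pin this down, e.g. `/** Build the overlib popup HTML for a graph; set $escape to FALSE only when $text is already safe HTML. */` expanded into a proper docblock with the parameters. For consistency with the rest of this commit the new call could be `escape_html($text)` rather than a bare htmlspecialchars(); the same applies to the @@ -756 hunk in generate_device_link(). In the @@ -667 hunk `$device['os_text']` is the one device field in the row left unescaped, and the same pattern recurs in hostbox-basic.inc.php and hostbox.inc.php, so either escape it too or add a one-line comment stating where os_text comes from and why it is trusted.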
@@ -756,6 +758,8 @@ $url = generate_device_url($device, $vars); //$link = overlib_link($url, $text, $contents, $class, $escape); + if ($escape) { $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); } + return '<a href="'.$url.'" class="entity-popup '.$class.'" data-eid="'.$device['device_id'].'" data-etype="device">'.$text.'</a>'; } Index: html/includes/graphs/common.inc.php =================================================================== --- html/includes/graphs/common.inc.php (revision 6204) +++ html/includes/graphs/common.inc.php (working copy) @@ -11,13 +11,12 @@ * */ -# FIXME why are we mres()'ing these?! see below too -if ($vars['from']) { $from = mres($vars['from']); } -if ($vars['to']) { $to = mres($vars['to']); } +if ($vars['from']) { $from = $vars['from']; } +if ($vars['to']) { $to = $vars['to']; } -if ($vars['width']) { $width = mres($vars['width']); } +if ($vars['width']) { $width = $vars['width']; } if ($config['trim_tobias']) { $width+=12; } -if ($vars['height']) { $height = mres($vars['height']); } +if ($vars['height']) { $height = $vars['height']; } if ($vars['inverse']) { $in = 'out'; $out = 'in'; $inverse = TRUE; } else { $in = 'in'; $out = 'out'; $inverse = FALSE; } @@ -58,8 +57,7 @@ $rrd_options .= ' --start '.$from.' --end ' . $to . ' --width '.$width.' --height '.$height.' '; $rrd_options .= $config['rrdgraph_def_text']; -# FIXME mres? that's not for fixing commandline injection... we don't pass this on commandline, luckily... :-) -if ($vars['bg']) { $rrd_options .= ' -c CANVAS#' . mres($vars['bg']) . ' '; } +if ($vars['bg']) { $rrd_options .= ' -c CANVAS#' . $vars['bg'] . ' '; } #$rrd_options .= ' -c BACK#FFFFFF'; Index: html/includes/graphs/generic_definition.inc.php =================================================================== --- html/includes/graphs/generic_definition.inc.php (revision 6204) +++ html/includes/graphs/generic_definition.inc.php (working copy) 
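Review bot: Removing mres() from `$from`, `$to`, `$width`, `$height` in the common.inc.php @@ -11 hunk and from `$bg` in the @@ -58 hunk leaves these request values with no check at all before they are concatenated into `$rrd_options` (`--start`, `--end`, `--width`, `--height`, `-c CANVAS#`). mres() was MySQL escaping and never protected that string, but the deleted FIXME lines were the only reminder that the values are unvalidated, and the diff does not show how `$rrd_options` reaches rrdtool. Width and height should be integers, `if ($vars['width']) { $width = (int) $vars['width']; }` (likewise for height), and the canvas colour should be restricted to hex digits, e.g. `if (preg_match('/^[0-9a-fA-F]{6}(?:[0-9a-fA-F]{2})?$/', $vars['bg'])) { $rrd_options .= ' -c CANVAS#' . $vars['bg'] . ' '; }`. `$from`/`$to` may legitimately be rrdtool AT-style times, so they need a narrow pattern rather than an int cast unless the graph URLs always pass epoch seconds.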
@@ -23,7 +23,7 @@ if (isset($graph_def['log_y']) && $graph_def['log_y'] == TRUE) { $log_y = TRUE; } else { unset($log_y); } // Strange, if $log_y set to FALSE anyway legend logarifmic if (isset($graph_def['no_mag']) && $graph_def['no_mag'] == TRUE) { $mag_unit = "' '"; } else { $mag_unit = '%S'; } if (isset($graph_def['num_fmt'])) { $num_fmt = $graph_def['num_fmt']; } else { $num_fmt = '6.1'; } -if (isset($graph_def['nototal'])) { $nototal = $graph_def['nototal']; } else { $no_total = TRUE; } +if (isset($graph_def['nototal'])) { $nototal = $graph_def['nototal']; } else { $nototal = TRUE; } include_once($config['html_dir'] . '/includes/graphs/common.inc.php'); include_once($config['html_dir'] . '/includes/graphs/legend.inc.php'); Index: html/includes/hostbox-basic.inc.php =================================================================== --- html/includes/hostbox-basic.inc.php (revision 6204) +++ html/includes/hostbox-basic.inc.php (working copy) @@ -45,11 +45,11 @@ <td style="width: 300;"><span class="'.$class.'">' . generate_device_link($device) . '</span></td>' ); -echo(' <td>' . $device['hardware'] . ' ' . $device['features'] . '</td>'); -echo(' <td>' . $device['os_text'] . ' ' . $device['version'] . '</td>'); +echo(' <td>' . escape_html($device['hardware']) . ' ' . escape_html($device['features']) . '</td>'); +echo(' <td>' . $device['os_text'] . ' ' . escape_html($device['version']) . '</td>'); echo(' <td>' . deviceUptime($device, 'short') . ' <br />'); -echo(' ' . htmlspecialchars(truncate($device['location'],32, '')) . '</td>'); +echo(' ' . escape_html(truncate($device['location'],32, '')) . '</td>'); echo(' </tr>'); Index: html/includes/hostbox.inc.php =================================================================== --- html/includes/hostbox.inc.php (revision 6204) +++ html/includes/hostbox.inc.php (working copy) 
@@ -21,7 +21,7 @@ <td style="width: 1px; background-color: '.$device['html_tab_colour'].'; margin: 0px; padding: 0px"></td> <td style="width: 64px; text-align: center; vertical-align: middle;">' . getImage($device) . '</td> <td style="width: 300px;"><span class="entity-title">' . generate_device_link($device) . '</span> - <br />' . htmlspecialchars(truncate($device['location'],32, '')) . '</td>' + <br />' . escape_html(truncate($device['location'],32, '')) . '</td>' ); echo('<td style="width: 55px;">'); @@ -29,11 +29,11 @@ echo('<br />'); if ($sensor_count) { echo(' <i class="oicon-dashboard"></i> '.$sensor_count); } echo('</td>'); -echo(' <td >' . $device['hardware'] . '<br />' . $device['features'] . '</td>'); -echo(' <td >' . $device['os_text'] . '<br />' . $device['version'] . '</td>'); +echo(' <td >' . escape_html($device['hardware']) . '<br />' . escape_html($device['features']) . '</td>'); +echo(' <td >' . $device['os_text'] . '<br />' . escape_html($device['version']) . '</td>'); echo(' <td >' . deviceUptime($device, 'short') . ' <br />'); -echo(' ' . htmlspecialchars($device['sysName']) . '</td>'); +echo(' ' . escape_html($device['sysName']) . '</td>'); echo(' </tr>'); Index: html/includes/map/google-mc.inc.php =================================================================== --- html/includes/map/google-mc.inc.php (revision 6204) +++ html/includes/map/google-mc.inc.php (working copy) 
@@ -99,17 +99,17 @@ $location_name = ""; if ($num_down > 0) { - $location_name = ($lon['down_hosts'][0]['location'] === '' ? OBS_VAR_UNSET : strtr(htmlspecialchars($lon['down_hosts'][0]['location']), "'", "`")); + $location_name = ($lon['down_hosts'][0]['location'] === '' ? OBS_VAR_UNSET : strtr(escape_html($lon['down_hosts'][0]['location']), "'", "`")); $location_url = generate_location_url($lon['down_hosts'][0]['location']); $tooltip .= "\\n\\nDown hosts:"; foreach ($lon["down_hosts"] as $down_host) { - $tooltip .= "\\n" . $down_host['hostname']; + $tooltip .= "\\n" . escape_html($down_host['hostname']); } } elseif ($num_up > 0) { - $location_name = ($lon['up_hosts'][0]['location'] === '' ? OBS_VAR_UNSET : strtr(htmlspecialchars($lon['up_hosts'][0]['location']), "'", "`")); + $location_name = ($lon['up_hosts'][0]['location'] === '' ? OBS_VAR_UNSET : strtr(escape_html($lon['up_hosts'][0]['location']), "'", "`")); $location_url = generate_location_url($lon['up_hosts'][0]['location']); } Index: html/includes/print/arptable.inc.php =================================================================== --- html/includes/print/arptable.inc.php (revision 6204) +++ html/includes/print/arptable.inc.php (working copy) @@ -60,8 +60,7 @@ $param[] = '%'.$value.'%'; } else { $where .= ' AND `mac_address` LIKE ?'; - // FIXME hm? mres in a dbFacile parameter? - $param[] = '%'.str_replace(array(':', ' ', '-', '.', '0x'),'',mres($value)).'%'; + $param[] = '%'.str_replace(array(':', ' ', '-', '.', '0x'),'', $value).'%'; } break; } Index: html/includes/print/authlog.inc.php =================================================================== --- html/includes/print/authlog.inc.php (revision 6204) +++ html/includes/print/authlog.inc.php (working copy) 
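Review bot: `$tooltip .= "\\n" . escape_html($down_host['hostname']);` applies HTML escaping to a value that the surrounding `\\n` sequences show is being assembled as a JavaScript string literal, which is the wrong escaping for that context: a backslash or line break in the hostname is left untouched, and a quote becomes an HTML entity inside the script instead of being neutralised. How `$tooltip` is finally written into the page is outside the hunk; if it lands in a `<script>` block, keep it as plain text here and encode it once at the output point with `json_encode($tooltip)`, which handles quotes, backslashes and newlines for JS. The same consideration applies to `$location_name`, which on the changed lines is HTML-escaped and then has `'` swapped for a backtick.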
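Review bot: In the arptable.inc.php hunk `$param[] = '%'.str_replace(array(':', ' ', '-', '.', '0x'),'', $value).'%';` now binds the raw search term to `LIKE ?`, which is the right way to pass it, but `%` and `_` in `$value` remain LIKE wildcards, so a term containing them matches more rows than typed. If literal matching is intended, escape them before binding: `addcslashes($value, '%_')` (with the matching ESCAPE semantics of the driver). The same lines are changed in dot1xtable.inc.php, fdbtable.inc.php and mac_addresses.inc.php.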
@@ -45,7 +45,7 @@ $string .= ' <tr'.$class.'> <td>'.$entry['datetime'].'</td> - <td>'.$entry['user'].'</td> + <td>'.escape_html($entry['user']).'</td> <td>'.$entry['address'].'</td> <td>'.$entry['result'].'</td> </tr>' . PHP_EOL; Index: html/includes/print/dot1xtable.inc.php =================================================================== --- html/includes/print/dot1xtable.inc.php (revision 6204) +++ html/includes/print/dot1xtable.inc.php (working copy) @@ -47,8 +47,7 @@ $param[] = '%'.$value.'%'; } else if (isset($vars['searchby']) && $vars['searchby'] == 'mac') { $where .= ' AND `M`.`mac_addr` LIKE ?'; - // FIXME hm? mres in a dbFacile parameter? - $param[] = '%'.str_replace(array(':', ' ', '-', '.', '0x'),'',mres($value)).'%'; + $param[] = '%'.str_replace(array(':', ' ', '-', '.', '0x'),'', $value).'%'; } else { $where .= ' AND `username` LIKE ?'; $value = trim($value); Index: html/includes/print/fdbtable.inc.php =================================================================== --- html/includes/print/fdbtable.inc.php (revision 6204) +++ html/includes/print/fdbtable.inc.php (working copy) @@ -57,8 +57,7 @@ break; case 'address': $where .= ' AND F.`mac_address` LIKE ?'; - # FIXME hm? mres in a dbFacile parameter? - $param[] = '%'.str_replace(array(':', ' ', '-', '.', '0x'),'',mres($value)).'%'; + $param[] = '%'.str_replace(array(':', ' ', '-', '.', '0x'),'', $value).'%'; break; } } Index: html/includes/print/mac_addresses.inc.php =================================================================== --- html/includes/print/mac_addresses.inc.php (revision 6204) +++ html/includes/print/mac_addresses.inc.php (working copy) 
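Review bot: `escape_html($entry['user'])` fixes the username cell, but `$entry['address']` and `$entry['result']` on the adjacent lines of the same row are still printed raw; the address in an auth log is recorded from the login request, so if it is taken from a client-supplied header rather than REMOTE_ADDR it is as attacker-influenced as the username. Wrap both: `<td>'.escape_html($entry['address']).'</td>` and `<td>'.escape_html($entry['result']).'</td>`. Where the address is captured is not in this diff.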
@@ -47,8 +47,7 @@ break; case 'address': $where .= ' AND `ifPhysAddress` LIKE ?'; - # FIXME hm? mres in a dbFacile parameter? - $param[] = '%'.str_replace(array(':', ' ', '-', '.', '0x'),'',mres($value)).'%'; + $param[] = '%'.str_replace(array(':', ' ', '-', '.', '0x'),'', $value).'%'; break; } } Index: html/includes/print/search.inc.php =================================================================== --- html/includes/print/search.inc.php (revision 6204) +++ html/includes/print/search.inc.php (working copy) @@ -394,7 +394,7 @@ $string .= ' selected'; } - $string .= '>'.$name.'</option> '; + $string .= '>'.escape_html($name).'</option> '; // FIXME location values is double escaped! } $string .= PHP_EOL . ' </select>' . PHP_EOL; // End 'select' & 'multiselect' Index: html/pages/add_alert_check.inc.php =================================================================== --- html/pages/add_alert_check.inc.php (revision 6204) +++ html/pages/add_alert_check.inc.php (working copy) @@ -21,7 +21,7 @@ exit; } - if (isset($_POST['submit']) && $_POST['submit'] == "add_alert_check") + if (isset($vars['submit']) && $vars['submit'] == "add_alert_check") { echo '<div class="alert alert-info"> <button type="button" class="close" data-dismiss="alert">×</button> @@ -30,7 +30,7 @@ foreach (array('entity_type', 'alert_name', 'alert_severity', 'check_conditions', 'assoc_device_conditions', 'assoc_entity_conditions') as $var) { - if (!isset($_POST[$var]) || strlen($_POST[$var]) == '0') { echo("Missing required data.</div>"); break 2; } + if (!isset($vars[$var]) || strlen($vars[$var]) == '0') { echo("Missing required data.</div>"); break 2; } } $check_array = array(); 
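Review bot: In the search.inc.php hunk the added `escape_html($name)` sits next to a FIXME stating that location values are now double escaped, so the commit knowingly ships a visible regression for those option labels instead of deciding where the single escape belongs; as committed, a location containing an ampersand will display as `&amp;`. Either drop the earlier escaping of location values or skip it here for that case. The source of `$name` is above the hunk, so which of the two escapes to keep cannot be settled from this diff.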
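Review bot: In the add_alert_check.inc.php @@ -21 hunk, switching the `submit == "add_alert_check"` gate and the field reads from `$_POST` to `$vars` means the insert into `alert_tests` no longer requires a POST body; if `$vars` is populated from both GET and POST, as the get_vars() usage in graph-realtime.php suggests, this state-changing action becomes reachable from a plain link, and no CSRF token check is visible in the handling here. The same switch is made in addhost.inc.php, adduser.inc.php, bills/search.inc.php, bills/searchaction.inc.php and the device/edit/*.inc.php hunks. Keep a request-method check in front of the write paths, e.g. `if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($vars['submit']) && $vars['submit'] == "add_alert_check")`. In the @@ -30 hunk `strlen($vars[$var]) == '0'` only works through loose int/string comparison; `strlen($vars[$var]) === 0` says what is meant.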
@@ -43,14 +43,14 @@ } $check_array['conditions'] = json_encode($conds); - $check_array['entity_type'] = $_POST['entity_type']; - $check_array['alert_name'] = $_POST['alert_name']; - $check_array['alert_message'] = $_POST['alert_message']; - $check_array['severity'] = $_POST['alert_severity']; - $check_array['suppress_recovery'] = ($_POST['alert_send_recovery'] == 'on' ? 0 : 1); + $check_array['entity_type'] = $vars['entity_type']; + $check_array['alert_name'] = $vars['alert_name']; + $check_array['alert_message'] = $vars['alert_message']; + $check_array['severity'] = $vars['alert_severity']; + $check_array['suppress_recovery'] = ($vars['alert_send_recovery'] == 'on' ? 0 : 1); $check_array['alerter'] = NULL; - $check_array['and'] = $_POST['alert_and']; - $check_array['delay'] = $_POST['alert_delay']; + $check_array['and'] = $vars['alert_and']; + $check_array['delay'] = $vars['alert_delay']; $check_array['enable'] = '1'; $check_id = dbInsert('alert_tests', $check_array); @@ -59,7 +59,7 @@ echo('<p>Alert inserted as <a href="'.generate_url(array('page' => 'alert_check', 'alert_test_id' => $check_id)).'">'.$check_id.'</a></p>'); $assoc_array = array(); $assoc_array['alert_test_id'] = $check_id; - $assoc_array['entity_type'] = $_POST['entity_type']; + $assoc_array['entity_type'] = $vars['entity_type']; $assoc_array['enable'] = '1'; $dev_conds = array(); foreach (explode("\n", $vars['assoc_device_conditions']) AS $cond) Index: html/pages/addhost.inc.php =================================================================== --- html/pages/addhost.inc.php (revision 6204) +++ html/pages/addhost.inc.php (working copy) 
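Review bot: `$check_array['delay'] = $vars['alert_delay'];` and `$check_array['severity'] = $vars['alert_severity'];` store the request strings as-is, and the required-field loop in the previous hunk does not cover alert_delay, alert_message or alert_and at all, so an empty or non-numeric delay reaches dbInsert(). Cast the numeric field, `'delay' => (int) $vars['alert_delay']`, store `'and'` as `(int) (bool) $vars['alert_and']` if it is the AND/OR toggle it appears to be, and check `severity` against the set of values the form offers before inserting (that list is not in this diff).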
@@ -22,33 +22,34 @@ echo('<div class="well well-white">'); -if ($_POST['hostname']) +if ($vars['hostname']) { if ($_SESSION['userlevel'] > '5') { - $hostname = $_POST['hostname']; + $hostname = strip_tags($vars['hostname']); + $community = strip_tags($vars['community']); - if ($_POST['port'] && is_numeric($_POST['port'])) { $port = (int) $_POST['port']; } else { $port = 161; } + if ($vars['port'] && is_numeric($vars['port'])) { $port = (int) $vars['port']; } else { $port = 161; } - if ($_POST['snmpver'] === "v2c" or $_POST['snmpver'] === "v1") + if ($vars['snmpver'] === "v2c" or $vars['snmpver'] === "v1") { - if ($_POST['community']) + if ($vars['community']) { - $config['snmp']['community'] = array($_POST['community']); + $config['snmp']['community'] = array($community); } - $snmpver = $_POST['snmpver']; + $snmpver = $vars['snmpver']; print_message("Adding host $hostname communit" . (count($config['snmp']['community']) == 1 ? "y" : "ies") . " " . implode(', ',$config['snmp']['community']) . " port $port"); } - elseif ($_POST['snmpver'] === "v3") + elseif ($vars['snmpver'] === "v3") { $v3 = array ( - 'authlevel' => $_POST['authlevel'], - 'authname' => $_POST['authname'], - 'authpass' => $_POST['authpass'], - 'authalgo' => $_POST['authalgo'], - 'cryptopass' => $_POST['cryptopass'], - 'cryptoalgo' => $_POST['cryptoalgo'], + 'authlevel' => $vars['authlevel'], + 'authname' => $vars['authname'], + 'authpass' => $vars['authpass'], + 'authalgo' => $vars['authalgo'], + 'cryptopass' => $vars['cryptopass'], + 'cryptoalgo' => $vars['cryptoalgo'], ); array_push($config['snmp']['v3'], $v3); @@ -62,7 +63,7 @@ print_error("Unsupported SNMP Version. There was a dropdown menu, how did you reach this error ?"); // We have a hacker! } - if ($_POST['ignorerrd'] == 'confirm') { $config['rrd_override'] = TRUE; } + if ($vars['ignorerrd'] == 'confirm') { $config['rrd_override'] = TRUE; } $result = add_device($hostname, $snmpver, $port); if ($result) 
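Review bot: `$hostname = strip_tags($vars['hostname']);` and `$community = strip_tags($vars['community']);` do not validate either value: strip_tags only removes `<...>` sequences, so a double quote survives and still terminates the `value="..."` attribute where `$community` is echoed in the @@ -126 hunk, while a community that legitimately contains `<` is silently altered before it is handed to add_device(). Keep the submitted values intact, validate the hostname against what add_device() accepts (e.g. `preg_match('/^[A-Za-z0-9.:_-]+$/', $hostname)` if only hostnames and IP literals are expected), and escape at the point of output instead: `value="<?php echo escape_html($community); ?>"`. The v3 secrets (`authpass`, `cryptopass`) are passed through unchanged, which is the right treatment for a credential and is what the community should get too.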
@@ -126,7 +127,7 @@ <div class="control-group"> <label class="control-label" for="community">SNMP Community</label> <div class="controls"> - <input type="text" name="community" size="32" value="<?php echo $vars['community']; ?>"/> + <input type="text" name="community" size="32" value="<?php echo $community; ?>"/> </div> </div> </fieldset> Index: html/pages/adduser.inc.php =================================================================== --- html/pages/adduser.inc.php (revision 6204) +++ html/pages/adduser.inc.php (working copy) @@ -24,22 +24,23 @@ if (auth_usermanagement()) { - if ($_POST['action'] == "add") + if ($vars['action'] == "add") { - if ($_POST['new_username']) + if ($vars['new_username']) { - if (!auth_user_exists($_POST['new_username'])) + $vars['new_username'] = strip_tags($vars['new_username']); + if (!auth_user_exists($vars['new_username'])) { - if (isset($_POST['can_modify_passwd'])) + if (isset($vars['can_modify_passwd'])) { - $_POST['can_modify_passwd'] = 1; + $vars['can_modify_passwd'] = 1; } else { - $_POST['can_modify_passwd'] = 0; + $vars['can_modify_passwd'] = 0; } - if (adduser($_POST['new_username'], $_POST['new_password'], $_POST['new_level'], $_POST['new_email'], $_POST['new_realname'], $_POST['can_modify_passwd'], $_POST['new_description'])) + if (adduser($vars['new_username'], $vars['new_password'], $vars['new_level'], $vars['new_email'], $vars['new_realname'], $vars['can_modify_passwd'], $vars['new_description'])) { - print_success('User ' . $_POST['new_username'] . ' added!'); + print_success('User ' . escape_html($vars['new_username']) . ' added!'); } } else { print_error('User with this name already exists!'); @@ -48,7 +49,7 @@ $errors["username"] = "<span class=\"help-inline\">Please enter a username!</span>"; } - if (!$_POST['new_password']) + if (!$vars['new_password']) { $errors["passwd"] = "<span class=\"help-inline\">Please enter a password</span>"; } 
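Review bot: In the adduser.inc.php @@ -24 hunk `$vars['new_username'] = strip_tags($vars['new_username']);` alters the username that gets stored, while the form fields in the @@ -68, @@ -83 and @@ -102 hunks still echo `$vars['new_username']`, `$vars['new_password']`, `$vars['new_realname']`, `$vars['new_email']` and `$vars['new_description']` into `value="..."` attributes without escape_html(), so a quote in any of them still ends the attribute. Escape at output, `value="<?php echo escape_html($vars['new_username']); ?>"` (and the same for the other fields), rather than mutating the input. Re-rendering the submitted password into `name="new_password"` is also worth dropping: it sends the cleartext credential back in the page source for no benefit.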
@@ -68,14 +69,14 @@ <div class="control-group<?php if (isset($errors["username"])) { echo " error"; } ?>"> <label class="control-label" for="new_username"><strong>Username</strong></label> <div class="controls"> - <input class="col-lg-4" type="text" name="new_username" value="<?php echo $_POST['new_username']; ?>"> + <input class="col-lg-4" type="text" name="new_username" value="<?php echo $vars['new_username']; ?>"> <?php if (isset($errors["username"])) { echo $errors["username"]; } ?> </div> </div> <div class="control-group<?php if (isset($errors["passwd"])) { echo " error"; } ?>"> <label class="control-label" for="new_password"><strong>Password</strong></label> <div class="controls"> - <input class="col-lg-4" type="password" name="new_password" value="<?php echo $_POST['new_password']; ?>"> + <input class="col-lg-4" type="password" name="new_password" value="<?php echo $vars['new_password']; ?>"> <?php if (isset($errors["passwd"])) { echo $errors["passwd"]; } ?> <input type="checkbox" checked="checked" name="can_modify_passwd"> Allow the user to change his password. </div> 
@@ -83,16 +84,16 @@ <div class="control-group"> <label class="control-label" for="new_realname"><strong>Real Name</strong></label> <div class="controls"> - <input class="col-lg-4" type="text" name="new_realname" value="<?php echo $_POST['new_realname']; ?>"> + <input class="col-lg-4" type="text" name="new_realname" value="<?php echo $vars['new_realname']; ?>"> </div> </div> <div class="control-group"> <label class="control-label" for="new_level"><strong>User Level</strong></label> <div class="controls"> <select name="new_level" class="col-lg-2"> - <option <?php if ($_POST['new_level'] == "1") { echo "selected"; } ?> value="1">Normal User</option> - <option <?php if ($_POST['new_level'] == "5") { echo "selected"; } ?> value="5">Global Read</option> - <option <?php if ($_POST['new_level'] == "10") { echo "selected"; } ?> value="10">Administrator</option> + <option <?php if ($vars['new_level'] == "1") { echo "selected"; } ?> value="1">Normal User</option> + <option <?php if ($vars['new_level'] == "5") { echo "selected"; } ?> value="5">Global Read</option> + <option <?php if ($vars['new_level'] == "10") { echo "selected"; } ?> value="10">Administrator</option> </select> </div> </div> @@ -102,13 +103,13 @@ <div class="control-group"> <label class="control-label" for="new_email"><strong>E-mail</strong></label> <div class="controls"> - <input class="col-lg-4" type="text" name="new_email" value="<?php echo $_POST['new_email']; ?>"> + <input class="col-lg-4" type="text" name="new_email" value="<?php echo $vars['new_email']; ?>"> </div> </div> <div class="control-group"> <label class="control-label" for="new_description"><strong>Description</strong></label> <div class="controls"> - <input class="col-lg-4" type="text" name="new_description" value="<?php echo $_POST['new_description']; ?>"> + <input class="col-lg-4" type="text" name="new_description" value="<?php echo $vars['new_description']; ?>"> </div> </div> </fieldset> 
@@ -120,7 +121,7 @@ </div> <?php } else { - echo("<div class=\"alert alert-error\">Auth module does not allow user management!</div>"); + print_error('Auth module does not allow user management!'); } } else { include("includes/error-no-perm.inc.php"); Index: html/pages/alert_check.inc.php =================================================================== --- html/pages/alert_check.inc.php (revision 6204) +++ html/pages/alert_check.inc.php (working copy) @@ -143,8 +143,8 @@ <tr> <td>', $check['alert_test_id'], '</td> <td>', '<i class="',$config['entities'][$check['entity_type']]['icon'],'"></i> ', nicecase($check['entity_type']), '</td> - <td>', $check['alert_name'], '</td> - <td><i>', $check['alert_message'], '</i></td> + <td>', escape_html($check['alert_name']), '</td> + <td><i>', escape_html($check['alert_message']), '</i></td> <td>'; // FUCK THIS COMMA SHIT IT IS HIGHLY ANNOYING -T if ($check['suppress_recovery']) { echo('<div style="text-decoration: line-through" title="Recovery notification suppressed">R</div>'); } echo '</td> @@ -202,9 +202,9 @@ { $condition_text[] = $condition['metric'].' '.$condition['condition'].' '.$condition['value']; echo '<tr>'; - echo '<td>'.$condition['metric'].'</td>'; - echo '<td>'.$condition['condition'].'</td>'; - echo '<td>'.$condition['value'].'</td>'; + echo '<td>'.escape_html($condition['metric']).'</td>'; + echo '<td>'.escape_html($condition['condition']).'</td>'; + echo '<td>'.escape_html($condition['value']).'</td>'; echo '</tr>'; } @@ -244,9 +244,9 @@ { foreach ($assoc['device_attribs'] as $attribute) { - echo($attribute['attrib'].' '); - echo($attribute['condition'].' '); - echo($attribute['value']); + echo(escape_html($attribute['attrib']).' '); + echo(escape_html($attribute['condition']).' '); + echo(escape_html($attribute['value'])); echo('<br />'); $assoc_dev_text[] = $attribute['attrib'].' '.$attribute['condition'].' '.$attribute['value']; } 
@@ -263,9 +263,9 @@ { foreach ($assoc['entity_attribs'] as $attribute) { - echo($attribute['attrib'].' '); - echo($attribute['condition'].' '); - echo($attribute['value']); + echo(escape_html($attribute['attrib']).' '); + echo(escape_html($attribute['condition']).' '); + echo(escape_html($attribute['value'])); echo('<br />'); $assoc_entity_text[] = $attribute['attrib'].' '.$attribute['condition'].' '.$attribute['value']; } @@ -543,7 +543,7 @@ <div class="control-group"> <label class="control-label" for="alert_message">Message</label> <div class="controls"> - <textarea class="form-control col-md-12" name="alert_message" rows="3" placeholder="Alert message."/><?php echo(htmlspecialchars($check['alert_message'])); ?></textarea> + <textarea class="form-control col-md-12" name="alert_message" rows="3" placeholder="Alert message."/><?php echo(escape_html($check['alert_message'])); ?></textarea> </div> </div> Index: html/pages/alert_checks.inc.php =================================================================== --- html/pages/alert_checks.inc.php (revision 6204) +++ html/pages/alert_checks.inc.php (working copy) @@ -91,8 +91,8 @@ echo '</td>'; echo '<td><strong>'; - echo '<a href="', generate_url(array('page' => 'alert_check', 'alert_test_id' => $check['alert_test_id'])), '">' . $check['alert_name']. '</a></strong><br />'; - echo '<small>',$check['alert_message'],'</small>'; + echo '<a href="', generate_url(array('page' => 'alert_check', 'alert_test_id' => $check['alert_test_id'])), '">' . escape_html($check['alert_name']). '</a></strong><br />'; + echo '<small>',escape_html($check['alert_message']),'</small>'; echo '</td>'; // Loop the tests used by this alert @@ -164,4 +164,4 @@ echo '</table>'; -?> +// EOF Index: html/pages/bill/edit.inc.php =================================================================== --- html/pages/bill/edit.inc.php (revision 6204) +++ html/pages/bill/edit.inc.php (working copy) 
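Review bot: The rewritten textarea line in the alert_check.inc.php @@ -543 hunk still carries the stray self-closing slash in `placeholder="Alert message."/>`, which is not valid for a `<textarea>` element and, depending on the parser, can leave the escaped message outside the control. Since the line is being touched anyway, change it to `placeholder="Alert message."><?php echo(escape_html($check['alert_message'])); ?></textarea>`.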
@@ -207,9 +207,7 @@ } if (!$emptyCheck) { - echo(' <div class="alert alert-info">' . PHP_EOL); - echo(' <i class="icon-info-sign"></i> There are no ports assigned to this bill' . PHP_EOL); - echo(' </div>' . PHP_EOL); + print_warning('There are no ports assigned to this bill'); } } Index: html/pages/bills.inc.php =================================================================== --- html/pages/bills.inc.php (revision 6204) +++ html/pages/bills.inc.php (working copy) @@ -32,7 +32,7 @@ $isAdmin = (($_SESSION['userlevel'] == "10") ? true : false); $isUser = bill_permitted($bill_id); -if ($vars['addbill'] == "yes") +if ($vars['addbill'] == "yes" && !empty($vars['bill_name'])) { $updated = '1'; Index: html/pages/bills/add.inc.php =================================================================== --- html/pages/bills/add.inc.php (revision 6204) +++ html/pages/bills/add.inc.php (working copy) @@ -15,6 +15,8 @@ $links['this'] = generate_url($vars); $links['bills'] = generate_url(array('page' => 'bills')); +if ($_SESSION['userlevel'] == "10") { + ?> <div class="tabBox"> @@ -22,7 +24,6 @@ <li class="active"><a href="#properties" data-toggle="tab">Bill Properties</a></li> <?php -if ($_SESSION['userlevel'] == "10") { if (is_numeric($vars['port'])) { $billingport = dbFetchRow("SELECT * FROM `ports` AS P, `devices` AS D WHERE `port_id` = ? AND D.device_id = P.device_id", array($vars['port'])); echo(" <li><a href=\"#ports\" data-toggle=\"tab\">Billed Ports</a></li>\n"); 
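Review bot: `!empty($vars['bill_name'])` in the bills.inc.php hunk also rejects a bill named `0`, because empty() treats the string "0" as empty. If the intent is only to refuse a missing or blank name, write `isset($vars['bill_name']) && $vars['bill_name'] !== ''`. The rest of the add-bill branch is outside the hunk.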
@@ -147,7 +148,8 @@ <?php } else { - echo("<div class=\"alert alert-error\"><i class=\"icon-warning-sign\"></i> <strong>Error!</strong><br />You don't have administration rights to create a new bill.</div>"); + print_error("<h4>Error!</h4> + You don't have administration rights to create a new bill."); } -?> +// EOF Index: html/pages/bills/search.inc.php =================================================================== --- html/pages/bills/search.inc.php (revision 6204) +++ html/pages/bills/search.inc.php (working copy) @@ -18,7 +18,7 @@ if (bill_permitted($customers['entity_id'])) { $customer = dbFetchRow("SELECT * FROM `users` WHERE `user_id` = ? ORDER BY `user_id`", array($customers['user_id'])); $name = (empty($customer['realname']) ? $customer['username'] : $customer['realname']); - $select = (($_POST['billinguser'] == $customer['user_id']) ? " selected" : ""); + $select = (($vars['billinguser'] == $customer['user_id']) ? " selected" : ""); $users[$customer['user_id']] = $name; } } Index: html/pages/bills/searchaction.inc.php =================================================================== --- html/pages/bills/searchaction.inc.php (revision 6204) +++ html/pages/bills/searchaction.inc.php (working copy) @@ -11,11 +11,11 @@ * */ -if (isset($_POST['billsearch'])) +if (isset($vars['billsearch'])) { $where = " WHERE 1 "; $param = array(); - foreach ($_POST as $item=>$value) + foreach ($vars as $item=>$value) { if (!empty($value)) { Index: html/pages/device.inc.php =================================================================== --- html/pages/device.inc.php (revision 6204) +++ html/pages/device.inc.php (working copy) 
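Review bot: `foreach ($vars as $item=>$value)` in bills/searchaction.inc.php now iterates every request parameter, not just the posted form fields that `$_POST` held, so routing keys such as `page` (and anything else the framework puts into `$vars`) enter the loop alongside `billsearch`. The loop body that turns `$item`/`$value` into `$where` and `$param` is outside the hunk; if it maps `$item` onto column names it needs an explicit whitelist of searchable fields, e.g. `if (!in_array($item, $searchable_fields, TRUE)) { continue; }` with `$searchable_fields` holding the real list. In bills/search.inc.php `$vars['billinguser'] == $customer['user_id']` is a loose string/int comparison; `(int) $vars['billinguser'] === (int) $customer['user_id']` is safer.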
@@ -93,7 +93,7 @@ $device_state = unserialize($device['device_state']); // Add the device hostname to the page title array - $pagetitle[] = $device['hostname']; + $pagetitle[] = escape_html($device['hostname']); // If the device's OS type has a group, set the device's os_group if ($config['os'][$device['os']]['group']) { $device['os_group'] = $config['os'][$device['os']]['group']; } Index: html/pages/device/edit/agent.inc.php =================================================================== --- html/pages/device/edit/agent.inc.php (revision 6204) +++ html/pages/device/edit/agent.inc.php (working copy) @@ -11,11 +11,11 @@ * */ -if ($_POST['editing']) +if ($vars['editing']) { if ($_SESSION['userlevel'] > "7") { - $agent_port = $_POST['agent_port']; + $agent_port = $vars['agent_port']; if ($agent_port == "") { Index: html/pages/device/edit/alerts.inc.php =================================================================== --- html/pages/device/edit/alerts.inc.php (revision 6204) +++ html/pages/device/edit/alerts.inc.php (working copy) 
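Review bot: `$agent_port = $vars['agent_port'];` in the agent.inc.php hunk is only compared against `""` before the handler continues past the hunk; nothing visible checks that it is a port number. Normalise it up front, `$agent_port = ($vars['agent_port'] === '' ? '' : (int) $vars['agent_port']);` and reject values outside 1–65535, so whatever the code below stores is a usable port. The `escape_html($device['hostname'])` added to `$pagetitle[]` in device.inc.php is worth checking against where `$pagetitle` is rendered: if the title is escaped at output the hostname will be double-escaped, and the other entries pushed into `$pagetitle` are presumably not escaped at this point.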
@@ -11,13 +11,13 @@ * */ -if ($_POST['editing']) +if ($vars['editing']) { if ($_SESSION['userlevel'] > "7") { - $override_sysContact_bool = mres($_POST['override_sysContact']); # FIXME not sure if this mres is needed, it's sent to dbFacile? or doesn't set dev attrib use that? - if (isset($_POST['sysContact'])) { $override_sysContact_string = mres($_POST['sysContact']); } - $disable_notify = mres($_POST['disable_notify']); + $override_sysContact_bool = $vars['override_sysContact']; + if (isset($vars['sysContact'])) { $override_sysContact_string = $vars['sysContact']; } + $disable_notify = $vars['disable_notify']; if ($override_sysContact_bool) { set_dev_attrib($device, 'override_sysContact_bool', '1'); } else { del_dev_attrib($device, 'override_sysContact_bool'); } if (isset($override_sysContact_string)) { set_dev_attrib($device, 'override_sysContact_string', $override_sysContact_string); }; Index: html/pages/device/edit/device.inc.php =================================================================== --- html/pages/device/edit/device.inc.php (revision 6204) +++ html/pages/device/edit/device.inc.php (working copy) @@ -11,14 +11,14 @@ * */ -if ($_POST['editing']) +if ($vars['editing']) { if ($_SESSION['userlevel'] > "7") { $updated = 0; - $override_sysLocation_bool = $_POST['override_sysLocation']; - if (isset($_POST['sysLocation'])) { $override_sysLocation_string = $_POST['sysLocation']; } + $override_sysLocation_bool = $vars['override_sysLocation']; + if (isset($vars['sysLocation'])) { $override_sysLocation_string = $vars['sysLocation']; } if (get_dev_attrib($device,'override_sysLocation_bool') != $override_sysLocation_bool || get_dev_attrib($device,'override_sysLocation_string') != $override_sysLocation_string) 
@@ -32,19 +32,19 @@
 # FIXME needs more sanity checking! and better feedback
 # FIXME -- update location too? Need to trigger geolocation!
- $param = array('purpose' => $_POST['descr'], 'type' => $_POST['type'], 'ignore' => $_POST['ignore'], 'disabled' => $_POST['disabled']);
+ $param = array('purpose' => $vars['descr'], 'type' => $vars['type'], 'ignore' => $vars['ignore'], 'disabled' => $vars['disabled']);
 $rows_updated = dbUpdate($param, 'devices', '`device_id` = ?', array($device['device_id']));
 if ($rows_updated > 0 || $updated)
 {
- if ((bool)$_POST['ignore'] != (bool)$device['ignore'])
+ if ((bool)$vars['ignore'] != (bool)$device['ignore'])
 {
- log_event('Device '.((bool)$_POST['ignore'] ? 'ignored' : 'attended').': '.$device['hostname'], $device['device_id'], 'device');
+ log_event('Device '.((bool)$vars['ignore'] ? 'ignored' : 'attended').': '.$device['hostname'], $device['device_id'], 'device');
 }
- if ((bool)$_POST['disabled'] != (bool)$device['disabled'])
+ if ((bool)$vars['disabled'] != (bool)$device['disabled'])
 {
- log_event('Device '.((bool)$_POST['disabled'] ? 'disabled' : 'enabled').': '.$device['hostname'], $device['device_id'], 'device');
+ log_event('Device '.((bool)$vars['disabled'] ? 'disabled' : 'enabled').': '.$device['hostname'], $device['device_id'], 'device');
 }
 $update_message = "Device record updated.";
 if ($updated == 2) { $update_message.= " Please note that the updated sysLocation string will only be visible after the next poll."; }
Index: html/pages/device/edit/geo.inc.php
===================================================================
--- html/pages/device/edit/geo.inc.php (revision 6204)
+++ html/pages/device/edit/geo.inc.php (working copy)
@@ -12,7 +12,7 @@
 *
 */
-if ($_POST['editing'])
+if ($vars['editing'])
 {
 if (get_db_version() < 169)
 {
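Review bot: `$param` writes `$vars['ignore']` and `$vars['disabled']` into the `devices` row exactly as received, while the `log_event` branches a few lines below compare the same values as `(bool)`; if these are checkboxes the browser sends `on`, so the stored value and the compared value can disagree, and the `# FIXME needs more sanity checking!` context line already asks for this. Normalising once before the update, `'ignore' => (int)(bool)$vars['ignore'], 'disabled' => (int)(bool)$vars['disabled']`, keeps the DB value and the comparisons consistent; whether the columns are integer is not visible here. The enclosing block starts before the hunk.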
@@ -23,13 +23,13 @@
 {
 $updated = 0;
- if ($_POST['submit'] == 'save')
+ if ($vars['submit'] == 'save')
 {
- if ((bool)$_POST['location_manual'])
+ if ((bool)$vars['location_manual'])
 {
 // Set manual coordinates if present
 $pattern = '/(?:^|[\[(])\s*(?<lat>[+-]?\d+(?:\.\d+)*)\s*[,; ]\s*(?<lon>[+-]?\d+(?:\.\d+)*)\s*(?:[\])]|$)/';
- if (preg_match($pattern, $_POST['coordinates'], $matches))
+ if (preg_match($pattern, $vars['coordinates'], $matches))
 {
 if ($matches['lat'] >= -90 && $matches['lat'] <= 90 && $matches['lon'] >= -180 && $matches['lon'] <= 180)
@@ -41,10 +41,10 @@
 $updated++;
 }
 }
- if (!$updated) { unset($_POST); } // If manual set, but coordinates wrong - reset edit
- //r($_POST);
+ if (!$updated) { unset($vars); } // If manual set, but coordinates wrong - reset edit
+ //r($vars);
 }
- if ((bool)$device['location_manual'] && !(bool)$_POST['location_manual'])
+ if ((bool)$device['location_manual'] && !(bool)$vars['location_manual'])
 {
 // Reset manual flag, rediscover geo info
 $update_geo['location_lat'] = array('NULL');
Index: html/pages/device/edit/graphs.inc.php
===================================================================
--- html/pages/device/edit/graphs.inc.php (revision 6204)
+++ html/pages/device/edit/graphs.inc.php (working copy)
@@ -23,7 +23,7 @@
 $graphs_sections[$section][$graph] = (bool)$entry['enabled'];
 }
-$graph = $_POST['toggle_graph'];
+$graph = $vars['toggle_graph'];
 if ($graph && isset($graphs_db[$graph]) && !in_array($config['graph_types']['device'][$graph]['section'], array('poller', 'system')))
 {
Index: html/pages/device/edit/icon.inc.php
===================================================================
--- html/pages/device/edit/icon.inc.php (revision 6204)
+++ html/pages/device/edit/icon.inc.php (working copy)
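Review bot: `unset($vars)` in the `-41` hunk removes the whole request array, not just the coordinate fields, so the `!(bool)$vars['location_manual']` test a few lines below reads an undefined index and evaluates to true: a device that is currently manual whose new coordinates failed to parse falls into the "Reset manual flag, rediscover geo info" branch, which is the opposite of the comment's stated intent to reset the edit. Anything that runs after this include and still reads `$vars` loses it as well. Clearing only the fields involved, `unset($vars['location_manual'], $vars['coordinates']);`, or tracking the parse failure in a local boolean, avoids both effects. The enclosing block starts before the hunk and ends after it.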
@@ -11,11 +11,11 @@
 *
 */
-if ($_POST['editing'])
+if ($vars['editing'])
 {
 if ($_SESSION['userlevel'] > "7")
 {
- $param = array('icon' => $_POST['icon']);
+ $param = array('icon' => $vars['icon']);
 $rows_updated = dbUpdate($param, 'devices', '`device_id` = ?', array($device['device_id']));
Index: html/pages/device/edit/ipmi.inc.php
===================================================================
--- html/pages/device/edit/ipmi.inc.php (revision 6204)
+++ html/pages/device/edit/ipmi.inc.php (working copy)
@@ -11,7 +11,7 @@
 *
 */
-if ($_POST['editing'])
+if ($vars['editing'])
 {
 if ($_SESSION['userlevel'] > 7)
 {
Index: html/pages/device/edit/mibs.inc.php
===================================================================
--- html/pages/device/edit/mibs.inc.php (revision 6204)
+++ html/pages/device/edit/mibs.inc.php (working copy)
@@ -48,9 +48,9 @@
 $attribs = get_dev_attribs($device['device_id']);
-if($_POST['toggle_mib'] && isset($mibs[$_POST['toggle_mib']]))
+if($vars['toggle_mib'] && isset($mibs[$vars['toggle_mib']]))
 {
- $mib = $_POST['toggle_mib'];
+ $mib = $vars['toggle_mib'];
 if (isset($attribs['mib_'.$mib]))
 {
Index: html/pages/device/edit/modules.inc.php
===================================================================
--- html/pages/device/edit/modules.inc.php (revision 6204)
+++ html/pages/device/edit/modules.inc.php (working copy)
@@ -13,9 +13,9 @@
 include($config['install_dir'] . '/includes/polling/functions.inc.php');
-if($_POST['toggle_poller'] && isset($config['poller_modules'][$_POST['toggle_poller']]))
+if($vars['toggle_poller'] && isset($config['poller_modules'][$vars['toggle_poller']]))
 {
- $module = mres($_POST['toggle_poller']); # FIXME wtf mres?
+ $module = $vars['toggle_poller'];
 if (isset($attribs['poll_'.$module]) && $attribs['poll_'.$module] != $config['poller_modules'][$module])
 {
 del_dev_attrib($device, 'poll_' . $module);
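Review bot: `$vars['icon']` is stored into `devices.icon` without being checked against the set of icons that actually exist, unlike the mibs and modules hunks below, which only accept a value that is a key of a known array; if the stored name is later used to build an image path or URL, an arbitrary string here becomes a path component. A lookup against the available icon files before the `dbUpdate`, for example `if (!in_array($vars['icon'], $available_icons, TRUE)) { /* reject */ }` with `$available_icons` built from the icon directory, keeps the stored value to a known set. How the icon is rendered is outside this hunk, so this is a precaution rather than a confirmed defect; the enclosing `if` block continues past the hunk.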
@@ -27,9 +27,9 @@
 $attribs = get_dev_attribs($device['device_id']);
 }
-if($_POST['toggle_ports'] && isset($config[$_POST['toggle_ports']]) && strpos($_POST['toggle_ports'], 'enable_ports_') === 0)
+if($vars['toggle_ports'] && isset($config[$vars['toggle_ports']]) && strpos($vars['toggle_ports'], 'enable_ports_') === 0)
 {
- $module = mres($_POST['toggle_ports']); # FIXME wtf mres?
+ $module = $vars['toggle_ports'];
 if (isset($attribs[$module]) && $attribs[$module] != $config[$module])
 {
 del_dev_attrib($device, $module);
@@ -41,9 +41,9 @@
 $attribs = get_dev_attribs($device['device_id']);
 }
-if($_POST['toggle_discovery'] && isset($config['discovery_modules'][$_POST['toggle_discovery']]))
+if($vars['toggle_discovery'] && isset($config['discovery_modules'][$vars['toggle_discovery']]))
 {
- $module = mres($_POST['toggle_discovery']); # FIXME wtf mres?
+ $module = $vars['toggle_discovery'];
 if (isset($attribs['discover_'.$module]) && $attribs['discover_'.$module] != $config['discovery_modules'][$module])
 {
 del_dev_attrib($device, 'discover_' . $module);
Index: html/pages/device/edit/netscaler_svcs.inc.php
===================================================================
--- html/pages/device/edit/netscaler_svcs.inc.php (revision 6204)
+++ html/pages/device/edit/netscaler_svcs.inc.php (working copy)
@@ -15,15 +15,15 @@
 #print_vars($svcs);
-if ($_POST['submit'] == "update-svcs" && $_SESSION['userlevel'] == '10')
+if ($vars['submit'] == "update-svcs" && $_SESSION['userlevel'] == '10')
 {
 foreach ($svcs AS $svc)
 {
- if ($_POST['svcs'][$svc['svc_id']]['svc_ignore'] == "on") { $_POST['svcs'][$svc['svc_id']]['svc_ignore'] = "1"; } else { $_POST['svcs'][$svc['svc_id']]['svc_ignore'] = "0"; }
+ if ($vars['svcs'][$svc['svc_id']]['svc_ignore'] == "on") { $vars['svcs'][$svc['svc_id']]['svc_ignore'] = "1"; } else { $vars['svcs'][$svc['svc_id']]['svc_ignore'] = "0"; }
 foreach (array('svc_ignore','svc_limit_low','svc_limit') as $field)
 {
- if ($_POST['svcs'][$svc['svc_id']][$field] != $svc[$field]) { $sup[$field] = $_POST['svcs'][$svc['svc_id']][$field]; }
+ if ($vars['svcs'][$svc['svc_id']][$field] != $svc[$field]) { $sup[$field] = $vars['svcs'][$svc['svc_id']][$field]; }
 }
 if (is_array($sup))
@@ -37,8 +37,6 @@
 $svcs = dbFetchRows("SELECT * FROM `netscaler_services` WHERE `device_id` = ? ORDER BY `svc_label`", array($device['device_id']));
 }
-#print_vars($_POST);
-
 ?>
 <form id='update-svcs' name='update-svcs' method='post' action=''>
Index: html/pages/device/edit/netscaler_vsvrs.inc.php
===================================================================
--- html/pages/device/edit/netscaler_vsvrs.inc.php (revision 6204)
+++ html/pages/device/edit/netscaler_vsvrs.inc.php (working copy)
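Review bot: `svc_limit_low` and `svc_limit` are copied from `$vars` into `$sup` with no numeric validation, so a non-numeric value reaches the update that follows `if (is_array($sup))`; sensors.inc.php in this same change normalises its limit fields with `!is_numeric(...) ? array('NULL') : (float)...` before comparing, and applying that same treatment to the two limit fields here, before the `!=` comparison, would make the two pages consistent. `$sup` is also not visibly reset per `$svc`, so a field changed on one service may carry over into the next iteration; the reset, if there is one, is outside the hunk. The netscaler_vsvrs hunk has the same shape. The `foreach` continues past the hunk.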
@@ -15,15 +15,15 @@
 #print_r($vsvrs);
-if ($_POST['submit'] == "update-vsvrs" && $_SESSION['userlevel'] == '10')
+if ($vars['submit'] == "update-vsvrs" && $_SESSION['userlevel'] == '10')
 {
 foreach ($vsvrs AS $vsvr)
 {
- if ($_POST['vsvrs'][$vsvr['vsvr_id']]['vsvr_ignore'] == "on") { $_POST['vsvrs'][$vsvr['vsvr_id']]['vsvr_ignore'] = "1"; } else { $_POST['vsvrs'][$vsvr['vsvr_id']]['vsvr_ignore'] = "0"; }
+ if ($vars['vsvrs'][$vsvr['vsvr_id']]['vsvr_ignore'] == "on") { $vars['vsvrs'][$vsvr['vsvr_id']]['vsvr_ignore'] = "1"; } else { $vars['vsvrs'][$vsvr['vsvr_id']]['vsvr_ignore'] = "0"; }
 foreach (array('vsvr_ignore','vsvr_limit_low','vsvr_limit') as $field)
 {
- if ($_POST['vsvrs'][$vsvr['vsvr_id']][$field] != $vsvr[$field]) { $sup[$field] = $_POST['vsvrs'][$vsvr['vsvr_id']][$field]; }
+ if ($vars['vsvrs'][$vsvr['vsvr_id']][$field] != $vsvr[$field]) { $sup[$field] = $vars['vsvrs'][$vsvr['vsvr_id']][$field]; }
 }
 if (is_array($sup))
@@ -37,8 +37,6 @@
 $vsvrs = dbFetchRows("SELECT * FROM `netscaler_vservers` WHERE `device_id` = ? ORDER BY `vsvr_label`", array($device['device_id']));
 }
-#print_vars($_POST);
-
 ?>
 <form id='update-vsvrs' name='update-vsvrs' method='post' action=''>
Index: html/pages/device/edit/ports.inc.php
===================================================================
--- html/pages/device/edit/ports.inc.php (revision 6204)
+++ html/pages/device/edit/ports.inc.php (working copy)
@@ -11,7 +11,7 @@
 *
 */
-if ($_POST['ignoreport'])
+if ($vars['ignoreport'])
 {
 if ($_SESSION['userlevel'] == '10')
 {
Index: html/pages/device/edit/sensors.inc.php
===================================================================
--- html/pages/device/edit/sensors.inc.php (revision 6204)
+++ html/pages/device/edit/sensors.inc.php (working copy)
@@ -17,7 +17,7 @@
 $warn_enable = ($debug ? TRUE: FALSE); // For enable edit warn limits, set this to TRUE
-if ($_POST['submit'] == "update-sensors" && $_SESSION['userlevel'] == '10')
+if ($vars['submit'] == "update-sensors" && $_SESSION['userlevel'] == '10')
 {
 $did_update = FALSE;
 $update_array = array();
@@ -43,15 +43,15 @@
 // Switch selectors
 foreach ($fields_switch as $field)
 {
- $_POST['sensors'][$sensor['sensor_id']][$field] = ($_POST['sensors'][$sensor['sensor_id']][$field] == 'on' ? '1' : '0');
- if ($_POST['sensors'][$sensor['sensor_id']][$field] != $sensor[$field])
+ $vars['sensors'][$sensor['sensor_id']][$field] = ($vars['sensors'][$sensor['sensor_id']][$field] == 'on' ? '1' : '0');
+ if ($vars['sensors'][$sensor['sensor_id']][$field] != $sensor[$field])
 {
- $update_array[$field] = $_POST['sensors'][$sensor['sensor_id']][$field];
+ $update_array[$field] = $vars['sensors'][$sensor['sensor_id']][$field];
 }
 }
 // Reset limits
- if ($_POST['sensors'][$sensor['sensor_id']]['sensor_reset_limit'])
+ if ($vars['sensors'][$sensor['sensor_id']]['sensor_reset_limit'])
 {
 $limits_reset_array[$sensor['sensor_class']][] = $sensor['sensor_descr'];
 $update_array['sensor_limit_low'] = array('NULL');
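Review bot: The `-43` hunk normalises the checkbox value by writing back into `$vars['sensors'][$sensor['sensor_id']][$field]`, mutating the shared request array from inside the per-sensor loop and repeating the four-level index on every line. A local copy taken once per sensor, `$sensor_vars = $vars['sensors'][$sensor['sensor_id']];`, used for the normalisation, the comparison and the `$update_array` assignment, reads more clearly and leaves `$vars` untouched for whatever runs after this include. The same pattern appears in the `-61` hunk that follows. The `foreach` over sensors starts before the hunk.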
@@ -61,15 +61,15 @@
 }
 // Limits
- if ($_POST['sensors'][$sensor['sensor_id']]['sensor_custom_limit'])
+ if ($vars['sensors'][$sensor['sensor_id']]['sensor_custom_limit'])
 {
 foreach ($fields_limit as $field)
 {
- $_POST['sensors'][$sensor['sensor_id']][$field] = (!is_numeric($_POST['sensors'][$sensor['sensor_id']][$field]) ? array('NULL') : (float)$_POST['sensors'][$sensor['sensor_id']][$field]);
+ $vars['sensors'][$sensor['sensor_id']][$field] = (!is_numeric($vars['sensors'][$sensor['sensor_id']][$field]) ? array('NULL') : (float)$vars['sensors'][$sensor['sensor_id']][$field]);
 $sensor[$field] = (!is_numeric($sensor[$field]) ? array('NULL') : (float)$sensor[$field]);
- if ($_POST['sensors'][$sensor['sensor_id']][$field] !== $sensor[$field])
+ if ($vars['sensors'][$sensor['sensor_id']][$field] !== $sensor[$field])
 {
- $update_array[$field] = $_POST['sensors'][$sensor['sensor_id']][$field];
+ $update_array[$field] = $vars['sensors'][$sensor['sensor_id']][$field];
 }
 }
 }
@@ -77,7 +77,7 @@
 if (count($update_array))
 {
 dbUpdate($update_array, 'sensors', '`sensor_id` = ?', array($sensor['sensor_id']));
- $msg = 'Sensor updated (custom): '.mres($sensor['sensor_class']).' '.$sensor['sensor_type'].' '.$sensor['sensor_id'].' '.htmlentities($sensor['sensor_descr']).' ';
+ $msg = 'Sensor updated (custom): '.$sensor['sensor_class'].' '.$sensor['sensor_type'].' '.$sensor['sensor_id'].' '.htmlentities($sensor['sensor_descr']).' ';
 if ($update_array['sensor_limit_low']) { $msg .= '[L: '.$update_array['sensor_limit_low'].']'; }
 if ($update_array['sensor_limit_low_warn']) { $msg .= '[Lw: '.$update_array['sensor_limit_low_warn'].']'; }
 if ($update_array['sensor_limit_warn']) { $msg .= '[Hw: '.$update_array['sensor_limit_warn'].']'; }
Index: html/pages/device/edit/services.inc.php
===================================================================
--- html/pages/device/edit/services.inc.php (revision 6204)
+++ html/pages/device/edit/services.inc.php (working copy)
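Review bot: The rebuilt `$msg` in the `-77` hunk emits `sensor_class` and `sensor_type` with no escaping while `sensor_descr` still goes through `htmlentities()`, so the string is treated as HTML for one field and as raw text for the others; all three come from the database (SNMP-derived values) and should be escaped the same way, and this change introduces `escape_html()` for exactly that purpose. The limit suffix lines that follow concatenate `$update_array[...]` directly, but the `-61` hunk above sets those entries to `array('NULL')` for non-numeric input, and that prints as `Array`. Since both fixes together are more than three lines, the escaped message and a guard for the array case are sketched below; the enclosing block starts before the hunk.
```php
$msg = 'Sensor updated (custom): '.escape_html($sensor['sensor_class']).' '.escape_html($sensor['sensor_type']).' '.$sensor['sensor_id'].' '.escape_html($sensor['sensor_descr']).' ';
foreach (array('sensor_limit_low' => 'L', 'sensor_limit_low_warn' => 'Lw', 'sensor_limit_warn' => 'Hw') as $field => $label)
{
  // array('NULL') is the "reset to NULL" marker written above; it must not be concatenated into the message
  if (isset($update_array[$field]) && !is_array($update_array[$field])) { $msg .= '['.$label.': '.$update_array[$field].']'; }
}
// … unchanged: any further limit suffixes and the message output …
```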
@@ -13,13 +13,13 @@
 echo('<div style="padding: 10px;">');
-if ($_POST['addsrv']) {
+if ($vars['addsrv']) {
 if ($_SESSION['userlevel'] == '10') {
 include("includes/service-add.inc.php");
 }
 }
-if ($_POST['delsrv']) {
+if ($vars['delsrv']) {
 if ($_SESSION['userlevel'] == '10') {
 include("includes/service-delete.inc.php");
 }
Index: html/pages/device/edit/snmp.inc.php
===================================================================
--- html/pages/device/edit/snmp.inc.php (revision 6204)
+++ html/pages/device/edit/snmp.inc.php (working copy)
@@ -12,31 +12,31 @@
 */
 $ok = FALSE;
-if ($_POST['editing'])
+if ($vars['editing'])
 {
 if ($_SESSION['userlevel'] > "7")
 {
 $update = array();
- switch ($_POST['snmpver'])
+ switch ($vars['snmpver'])
 {
 case 'v3':
- switch ($_POST['authlevel'])
+ switch ($vars['authlevel'])
 {
 case 'authPriv':
- if ($_POST['cryptoalgo'] == 'DES' || $_POST['cryptoalgo'] == 'AES')
+ if ($vars['cryptoalgo'] == 'DES' || $vars['cryptoalgo'] == 'AES')
 {
 $ok = TRUE;
- $update['cryptoalgo'] = $_POST['cryptoalgo'];
- $update['cryptopass'] = $_POST['cryptopass'];
+ $update['cryptoalgo'] = $vars['cryptoalgo'];
+ $update['cryptopass'] = $vars['cryptopass'];
 }
 // no break here
 case 'authNoPriv':
- if ($_POST['authalgo'] == 'MD5' || $_POST['authalgo'] == 'SHA')
+ if ($vars['authalgo'] == 'MD5' || $vars['authalgo'] == 'SHA')
 {
 $ok = TRUE;
- $update['authalgo'] = $_POST['authalgo'];
- $update['authname'] = $_POST['authname'];
- $update['authpass'] = $_POST['authpass'];
+ $update['authalgo'] = $vars['authalgo'];
+ $update['authname'] = $vars['authname'];
+ $update['authpass'] = $vars['authpass'];
 } else { $ok = FALSE; }
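Review bot: In the snmp `-12` hunk the v3 branch stores `cryptopass` and `authpass` after checking only the algorithm names, never the passphrases themselves; SNMPv3 USM key derivation (RFC 3414) and common agents such as net-snmp require passphrases of at least 8 characters, so a shorter value is accepted here and then fails at poll time with no feedback in the form. Adding `&& strlen($vars['cryptopass']) >= 8` to the `authPriv` condition and `&& strlen($vars['authpass']) >= 8` to the `authNoPriv` one keeps `$ok` false for values that cannot work, and `authname` deserves at least a non-empty check in the same place. The outer `switch` continues past the hunk.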
@@ -45,41 +45,41 @@
 $ok = TRUE;
 break;
 }
- if ($ok) { $update['authlevel'] = $_POST['authlevel']; }
+ if ($ok) { $update['authlevel'] = $vars['authlevel']; }
 break;
 case 'v2c':
 case 'v1':
- if (is_string($_POST['community']))
+ if (is_string($vars['community']))
 {
 $ok = TRUE;
- $update['community'] = $_POST['community'];
+ $update['community'] = $vars['community'];
 }
 break;
 }
 if ($ok)
 {
- $update['snmpver'] = $_POST['snmpver'];
- if (in_array($_POST['transport'], $config['snmp']['transports']))
+ $update['snmpver'] = $vars['snmpver'];
+ if (in_array($vars['transport'], $config['snmp']['transports']))
 {
- $update['transport'] = $_POST['transport'];
+ $update['transport'] = $vars['transport'];
 } else { $update['transport'] = 'udp'; }
- if (is_numeric($_POST['port']) && $_POST['port'] > 0 && $_POST['port'] <= 65535)
+ if (is_numeric($vars['port']) && $vars['port'] > 0 && $vars['port'] <= 65535)
 {
- $update['port'] = (int)$_POST['port'];
+ $update['port'] = (int)$vars['port'];
 } else { $update['port'] = 161; }
- if (is_numeric($_POST['timeout']) && $_POST['timeout'] > 0 && $_POST['timeout'] <= 120)
+ if (is_numeric($vars['timeout']) && $vars['timeout'] > 0 && $vars['timeout'] <= 120)
 {
- $update['timeout'] = (int)$_POST['timeout'];
+ $update['timeout'] = (int)$vars['timeout'];
 } else { $update['timeout'] = array('NULL'); }
- if (is_numeric($_POST['retries']) && $_POST['retries'] > 0 && $_POST['retries'] <= 10)
+ if (is_numeric($vars['retries']) && $vars['retries'] > 0 && $vars['retries'] <= 10)
 {
- $update['retries'] = (int)$_POST['retries'];
+ $update['retries'] = (int)$vars['retries'];
 } else { $update['retries'] = array('NULL'); }
Index: html/pages/device/edit/ssh.inc.php
===================================================================
--- html/pages/device/edit/ssh.inc.php (revision 6204)
+++ html/pages/device/edit/ssh.inc.php (working copy)
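Review bot: `is_string($vars['community'])` accepts an empty community for v1/v2c, since form fields always arrive as strings, so `$ok` becomes true and an empty string is written to the device; `if (is_string($vars['community']) && $vars['community'] !== '')` would reject it and leave the existing community in place. The `in_array($vars['transport'], $config['snmp']['transports'])` check further down is a loose comparison and should pass `TRUE` as its third argument so that only an exact transport name is accepted before it is stored. The `if ($ok)` block continues past the hunk.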
@@ -11,11 +11,11 @@
 *
 */
-if ($_POST['editing'])
+if ($vars['editing'])
 {
 if ($_SESSION['userlevel'] > "7")
 {
- $ssh_port = $_POST['ssh_port'];
+ $ssh_port = $vars['ssh_port'];
 if (!is_numeric($ssh_port))
 {
Index: html/pages/device/edit/wmi.inc.php
===================================================================
--- html/pages/device/edit/wmi.inc.php (revision 6204)
+++ html/pages/device/edit/wmi.inc.php (working copy)
@@ -11,17 +11,17 @@
 *
 */
-if ($_POST['editing'])
+if ($vars['editing'])
 {
 if ($_SESSION['userlevel'] > "7")
 {
- $wmi_override = $_POST['wmi_override'];
+ $wmi_override = $vars['wmi_override'];
 if ($wmi_override)
 {
- $wmi_hostname = $_POST['wmi_hostname'];
- $wmi_domain = $_POST['wmi_domain'];
- $wmi_username = $_POST['wmi_username'];
- $wmi_password = $_POST['wmi_password'];
+ $wmi_hostname = $vars['wmi_hostname'];
+ $wmi_domain = $vars['wmi_domain'];
+ $wmi_username = $vars['wmi_username'];
+ $wmi_password = $vars['wmi_password'];
 }
 if ($wmi_override) { set_dev_attrib($device, 'wmi_override', $wmi_override); } else { del_dev_attrib($device, 'wmi_override'); }
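Review bot: In the wmi `-11` hunk `if ($wmi_override)` is tested twice in succession: once to read the four credential fields and again, with an `else`, to set or delete the `wmi_override` attribute. Moving the four assignments into the `if` branch of the second test (which already carries the `else`) removes the first block and makes it visible that `$wmi_hostname`, `$wmi_domain`, `$wmi_username` and `$wmi_password` are only defined when the override is on, which matters for whatever stores them after the hunk. A style point only; the enclosing `if` block continues past the hunk.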
@@ -39,13 +39,13 @@
 }
 }
-if($_POST['toggle_poller'] && isset($GLOBALS['config']['wmi']['modules'][$_POST['toggle_poller']]))
+if($vars['toggle_poller'] && isset($GLOBALS['config']['wmi']['modules'][$vars['toggle_poller']]))
 {
- $module = $_POST['toggle_poller'];
- if (isset($attribs['wmi_poll_'.$module]) && $attribs['wmi_poll_'.$module] != $GLOBALS['config']['wmi']['modules'][$_POST['toggle_poller']])
+ $module = $vars['toggle_poller'];
+ if (isset($attribs['wmi_poll_'.$module]) && $attribs['wmi_poll_'.$module] != $GLOBALS['config']['wmi']['modules'][$vars['toggle_poller']])
 {
 del_dev_attrib($device, 'wmi_poll_' . $module);
- } elseif ($GLOBALS['config']['wmi']['modules'][$_POST['toggle_poller']] == 0) {
+ } elseif ($GLOBALS['config']['wmi']['modules'][$vars['toggle_poller']] == 0) {
 set_dev_attrib($device, 'wmi_poll_' . $module, "1");
 } else {
 set_dev_attrib($device, 'wmi_poll_' . $module, "0");
Index: html/pages/device/overview/information.inc.php
===================================================================
--- html/pages/device/overview/information.inc.php (revision 6204)
+++ html/pages/device/overview/information.inc.php (working copy)
@@ -19,7 +19,7 @@
 if ($config['overview_show_sysDescr'])
 {
- echo('<div style="font-family: courier, serif; margin: 3px"><strong>' . $device['sysDescr'] . "</strong></div>");
+ echo('<div style="font-family: courier, serif; margin: 3px"><strong>' . escape_html($device['sysDescr']) . "</strong></div>");
 }
 if ($device['os'] == "ios") { formatCiscoHardware($device); } // FIXME or do this in a general function for all OS types with a switch($device['os']) ?
Index: html/pages/edituser.inc.php
===================================================================
--- html/pages/edituser.inc.php (revision 6204)
+++ html/pages/edituser.inc.php (working copy)
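Review bot: After `$module = $vars['toggle_poller'];` the wmi `-39` hunk still indexes `$GLOBALS['config']['wmi']['modules'][$vars['toggle_poller']]` twice more, in the `!=` comparison and in the `elseif`; using `$GLOBALS['config']['wmi']['modules'][$module]` in both places reads better and makes it obvious that all three lookups are the same key that the `isset()` guard already validated. A style point only; the `if`/`elseif`/`else` chain continues past the hunk.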
@@ -46,7 +46,7 @@
 echo("<option value='" . $user_entry['user_id'] . "'");
 if ($user_entry['user_id'] == $vars['user_id']) { echo(' selected '); }
 #echo(" onchange=\"location.href='edituser/user_id=' + this.options[this.selectedIndex].value + '/';\" ");
- echo(">" . $user_entry['username'] . "</option>");
+ echo(">" . escape_html($user_entry['username']) . "</option>");
 }
 echo('</select>
@@ -66,7 +66,7 @@
 if (auth_usermanagement() && $vars['user_id'] !== $_SESSION['user_id'])
 {
 echo('<ul class="nav pull-right">');
- echo('<li><a href="'.generate_url(array('page'=>'edituser', 'action'=>'deleteuser', 'user_id'=>$vars['user_id'])).'"><i class="oicon-cross-button"></i> Delete User</a></li>');
+ echo('<li><a href="'.generate_url(array('page' => 'edituser', 'action' => 'deleteuser', 'user_id' => $vars['user_id'])).'"><i class="oicon-cross-button"></i> Delete User</a></li>');
 echo('</ul>');
 }
 }
@@ -89,13 +89,13 @@
 if (auth_can_change_password($user_data['username']) && $vars['action'] == "changepass")
 {
- if ($_POST['new_pass'] == "" || $_POST['new_pass2'] == "")
+ if ($vars['new_pass'] == "" || $vars['new_pass2'] == "")
 {
 print_warning("Password cannot be blank.");
 }
- elseif ($_POST['new_pass'] == $_POST['new_pass2'])
+ elseif ($vars['new_pass'] == $vars['new_pass2'])
 {
- auth_change_password($user_data['username'], $_POST['new_pass']);
+ auth_change_password($user_data['username'], $vars['new_pass']);
 print_message("Password Changed.");
 } else { print_error("Passwords don't match!");
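Review bot: The password comparisons in the `-89` hunk use `==`, and PHP's loose comparison treats numeric-looking strings by value (`'1e3' == '1000'` is true), so two different entries can pass the "match" check; `elseif ($vars['new_pass'] === $vars['new_pass2'])` and `=== ""` for the blank test avoid that. Because the fields are now read from `$vars`, it is also worth confirming this path only honours a POST body: a new password arriving in a query string ends up in web-server and proxy logs and in the Referer of the next request. The preferences.inc.php hunk in this change has the same two comparisons. The enclosing `if (auth_can_change_password(...))` block continues past the hunk.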
@@ -142,7 +142,7 @@
 <table class="table table-bordered table-striped table-condensed">
 <tr>
 <th>Username</th>
- <td><?php echo($user_data['username']); ?></td>
+ <td><?php echo(escape_html($user_data['username'])); ?></td>
 <th>User Level</th>
 <td><?php echo($user_data['level']); ?></td>
 </tr>
Index: html/pages/edituser/deleteuser.inc.php
===================================================================
--- html/pages/edituser/deleteuser.inc.php (revision 6204)
+++ html/pages/edituser/deleteuser.inc.php (working copy)
@@ -27,12 +27,12 @@
 {
 if (deluser($delete_username))
 {
- print_success('User "' . $delete_username . '" deleted!');
+ print_success('User "' . escape_html($delete_username) . '" deleted!');
 } else {
- print_error('Error deleting user "' . $delete_username . '"!');
+ print_error('Error deleting user "' . escape_html($delete_username) . '"!');
 }
 } else {
- print_error('You have requested deletion of the user "' . $delete_username . '". This action can not be reversed.<br /><a href="edituser/action=deleteuser/user_id=' . $vars['user_id'] . '/confirm=yes/">Click to confirm</a>');
+ print_error('You have requested deletion of the user "' . escape_html($delete_username) . '". This action can not be reversed.<br /><a href="edituser/action=deleteuser/user_id=' . $vars['user_id'] . '/confirm=yes/">Click to confirm</a>');
 }
 }
 } else {
Index: html/pages/group_add.inc.php
===================================================================
--- html/pages/group_add.inc.php (revision 6204)
+++ html/pages/group_add.inc.php (working copy)
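Review bot: In the deleteuser `-27` hunk the confirmation link concatenates `$vars['user_id']` into an `href` attribute with no escaping, in the same statement that now escapes `$delete_username`; since `user_id` is request-supplied it is the value most in need of it. `'/user_id=' . escape_html($vars['user_id']) . '/confirm=yes/'`, or `(int)$vars['user_id']` if ids are always numeric, closes that. Separately, completing a user deletion by following a GET link is CSRF-prone; a small POST form with a per-session token is the usual shape, though that is a larger change than this hunk. The enclosing block starts before the hunk and ends after it.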
@@ -33,7 +33,7 @@
 foreach (array('entity_type', 'group_name', 'group_descr', 'assoc_device_conditions', 'assoc_entity_conditions') as $var)
 {
- if (!isset($_POST[$var]) || strlen($_POST[$var]) == '0') { echo("Missing required data.</div>"); break 2; }
+ if (!isset($vars[$var]) || strlen($vars[$var]) == '0') { echo("Missing required data.</div>"); break 2; }
 }
 $group_array = array();
Index: html/pages/ports.inc.php
===================================================================
--- html/pages/ports.inc.php (revision 6204)
+++ html/pages/ports.inc.php (working copy)
@@ -37,7 +37,7 @@
 {
 echo(' <option value="'.$data['device_id'].'"');
 if ($data['device_id'] == $vars['device_id'] || in_array($data['device_id'], $vars['device_id']) ) { echo(' selected'); }
- echo('>'.$data['hostname'].'</option>');
+ echo('>'.escape_html($data['hostname']).'</option>');
 }
 }
 ?>
@@ -169,7 +169,7 @@
 {
 if ($location === '') { $location = OBS_VAR_UNSET; }
 $value = var_encode($location);
- $name = htmlspecialchars($location);
+ $name = escape_html($location);
 echo('<option value="'.$value.'"');
 if (in_array($location, $vars['location'])) { echo(" selected"); }
 echo(">" . $name . "</option>");
Index: html/pages/preferences.inc.php
===================================================================
--- html/pages/preferences.inc.php (revision 6204)
+++ html/pages/preferences.inc.php (working copy)
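Review bot: `strlen($vars[$var]) == '0'` in the group_add hunk compares an integer to a string loosely and, because `$vars` values can be arrays (other hunks in this change index `$vars['svcs'][...]`), `strlen()` on an array returns null with a warning on PHP 5/7 and throws a TypeError on PHP 8, so the required-field check does not fail cleanly for the wrong type. `if (!isset($vars[$var]) || !is_string($vars[$var]) || $vars[$var] === '')` keeps the intent and fails closed. The `foreach` and the outer loop that `break 2` leaves are both outside the hunk.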
@@ -14,17 +14,17 @@
 $pagetitle[] = "User preferences";
 // Change password
-if ($_POST['password'] == "save")
+if ($vars['password'] == "save")
 {
- if (authenticate($_SESSION['username'],$_POST['old_pass']))
+ if (authenticate($_SESSION['username'], $vars['old_pass']))
 {
- if ($_POST['new_pass'] == "" || $_POST['new_pass2'] == "")
+ if ($vars['new_pass'] == "" || $vars['new_pass2'] == "")
 {
 print_warning("Password must not be blank.");
 }
- elseif ($_POST['new_pass'] == $_POST['new_pass2'])
+ elseif ($vars['new_pass'] == $vars['new_pass2'])
 {
- auth_change_password($_SESSION['username'], $_POST['new_pass']);
+ auth_change_password($_SESSION['username'], $vars['new_pass']);
 print_success("Password Changed.");
 }
 else
@@ -43,7 +43,7 @@
 $prefs = get_user_prefs($user_id);
 // Reset RSS/Atom key
- if ($_POST['atom_key'] == "toggle")
+ if ($vars['atom_key'] == "toggle")
 {
 if (set_user_pref($user_id, 'atom_key', md5(strgen())))
 {
@@ -55,7 +55,7 @@
 }
 // Reset API key
- if ($_POST['api_key'] == "toggle")
+ if ($vars['api_key'] == "toggle")
 {
 if (set_user_pref($user_id, 'api_key', md5(strgen())))
 {
Index: includes/common.inc.php
===================================================================
--- includes/common.inc.php (revision 6204)
+++ includes/common.inc.php (working copy)
@@ -1326,6 +1326,13 @@
 // DOCME needs phpdoc block
 // TESTME needs unit testing
+function escape_html($string)
+{
+ return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
+}
+
+// DOCME needs phpdoc block
+// TESTME needs unit testing
 // MOVEME to includes/functions.inc.php
 function getifhost($id)
 {
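Review bot: `escape_html()` in the common.inc.php hunk passes only `ENT_QUOTES`, so on PHP 5.4 and later any value that is not valid UTF-8 makes `htmlspecialchars()` return an empty string, and because this change routes SNMP-derived fields such as `sysDescr` and `hostname` through it, a device with a mis-encoded string would simply render blank with no hint why. `return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` substitutes U+FFFD for the bad sequences instead (the flag exists from PHP 5.4, so only if that is the supported minimum). The function also carries a `// DOCME` marker but no docblock; a short one saying it is for HTML text and attribute context only, that it expects a string (arrays are not handled), and that callers must escape exactly once would fit. The hunk is complete within the view.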