]>
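--- cacti-0.8.6i/cmd.php
+++ cacti-0.8.6i-patch/cmd.php
@@ -26,7 +26,7 @@
 */
 
 /* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
 die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
 
@@ -70,6 +71,10 @@
 $print_data_to_stdout = false;
 if ($_SERVER["argc"] == "3") {
 if ($_SERVER["argv"][1] <= $_SERVER["argv"][2]) {
+ /* address potential exploits */
+ input_validate_input_number($_SERVER["argv"][1]);
+ input_validate_input_number($_SERVER["argv"][2]);
+
 $hosts = db_fetch_assoc("select * from host where (disabled = '' and " .
 "id >= " .
 $_SERVER["argv"][1] .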
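Review bot: The guard on the new `if` line of the first hunk infers "running under a web server" from REQUEST_METHOD/REMOTE_ADDR being present in $_SERVER, which under the CLI SAPI normally also mirrors the process environment, so a legitimate command-line run launched from a process that happens to export those names would be refused as well; that fails closed, which is acceptable, but `if (php_sapi_name() != 'cli') {` states the intent directly and does not depend on which variables a given server populates. The same guard is added in copy_cacti_user.php, poller.php, poller_commands.php, poller_export.php, poller_reindex_hosts.php, rebuild_poller_cache.php and script_server.php. In the second hunk the return values of input_validate_input_number() are discarded, so the SQL assembled from argv on the following lines stays safe only if that helper terminates the script on non-numeric input — presumably it does, but a comment stating that contract would help, e.g. `/* input_validate_input_number() dies on non-numeric input; argv[1..2] are interpolated into SQL below */`. The db_fetch_assoc() statement continues past the end of the hunk.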
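--- cacti-0.8.6i/copy_cacti_user.php
+++ cacti-0.8.6i-patch/copy_cacti_user.php
@@ -25,9 +25,10 @@
 */
 
 /* do NOT run this script through a web browser */
-if (! isset($_SERVER["argv"][0])) {
- die("This script is only meant to run at the command line.\n");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
+
 if (empty($_SERVER["argv"][2])) {
 die("\nSyntax:\n php copy_cacti_user.php <template user> <new user>\n\n");
 }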
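Review bot: The refusal message on the added `die(...)` line switches from the plain text this file had to the HTML markup used by the other CLI scripts; that reads fine when the guard stops a browser request, but the same branch also fires for a terminal run with no argv[0], where the markup is noise. Keeping `die("This script is only meant to run at the command line.\n");` would have served the terminal case, and choosing the message by `php_sapi_name()` would serve both. Consistency with the sibling scripts appears to be the intent, so this is a point of style only.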
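--- cacti-0.8.6i/include/html/inc_timespan_settings.php
+++ cacti-0.8.6i-patch/include/html/inc_timespan_settings.php
@@ -24,6 +24,20 @@
 +-------------------------------------------------------------------------+
 */
 
+/* ================= input validation ================= */
+input_validate_input_number(get_request_var_request("predefined_timespan"));
+/* ==================================================== */
+
+/* clean up date1 string */
+if (isset($_REQUEST["date1"])) {
+ $_REQUEST["date1"] = sanitize_search_string(get_request_var("date1"));
+}
+
+/* clean up date2 string */
+if (isset($_REQUEST["date2"])) {
+ $_REQUEST["date2"] = sanitize_search_string(get_request_var("date2"));
+}
+
 /* initialize the timespan array */
 $timespan = array();
 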
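Review bot: The protection for date1/date2 on the two `sanitize_search_string(...)` lines is a string clean-up whose rules are not visible here, so whether it narrows the value to something safe for wherever the timespan code later uses it (not shown in this hunk) cannot be judged from this file; a positive check — parse with strtotime() and reject a `false` result — would pin the input to a date rather than to "a string the sanitizer tolerates". The cleaned value is written back only to $_REQUEST, so any later read of `$_GET["date1"]` or `$_POST["date1"]` directly, if one exists, would still see the raw value. The predefined_timespan line relies on input_validate_input_number() terminating on non-numeric input, since its return is discarded; a one-line comment stating that contract next to the call, e.g. `/* dies on non-numeric input, nothing to assign */`, would make the intent explicit.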
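--- cacti-0.8.6i/poller.php
+++ cacti-0.8.6i-patch/poller.php
@@ -26,7 +26,7 @@
 */
 
 /* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
 die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
 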
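--- cacti-0.8.6i/poller_commands.php
+++ cacti-0.8.6i-patch/poller_commands.php
@@ -27,7 +27,7 @@
 define("MAX_RECACHE_RUNTIME", 296);
 
 /* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
 die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
 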
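--- cacti-0.8.6i/poller_export.php
+++ cacti-0.8.6i-patch/poller_export.php
@@ -25,7 +25,7 @@
 */
 
 /* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
 die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
 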
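--- cacti-0.8.6i/poller_reindex_hosts.php
+++ cacti-0.8.6i-patch/poller_reindex_hosts.php
@@ -25,7 +25,7 @@
 */
 
 /* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
 die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
 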
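--- cacti-0.8.6i/rebuild_poller_cache.php
+++ cacti-0.8.6i-patch/rebuild_poller_cache.php
@@ -25,7 +25,7 @@
 */
 
 /* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
 die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
 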
124 | diff -ruBbd cacti-0.8.6i/script_server.php cacti-0.8.6i-patch/script_server.php | |
125 | --- cacti-0.8.6i/script_server.php 2006-10-09 00:06:00.000000000 -0400 | |
126 | +++ cacti-0.8.6i-patch/script_server.php 2007-01-01 12:27:15.312500000 -0500 | |
127 | @@ -26,9 +26,8 @@ | |
128 | $no_http_headers = true; | |
129 | ||
130 | /* do NOT run this script through a web browser */ | |
131 | -if (!isset($_SERVER["argv"][0])) { | |
132 | +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) { | |
133 | die("<br><strong>This script is only meant to run at the command line.</strong>"); | |
134 | - exit(-1); | |
135 | } | |
136 | ||
137 | /* define STDOUT/STDIN file descriptors if not running under CLI */ |