From: Grzegorz Sterniczuk
Date: Wed, 21 Nov 2007 11:06:34 +0000 (+0000)
Subject: - new security patch for cacti 0.8.6j
X-Git-Tag: auto/ac/cacti-0_8_6j-6~1
X-Git-Url: http://git.pld-linux.org/?a=commitdiff_plain;h=ba60752839b2228fd450b45df634d5bc82672dde;hp=4d7c997df5480ecdfe62c100d120a82deac6579c;p=packages%2Fcacti.git
- new security patch for cacti 0.8.6j Changed files: sec_sql_injection-0.8.6j.patch -> 1.1
---
diff --git a/sec_sql_injection-0.8.6j.patch b/sec_sql_injection-0.8.6j.patch
new file mode 100644
index 0000000..37b2838
--- /dev/null
+++ b/sec_sql_injection-0.8.6j.patch
@@ -0,0 +1,14 @@
+diff -ruBbdN cacti-0.8.6j/include/top_graph_header.php cacti-0.8.6j-patched/include/top_graph_header.php
+--- cacti-0.8.6j/include/top_graph_header.php 2007-01-17 19:23:10.000000000 -0500
++++ cacti-0.8.6j-patched/include/top_graph_header.php 2007-11-03 12:53:46.000000000 -0400
+@@ -27,6 +27,10 @@
+ $using_guest_account = false;
+ $show_console_tab = true;
+ 
++/* ================= input validation ================= */
++input_validate_input_number(get_request_var_request("local_graph_id"));
++/* ==================================================== */
++
+ if (read_config_option("global_auth") == "on") {
+ /* at this point this user is good to go... so get some setting about this
+ user and put them into variables to save excess SQL in the future */
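Review bot: Only `local_graph_id` is validated by the lines added ahead of the `global_auth` block in include/top_graph_header.php, and the query that consumes it lies outside the hunk, so any other request variables this file passes to SQL should be checked for the same guard before the patch is treated as a complete fix. The guard rejects bad input rather than sanitising it, so the later query presumably still interpolates the raw request value; an integer cast at the point of use would keep the fix effective if the helper's idea of a number is looser than a plain integer. The commit adds only the patch file, so the fix reaches the built package only once the spec file carries the matching `PatchN:` and `%patchN` lines, which may be in a separate commit. A first line in the patch such as `# Source: <upstream advisory or patch URL>` would make the fix traceable.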