projects / packages / cacti.git / blame
| Commit | Line | Data |
|---|---|---|
| 6a573b99 AM |
1 | diff -ruBbd cacti-0.8.6i/cmd.php cacti-0.8.6i-patch/cmd.php |
| 2 | --- cacti-0.8.6i/cmd.php 2006-10-09 00:06:00.000000000 -0400 | |
| 3 | +++ cacti-0.8.6i-patch/cmd.php 2007-01-01 12:27:15.328125000 -0500 | |
| 4 | @@ -26,7 +26,7 @@ | |
| 5 | */ | |
| 6 | ||
| 7 | /* do NOT run this script through a web browser */ | |
| 8 | -if (!isset($_SERVER["argv"][0])) { | |
| 9 | +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) { | |
| 10 | die("<br><strong>This script is only meant to run at the command line.</strong>"); | |
| 11 | } | |
| 12 | ||
| 13 | @@ -70,6 +71,10 @@ | |
| 14 | $print_data_to_stdout = false; | |
| 15 | if ($_SERVER["argc"] == "3") { | |
| 16 | if ($_SERVER["argv"][1] <= $_SERVER["argv"][2]) { | |
| 17 | + /* address potential exploits */ | |
| 18 | + input_validate_input_number($_SERVER["argv"][1]); | |
| 19 | + input_validate_input_number($_SERVER["argv"][2]); | |
| 20 | + | |
| 21 | $hosts = db_fetch_assoc("select * from host where (disabled = '' and " . | |
| 22 | "id >= " . | |
| 23 | $_SERVER["argv"][1] . | |
| 24 | diff -ruBbd cacti-0.8.6i/copy_cacti_user.php cacti-0.8.6i-patch/copy_cacti_user.php | |
| 25 | --- cacti-0.8.6i/copy_cacti_user.php 2006-10-09 00:06:00.000000000 -0400 | |
| 26 | +++ cacti-0.8.6i-patch/copy_cacti_user.php 2007-01-01 12:27:15.312500000 -0500 | |
| 27 | @@ -25,9 +25,10 @@ | |
| 28 | */ | |
| 29 | ||
| 30 | /* do NOT run this script through a web browser */ | |
| 31 | -if (! isset($_SERVER["argv"][0])) { | |
| 32 | - die("This script is only meant to run at the command line.\n"); | |
| 33 | +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) { | |
| 34 | + die("<br><strong>This script is only meant to run at the command line.</strong>"); | |
| 35 | } | |
| 36 | + | |
| 37 | if (empty($_SERVER["argv"][2])) { | |
| 38 | die("\nSyntax:\n php copy_cacti_user.php <template user> <new user>\n\n"); | |
| 39 | } | |
| 40 | diff -ruBbd cacti-0.8.6i/include/html/inc_timespan_settings.php cacti-0.8.6i-patch/include/html/inc_timespan_settings.php | |
| 41 | --- cacti-0.8.6i/include/html/inc_timespan_settings.php 2006-10-09 00:05:58.000000000 -0400 | |
| 42 | +++ cacti-0.8.6i-patch/include/html/inc_timespan_settings.php 2007-01-02 11:55:45.953125000 -0500 | |
| 43 | @@ -24,6 +24,20 @@ | |
| 44 | +-------------------------------------------------------------------------+ | |
| 45 | */ | |
| 46 | ||
| 47 | +/* ================= input validation ================= */ | |
| 48 | +input_validate_input_number(get_request_var_request("predefined_timespan")); | |
| 49 | +/* ==================================================== */ | |
| 50 | + | |
| 51 | +/* clean up date1 string */ | |
| 52 | +if (isset($_REQUEST["date1"])) { | |
| 53 | + $_REQUEST["date1"] = sanitize_search_string(get_request_var("date1")); | |
| 54 | +} | |
| 55 | + | |
| 56 | +/* clean up date2 string */ | |
| 57 | +if (isset($_REQUEST["date2"])) { | |
| 58 | + $_REQUEST["date2"] = sanitize_search_string(get_request_var("date2")); | |
| 59 | +} | |
| 60 | + | |
| 61 | /* initialize the timespan array */ | |
| 62 | $timespan = array(); | |
| 63 | ||
| 64 | diff -ruBbd cacti-0.8.6i/poller.php cacti-0.8.6i-patch/poller.php | |
| 65 | --- cacti-0.8.6i/poller.php 2006-10-09 00:06:00.000000000 -0400 | |
| 66 | +++ cacti-0.8.6i-patch/poller.php 2007-01-01 12:27:15.328125000 -0500 | |
| 67 | @@ -26,7 +26,7 @@ | |
| 68 | */ | |
| 69 | ||
| 70 | /* do NOT run this script through a web browser */ | |
| 71 | -if (!isset($_SERVER["argv"][0])) { | |
| 72 | +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) { | |
| 73 | die("<br><strong>This script is only meant to run at the command line.</strong>"); | |
| 74 | } | |
| 75 | ||
| 76 | diff -ruBbd cacti-0.8.6i/poller_commands.php cacti-0.8.6i-patch/poller_commands.php | |
| 77 | --- cacti-0.8.6i/poller_commands.php 2006-10-09 00:06:00.000000000 -0400 | |
| 78 | +++ cacti-0.8.6i-patch/poller_commands.php 2007-01-01 12:27:15.328125000 -0500 | |
| 79 | @@ -27,7 +27,7 @@ | |
| 80 | define("MAX_RECACHE_RUNTIME", 296); | |
| 81 | ||
| 82 | /* do NOT run this script through a web browser */ | |
| 83 | -if (!isset($_SERVER["argv"][0])) { | |
| 84 | +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) { | |
| 85 | die("<br><strong>This script is only meant to run at the command line.</strong>"); | |
| 86 | } | |
| 87 | ||
| 88 | diff -ruBbd cacti-0.8.6i/poller_export.php cacti-0.8.6i-patch/poller_export.php | |
| 89 | --- cacti-0.8.6i/poller_export.php 2006-10-09 00:06:00.000000000 -0400 | |
| 90 | +++ cacti-0.8.6i-patch/poller_export.php 2007-01-01 12:27:15.328125000 -0500 | |
| 91 | @@ -25,7 +25,7 @@ | |
| 92 | */ | |
| 93 | ||
| 94 | /* do NOT run this script through a web browser */ | |
| 95 | -if (!isset($_SERVER["argv"][0])) { | |
| 96 | +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) { | |
| 97 | die("<br><strong>This script is only meant to run at the command line.</strong>"); | |
| 98 | } | |
| 99 | ||
| 100 | diff -ruBbd cacti-0.8.6i/poller_reindex_hosts.php cacti-0.8.6i-patch/poller_reindex_hosts.php | |
| 101 | --- cacti-0.8.6i/poller_reindex_hosts.php 2006-10-09 00:06:00.000000000 -0400 | |
| 102 | +++ cacti-0.8.6i-patch/poller_reindex_hosts.php 2007-01-01 12:27:15.328125000 -0500 | |
| 103 | @@ -25,7 +25,7 @@ | |
| 104 | */ | |
| 105 | ||
| 106 | /* do NOT run this script through a web browser */ | |
| 107 | -if (!isset($_SERVER["argv"][0])) { | |
| 108 | +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) { | |
| 109 | die("<br><strong>This script is only meant to run at the command line.</strong>"); | |
| 110 | } | |
| 111 | ||
| 112 | diff -ruBbd cacti-0.8.6i/rebuild_poller_cache.php cacti-0.8.6i-patch/rebuild_poller_cache.php | |
| 113 | --- cacti-0.8.6i/rebuild_poller_cache.php 2006-10-09 00:06:00.000000000 -0400 | |
| 114 | +++ cacti-0.8.6i-patch/rebuild_poller_cache.php 2007-01-01 12:27:15.312500000 -0500 | |
| 115 | @@ -25,7 +25,7 @@ | |
| 116 | */ | |
| 117 | ||
| 118 | /* do NOT run this script through a web browser */ | |
| 119 | -if (!isset($_SERVER["argv"][0])) { | |
| 120 | +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) { | |
| 121 | die("<br><strong>This script is only meant to run at the command line.</strong>"); | |
| 122 | } | |
| 123 | ||
| 124 | diff -ruBbd cacti-0.8.6i/script_server.php cacti-0.8.6i-patch/script_server.php | |
| 125 | --- cacti-0.8.6i/script_server.php 2006-10-09 00:06:00.000000000 -0400 | |
| 126 | +++ cacti-0.8.6i-patch/script_server.php 2007-01-01 12:27:15.312500000 -0500 | |
| 127 | @@ -26,9 +26,8 @@ | |
| 128 | $no_http_headers = true; | |
| 129 | ||
| 130 | /* do NOT run this script through a web browser */ | |
| 131 | -if (!isset($_SERVER["argv"][0])) { | |
| 132 | +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) { | |
| 133 | die("<br><strong>This script is only meant to run at the command line.</strong>"); | |
| 134 | - exit(-1); | |
| 135 | } | |
| 136 | ||
| 137 | /* define STDOUT/STDIN file descriptors if not running under CLI */ |