1 diff -ruBbd cacti-0.8.6i/cmd.php cacti-0.8.6i-patch/cmd.php
2 --- cacti-0.8.6i/cmd.php 2006-10-09 00:06:00.000000000 -0400
3 +++ cacti-0.8.6i-patch/cmd.php 2007-01-01 12:27:15.328125000 -0500
7 /* do NOT run this script through a web browser */
8 -if (!isset($_SERVER["argv"][0])) {
9 +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
10 die("<br><strong>This script is only meant to run at the command line.</strong>");
14 $print_data_to_stdout = false;
15 if ($_SERVER["argc"] == "3") {
16 if ($_SERVER["argv"][1] <= $_SERVER["argv"][2]) {
17 + /* address potential exploits */
18 + input_validate_input_number($_SERVER["argv"][1]);
19 + input_validate_input_number($_SERVER["argv"][2]);
21 $hosts = db_fetch_assoc("select * from host where (disabled = '' and " .
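Review bot: The two `input_validate_input_number` calls are placed inside the `if ($_SERVER["argv"][1] <= $_SERVER["argv"][2])` branch, so both arguments have already been read and compared before they are validated; move the two calls to just above that `if` so non-numeric arguments are rejected before first use, and the comment would be more useful as `/* argv[1]/argv[2] are host id bounds: reject anything non-numeric before they reach a query */`. The new CLI guard `isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])` is copied verbatim into copy_cacti_user.php, poller.php, poller_commands.php, poller_export.php, poller_reindex_hosts.php, rebuild_poller_cache.php and script_server.php; it relies on which server variables a given SAPI happens to populate, whereas `php_sapi_name() != 'cli'` states the intent directly and could live in one shared include instead of eight copies. The enclosing `if ($_SERVER["argc"] == "3")` block and the `db_fetch_assoc` call continue outside the hunk.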
24 diff -ruBbd cacti-0.8.6i/copy_cacti_user.php cacti-0.8.6i-patch/copy_cacti_user.php
25 --- cacti-0.8.6i/copy_cacti_user.php 2006-10-09 00:06:00.000000000 -0400
26 +++ cacti-0.8.6i-patch/copy_cacti_user.php 2007-01-01 12:27:15.312500000 -0500
30 /* do NOT run this script through a web browser */
31 -if (! isset($_SERVER["argv"][0])) {
32 - die("This script is only meant to run at the command line.\n");
33 +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
34 + die("<br><strong>This script is only meant to run at the command line.</strong>");
37 if (empty($_SERVER["argv"][2])) {
38 die("\nSyntax:\n php copy_cacti_user.php <template user> <new user>\n\n");
40 diff -ruBbd cacti-0.8.6i/include/html/inc_timespan_settings.php cacti-0.8.6i-patch/include/html/inc_timespan_settings.php
41 --- cacti-0.8.6i/include/html/inc_timespan_settings.php 2006-10-09 00:05:58.000000000 -0400
42 +++ cacti-0.8.6i-patch/include/html/inc_timespan_settings.php 2007-01-02 11:55:45.953125000 -0500
44 +-------------------------------------------------------------------------+
47 +/* ================= input validation ================= */
48 +input_validate_input_number(get_request_var_request("predefined_timespan"));
49 +/* ==================================================== */
51 +/* clean up date1 string */
52 +if (isset($_REQUEST["date1"])) {
53 + $_REQUEST["date1"] = sanitize_search_string(get_request_var("date1"));
56 +/* clean up date2 string */
57 +if (isset($_REQUEST["date2"])) {
58 + $_REQUEST["date2"] = sanitize_search_string(get_request_var("date2"));
61 /* initialize the timespan array */
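Review bot: `sanitize_search_string` is applied to date1 and date2, but those values are date strings rather than free-text search terms, so a helper tuned for search text is a loose fit; a format check that rejects anything not parseable as a date (for example `if (strtotime($_REQUEST["date1"]) === false) { die("invalid date1"); }`, or a match against the exact shape the timespan code expects) would refuse bad input outright instead of stripping characters from it. How date1/date2 are consumed after this point is not visible in the hunk, so treat the stricter check as defence in depth rather than a known hole. The mix of `isset($_REQUEST["date1"])` with `get_request_var("date1")` in the same statement would also read more clearly if one access style were used, and the comment `/* clean up date1 string */` could say what is being removed and why, e.g. `/* date1 comes from the request; reject or strip anything that is not a date before it is used below */`.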
64 diff -ruBbd cacti-0.8.6i/poller.php cacti-0.8.6i-patch/poller.php
65 --- cacti-0.8.6i/poller.php 2006-10-09 00:06:00.000000000 -0400
66 +++ cacti-0.8.6i-patch/poller.php 2007-01-01 12:27:15.328125000 -0500
70 /* do NOT run this script through a web browser */
71 -if (!isset($_SERVER["argv"][0])) {
72 +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
73 die("<br><strong>This script is only meant to run at the command line.</strong>");
76 diff -ruBbd cacti-0.8.6i/poller_commands.php cacti-0.8.6i-patch/poller_commands.php
77 --- cacti-0.8.6i/poller_commands.php 2006-10-09 00:06:00.000000000 -0400
78 +++ cacti-0.8.6i-patch/poller_commands.php 2007-01-01 12:27:15.328125000 -0500
80 define("MAX_RECACHE_RUNTIME", 296);
82 /* do NOT run this script through a web browser */
83 -if (!isset($_SERVER["argv"][0])) {
84 +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
85 die("<br><strong>This script is only meant to run at the command line.</strong>");
88 diff -ruBbd cacti-0.8.6i/poller_export.php cacti-0.8.6i-patch/poller_export.php
89 --- cacti-0.8.6i/poller_export.php 2006-10-09 00:06:00.000000000 -0400
90 +++ cacti-0.8.6i-patch/poller_export.php 2007-01-01 12:27:15.328125000 -0500
94 /* do NOT run this script through a web browser */
95 -if (!isset($_SERVER["argv"][0])) {
96 +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
97 die("<br><strong>This script is only meant to run at the command line.</strong>");
100 diff -ruBbd cacti-0.8.6i/poller_reindex_hosts.php cacti-0.8.6i-patch/poller_reindex_hosts.php
101 --- cacti-0.8.6i/poller_reindex_hosts.php 2006-10-09 00:06:00.000000000 -0400
102 +++ cacti-0.8.6i-patch/poller_reindex_hosts.php 2007-01-01 12:27:15.328125000 -0500
106 /* do NOT run this script through a web browser */
107 -if (!isset($_SERVER["argv"][0])) {
108 +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
109 die("<br><strong>This script is only meant to run at the command line.</strong>");
112 diff -ruBbd cacti-0.8.6i/rebuild_poller_cache.php cacti-0.8.6i-patch/rebuild_poller_cache.php
113 --- cacti-0.8.6i/rebuild_poller_cache.php 2006-10-09 00:06:00.000000000 -0400
114 +++ cacti-0.8.6i-patch/rebuild_poller_cache.php 2007-01-01 12:27:15.312500000 -0500
118 /* do NOT run this script through a web browser */
119 -if (!isset($_SERVER["argv"][0])) {
120 +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
121 die("<br><strong>This script is only meant to run at the command line.</strong>");
124 diff -ruBbd cacti-0.8.6i/script_server.php cacti-0.8.6i-patch/script_server.php
125 --- cacti-0.8.6i/script_server.php 2006-10-09 00:06:00.000000000 -0400
126 +++ cacti-0.8.6i-patch/script_server.php 2007-01-01 12:27:15.312500000 -0500
128 $no_http_headers = true;
130 /* do NOT run this script through a web browser */
131 -if (!isset($_SERVER["argv"][0])) {
132 +if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
133 die("<br><strong>This script is only meant to run at the command line.</strong>");
137 /* define STDOUT/STDIN file descriptors if not running under CLI */