Commit fb438e6a authored by Maximilien Bersoult's avatar Maximilien Bersoult Committed by Stephane Chapron
fix(sec): Fix execution command by rrdtool command line

* Fix command execution via the rrdtool command line in Virtual Metrics
* Fix command execution via the rrdtool command line in graph images
parent 693edc24
Branches security-fix-virtual-metrics
...@@ -749,10 +749,8 @@ class CentreonGraph ...@@ -749,10 +749,8 @@ class CentreonGraph
$this->RRDoptions["upper-limit"] $this->RRDoptions["upper-limit"]
); );
} }
$this->addArgument( $this->addArgument('DEF:vi' . $cpt . '=' . $this->dbPath . $key . '.rrd:value:AVERAGE');
"DEF:vi" . $cpt . "=" . $this->dbPath . $key . ".rrd:value:AVERAGE CDEF:v" . $cpt . $this->addArgument('CDEF:v' . $cpt . '=vi' . $cpt . ',-1,*');
"=vi" . $cpt . ",-1,*"
);
if (isset($tm["warn"]) && $tm["warn"] != 0) { if (isset($tm["warn"]) && $tm["warn"] != 0) {
$tm["warn"] *= -1; $tm["warn"] *= -1;
} }
...@@ -880,7 +878,14 @@ class CentreonGraph ...@@ -880,7 +878,14 @@ class CentreonGraph
} }
$rpn_values .= $this->vname[$tm["metric"]] . ",UN,0," . $this->vname[$tm["metric"]] . ",IF,"; $rpn_values .= $this->vname[$tm["metric"]] . ",UN,0," . $this->vname[$tm["metric"]] . ",IF,";
$rpn_expr .= ",+"; $rpn_expr .= ",+";
if (strpos($arg, ' ') === false) {
$this->addArgument($arg); $this->addArgument($arg);
} else {
$args = explode(' ', $arg);
foreach ($args as $arg2) {
$this->addArgument($arg2);
}
}
if ($this->onecurve && isset($tm["warn"]) && if ($this->onecurve && isset($tm["warn"]) &&
$tm["warn"] != 0 && isset($tm["crit"]) && $tm["crit"] != 0) { $tm["warn"] != 0 && isset($tm["crit"]) && $tm["crit"] != 0) {
$this->addArgument("AREA:ow" . $nb . $tm["ds_color_area_warn"] . "CF::STACK"); $this->addArgument("AREA:ow" . $nb . $tm["ds_color_area_warn"] . "CF::STACK");
...@@ -894,7 +899,7 @@ class CentreonGraph ...@@ -894,7 +899,7 @@ class CentreonGraph
} else { } else {
$arg = "LINE" . $tm["ds_tickness"] . ":vc" . $cpt; $arg = "LINE" . $tm["ds_tickness"] . ":vc" . $cpt;
} }
$arg .= $tm["ds_color_line"] . ":'"; $arg .= $tm["ds_color_line"] . ":";
} }
if (!$this->checkcurve) { if (!$this->checkcurve) {
...@@ -906,11 +911,10 @@ class CentreonGraph ...@@ -906,11 +911,10 @@ class CentreonGraph
if (!$this->onecurve && isset($tm["ds_hidecurve"]) && $tm["ds_hidecurve"] == 1) { if (!$this->onecurve && isset($tm["ds_hidecurve"]) && $tm["ds_hidecurve"] == 1) {
$arg .= " "; $arg .= " ";
} }
$arg .= "'";
$this->addArgument($arg); $this->addArgument($arg);
$vdefs = ""; $vdefs = array();
$prints = ""; $prints = array();
foreach (array("last" => "LAST", "min" => "MINIMUM", "max" => "MAXIMUM", foreach (array("last" => "LAST", "min" => "MINIMUM", "max" => "MAXIMUM",
...@@ -919,31 +923,36 @@ class CentreonGraph ...@@ -919,31 +923,36 @@ class CentreonGraph
continue; continue;
} }
$dispname = ucfirst($name); $dispname = ucfirst($name);
$vdefs .= "VDEF:" . $this->vname[$tm["metric"]] . $dispname . "=" . $vdefs[] = "VDEF:" . $this->vname[$tm["metric"]] . $dispname . "=" .
$this->vname[$tm["metric"]] . "," . $cf . " "; $this->vname[$tm["metric"]] . "," . $cf;
if (($name == "min" || $name == "max") && if (($name == "min" || $name == "max") &&
(isset($tm['ds_minmax_int']) && $tm['ds_minmax_int'])) { (isset($tm['ds_minmax_int']) && $tm['ds_minmax_int'])) {
$displayformat = "%7.0lf"; $displayformat = "%7.0lf";
} else { } else {
$displayformat = "%7.2lf"; $displayformat = "%7.2lf";
} }
$prints .= "GPRINT:" . $this->vname[$tm["metric"]] . $dispname.":\"" . $prints[] = "GPRINT:" . $this->vname[$tm["metric"]] . $dispname.":" .
$dispname . "\:" . $displayformat . ($this->gprintScaleOption) . "\" "; $dispname . "\:" . $displayformat . ($this->gprintScaleOption);
}
foreach ($vdefs as $vdef) {
$this->addArgument($vdef);
} }
$this->addArgument($vdefs); foreach ($prints as $print) {
$this->addArgument($prints . "COMMENT:\"\\l\""); $this->addArgument($print);
}
$this->addArgument("COMMENT:\\l");
if ($this->onecurve) { if ($this->onecurve) {
if (isset($tm["warn"]) && !empty($tm["warn"]) && $tm["warn"] != 0) { if (isset($tm["warn"]) && !empty($tm["warn"]) && $tm["warn"] != 0) {
$this->addArgument( $this->addArgument(
"HRULE:" . $tm["warn"] . $tm["ds_color_area_warn"] . ":\"Warning \: " . "HRULE:" . $tm["warn"] . $tm["ds_color_area_warn"] . ":Warning \: " .
$this->humanReadable($tm["warn"], $tm["unit"]) . "\\l\" " $this->humanReadable($tm["warn"], $tm["unit"]) . "\\l "
); );
} }
if (isset($tm["crit"]) && !empty($tm["crit"]) && $tm["crit"] != 0) { if (isset($tm["crit"]) && !empty($tm["crit"]) && $tm["crit"] != 0) {
$this->addArgument( $this->addArgument(
"HRULE:" . $tm["crit"] . $tm["ds_color_area_crit"] . ":\"Critical \: " . "HRULE:" . $tm["crit"] . $tm["ds_color_area_crit"] . ":Critical \: " .
$this->humanReadable($tm["crit"], $tm["unit"]) . "\"" $this->humanReadable($tm["crit"], $tm["unit"])
); );
} }
} }
...@@ -953,7 +962,7 @@ class CentreonGraph ...@@ -953,7 +962,7 @@ class CentreonGraph
$tm["ds_jumpline"] = 0; $tm["ds_jumpline"] = 0;
} }
while ($cline < $tm["ds_jumpline"]) { while ($cline < $tm["ds_jumpline"]) {
$this->addArgument("COMMENT:\"\\c\""); $this->addArgument("COMMENT:\\c");
$cline++; $cline++;
} }
} }
...@@ -1257,9 +1266,6 @@ class CentreonGraph ...@@ -1257,9 +1266,6 @@ class CentreonGraph
*/ */
public function setRRDOption($name, $value = null) public function setRRDOption($name, $value = null)
{ {
if (strpos($value, " ")!==false) {
$value = "'".$value."'";
}
$this->RRDoptions[$name] = $value; $this->RRDoptions[$name] = $value;
} }
...@@ -1366,17 +1372,17 @@ class CentreonGraph ...@@ -1366,17 +1372,17 @@ class CentreonGraph
} }
foreach ($this->RRDoptions as $key => $value) { foreach ($this->RRDoptions as $key => $value) {
$commandLine .= "--".$key; $commandLine .= '--' . $key;
if (isset($value)) { if (isset($value)) {
$commandLine .= "=".$value; $commandLine .= '=' . escapeshellarg($value);
} }
$commandLine .= " "; $commandLine .= ' ';
} }
foreach ($this->colors as $key => $value) { foreach ($this->colors as $key => $value) {
$commandLine .= "--color ".$key.$value." "; $commandLine .= '--color ' . escapeshellarg($key . $value) . ' ';
} }
foreach ($this->fonts as $key => $value) { foreach ($this->fonts as $key => $value) {
$commandLine .= "--font ".$key.$value." "; $commandLine .= '--font ' . escapeshellarg($key . $value) . ' ';
} }
/* /*
...@@ -1387,10 +1393,10 @@ class CentreonGraph ...@@ -1387,10 +1393,10 @@ class CentreonGraph
$rrd_time = str_replace(":", "\:", $rrd_time); $rrd_time = str_replace(":", "\:", $rrd_time);
$rrd_time2 = addslashes($this->GMT->getDate("Y\/m\/d G:i", $this->RRDoptions["end"])) ; $rrd_time2 = addslashes($this->GMT->getDate("Y\/m\/d G:i", $this->RRDoptions["end"])) ;
$rrd_time2 = str_replace(":", "\:", $rrd_time2); $rrd_time2 = str_replace(":", "\:", $rrd_time2);
$commandLine .= " COMMENT:\" From $rrd_time to $rrd_time2 \\c\" "; $commandLine .= escapeshellarg('COMMENT: From ' . $rrd_time . ' to ' . $rrd_time2 . ' \\c');
} }
foreach ($this->arguments as $arg) { foreach ($this->arguments as $arg) {
$commandLine .= " ".$arg." "; $commandLine .= ' ' . escapeshellarg($arg) . ' ';
} }
$gmt_export = ""; $gmt_export = "";
$commandLine = preg_replace("/(\\\$|`)/", "", $commandLine); $commandLine = preg_replace("/(\\\$|`)/", "", $commandLine);
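Review bot: The option name is still concatenated unescaped as `'--' . $key` in the RRDoptions loop, so any caller that passes a user-influenced `$name` to `setRRDOption()` keeps a shell-injection path that the new `escapeshellarg($value)` does not close; whether such a caller exists is not visible here, so I would validate the name in `setRRDOption()` itself: `if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $name)) { throw new \InvalidArgumentException('Invalid rrdtool option name: ' . $name); }`. Two caveats a maintainer should know about escapeshellarg: it drops bytes that are invalid in the current LC_CTYPE locale, so non-ASCII legends or metric names are silently mangled unless a UTF-8 locale is set before this builds the command line, and the trailing `preg_replace` that strips `$` and backticks is now redundant for shell safety yet still mutates legitimate quoted content, so consider removing it with a comment explaining why quoting now suffices. The new `explode(' ', $arg)` splitting in the earlier hunk presumably assumes `$arg` holds several space-separated rrdtool directives; if a metric path or legend can legitimately contain a space, that split will hand rrdtool a broken argument, which is worth a comment or an explicit check where `$arg` is assembled (outside this hunk).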