Search
j0ke.net Open Build Service
>
Projects
>
server:monitoring
>
cacti
> cacti-0.8.8b_COMMENT.patch
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File cacti-0.8.8b_COMMENT.patch of Package cacti
--- lib/rrd.php 2013-10-22 14:42:51.990441850 -0500 +++ lib/rrd.php 2013-12-23 18:10:18.282876688 -0600 @@ -1343,20 +1343,20 @@ $need_rrd_nl = TRUE; if ($graph_item_types{$graph_item["graph_type_id"]} == "COMMENT") { + # perform variable substitution first (in case this will yield an empty results or brings command injection problems) + $comment_arg = rrd_substitute_host_query_data($graph_variables["text_format"][$graph_item_id], $graph, $graph_item); + # next, compute the argument of the COMMENT statement and perform injection counter measures + if (trim($comment_arg) == '') { # an empty COMMENT must be treated with care + $comment_arg = cacti_escapeshellarg(' ' . $hardreturn[$graph_item_id]); + } else { + $comment_arg = cacti_escapeshellarg($comment_arg . $hardreturn[$graph_item_id]); + } + + # create rrdtool specific command line if (read_config_option("rrdtool_version") != "rrd-1.0.x") { - $comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id])) . " "; - if (trim($comment_string) == 'COMMENT:"\n"') { - $txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work - } else if (trim($comment_string) != "COMMENT:\"\"") { - $txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item); - } + $txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", $comment_arg) . " "; }else { - $comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id]) . " "; - if (trim($comment_string) == 'COMMENT:"\n"') { - $txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work - } else if (trim($comment_string) != "COMMENT:\"\"") { - $txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item); - } + $txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . $comment_arg . " "; } }elseif (($graph_item_types{$graph_item["graph_type_id"]} == "GPRINT") && (!isset($graph_data_array["graph_nolegend"]))) { $graph_variables["text_format"][$graph_item_id] = str_replace(":", "\:", $graph_variables["text_format"][$graph_item_id]); /* escape colons */ @@ -2097,3 +2097,4 @@ } ?> +