diff options
| author | jim-p <jimp@pfsense.org> | 2016-02-10 12:19:43 -0500 |
|---|---|---|
| committer | jim-p <jimp@pfsense.org> | 2016-02-10 12:19:43 -0500 |
| commit | 7cd2add4de7b85f64033722a055d72f379e487ca (patch) | |
| tree | 76617d6913f2182a3c83a228f4f0746fe0b29086 /src/usr/local/www/status_rrd_graph_img.php | |
| parent | 032def61ca2d829524172066d054211a9771d077 (diff) | |
| download | pfsense-7cd2add4de7b85f64033722a055d72f379e487ca.zip pfsense-7cd2add4de7b85f64033722a055d72f379e487ca.tar.gz | |
Make RRD lists global, validate graph name using whitelist of known values rather than blacklist of characters, beef up validation and escaping of related values while here. Fixes #5874 for 2.3
Diffstat (limited to 'src/usr/local/www/status_rrd_graph_img.php')
| -rw-r--r-- | src/usr/local/www/status_rrd_graph_img.php | 58 |
1 files changed, 31 insertions, 27 deletions
diff --git a/src/usr/local/www/status_rrd_graph_img.php b/src/usr/local/www/status_rrd_graph_img.php index 32d3d4d..40cbe45 100644 --- a/src/usr/local/www/status_rrd_graph_img.php +++ b/src/usr/local/www/status_rrd_graph_img.php @@ -61,26 +61,33 @@ require_once("filter.inc"); require_once("shaper.inc"); require_once("rrd.inc"); -global $g; +global $g, $rrd_graph_list, $rrd_period_list, $rrd_graph_length_list; +$rrddbpath = "/var/db/rrd/"; +$rrdtmppath = "/tmp/"; $pgtitle = array(gettext("System"), gettext("RRD Graphs"), gettext("Image viewer")); if ($_GET['database']) { $curdatabase = basename($_GET['database']); - $curdatabase = str_replace(array("<", ">", ";", "&", "'", '"'), "", htmlspecialchars_decode($curdatabase, ENT_QUOTES | ENT_HTML401)); + $curdatabase = str_replace(array("<", ">", ";", "&", "'", '"', '|'), "", htmlspecialchars_decode($curdatabase, ENT_QUOTES | ENT_HTML401)); + /* Ensure the file is valid and exists */ + if (!file_exists("{$rrddbpath}{$curdatabase}")) { + $curdatabase = "wan-traffic.rrd"; + } } else { $curdatabase = "wan-traffic.rrd"; } -if ($_GET['style']) { +/* Validate the passed style */ +if ($_GET['style'] && array_key_exists($_GET['style'], $rrd_style_list)) { $curstyle = $_GET['style']; } else { $curstyle = "inverse"; } -/* this is used for temp name */ -if ($_GET['graph']) { - $curgraph = str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "", htmlspecialchars_decode($_GET['graph'], ENT_QUOTES | ENT_HTML401)); +/* This is used for temp name. Check the graph against our known list of valid graphs. */ +if ($_GET['graph'] && in_array($_GET['graph'], $rrd_graph_list)) { + $curgraph = htmlspecialchars_decode($_GET['graph'], ENT_QUOTES | ENT_HTML401); } else { $curgraph = "custom"; } @@ -160,8 +167,6 @@ $search = array("-", ".rrd", $curif); $replace = array(" :: ", "", $friendly); $prettydb = ucwords(str_replace($search, $replace, $curdatabase)); -$rrddbpath = "/var/db/rrd/"; -$rrdtmppath = "/tmp/"; $rrdtool = "/usr/bin/nice -n20 /usr/local/bin/rrdtool"; $uptime = "/usr/bin/uptime"; $sed = "/usr/bin/sed"; @@ -180,7 +185,6 @@ switch ($havg) { default: $step = 0; break; } -$rrddbpath = "/var/db/rrd/"; chdir($rrddbpath); $databases = glob("*.rrd"); rsort($databases); @@ -346,7 +350,7 @@ function timeDiff($time, $opt = array()) { if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for traffic stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step --vertical-label \"bits/sec\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; $graphcmd .= "--title \"" . php_uname('n') . " - {$prettydb} - {$hperiod} - {$havg} average\" "; @@ -498,7 +502,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba } elseif (strstr($curdatabase, "-throughput.rrd")) { /* define graphcmd for throughput stats */ /* this gathers all interface statistics, the database does not actually exist */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"bits/sec\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -624,7 +628,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-packets.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for packets stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"packets/sec\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -749,7 +753,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-wireless.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for packets stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"snr/channel/rate\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -781,7 +785,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-vpnusers.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for vpn users stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"users\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -799,7 +803,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-states.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for states stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start -$seconds -e -$average --step $step "; $graphcmd .= "--vertical-label \"states, ip\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -852,7 +856,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-processor.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for processor stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"utilization, number\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -903,7 +907,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-memory.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for memory usage stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"utilization, percent\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -954,7 +958,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-mbuf.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for mbuf usage stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"utilization, percent\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -997,7 +1001,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-queues.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for queue stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"bits/sec\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -1029,7 +1033,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-queuedrops.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for queuedrop stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"drops / sec\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -1062,7 +1066,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-quality.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* make a link quality graphcmd */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png \\ + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " \\ --start $start --end $end --step $step \\ --title \"" . php_uname('n') . " - {$prettydb} - {$hperiod} - {$havg} average\" \\ --color SHADEA#eeeeee --color SHADEB#eeeeee \\ @@ -1097,7 +1101,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\""; } elseif ((strstr($curdatabase, "spamd.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* graph a spamd statistics graph */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png \\ + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " \\ --start $start --end $end --step $step \\ --title \"" . php_uname('n') . " - {$prettydb} - {$hperiod} - {$havg} average\" \\ --color SHADEA#eeeeee --color SHADEB#eeeeee \\ @@ -1134,7 +1138,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba GPRINT:consmax:MAX:\"Max\\:%6.2lf\\n\" \\ COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-cellular.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"signal\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -1152,7 +1156,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-loggedin.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for online Captive Portal users stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"Captive Portal Users\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -1170,7 +1174,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-concurrent.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for online Captive Portal users stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"Captive Portal Users\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -1191,7 +1195,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "ntpd.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for ntpd (was: mbuf) usage stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"time\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; @@ -1234,7 +1238,7 @@ if ((strstr($curdatabase, "-traffic.rrd")) && (file_exists("$rrddbpath$curdataba $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t" . strftime('%b %d %H\:%M\:%S %Y') . "\" "; } elseif ((strstr($curdatabase, "-dhcpd.rrd")) && (file_exists("$rrddbpath$curdatabase"))) { /* define graphcmd for dhcpd stats */ - $graphcmd = "$rrdtool graph $rrdtmppath$curdatabase-$curgraph.png "; + $graphcmd = "$rrdtool graph " . escapeshellarg("{$rrdtmppath}{$curdatabase}-{$curgraph}.png") . " "; $graphcmd .= "--start $start --end $end --step $step "; $graphcmd .= "--vertical-label \"DHCP Leases\" "; $graphcmd .= "--color SHADEA#eeeeee --color SHADEB#eeeeee "; |
