author | smos <seth.mos@dds.nl> | 2010-07-23 09:59:58 +0200 |
---|---|---|
committer | smos <seth.mos@dds.nl> | 2010-07-23 09:59:58 +0200 |
commit | 002bc4ab3268e6e5cb3a01ce73a4c1624d09050a (patch) | |
tree | 173bca4afaab7afd3756ba2e562902e48f4d09b0 /usr/local/www/status_rrd_graph.php | |
parent | d6a0379d291f5e98500776618559343f40254e40 (diff) | |
Fix the glob() to return only the files, not the pathnames, use chdir()
before.
Fix a possible injection of ../ in the database path by using basename()
Fix the week graph math so it is correct.
Diffstat (limited to 'usr/local/www/status_rrd_graph.php')
-rwxr-xr-x | usr/local/www/status_rrd_graph.php | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/usr/local/www/status_rrd_graph.php b/usr/local/www/status_rrd_graph.php
index c0d8814..770b61b 100755
--- a/usr/local/www/status_rrd_graph.php
+++ b/usr/local/www/status_rrd_graph.php
@@ -49,7 +49,9 @@ if(! isset($config['rrd']['enable'])) {
 }
 $rrddbpath = "/var/db/rrd/";
-$databases = glob("{$rrddbpath}*.rrd");
+chdir($rrddbpath);
+$databases = glob("*.rrd");
+
 if ($_GET['cat']) {
 $curcat = $_GET['cat'];
@@ -206,8 +208,8 @@ function get_dates($curperiod, $graph) {
 $end = mktime(0, 0, 0, $curmonth, (($curday + $offset) + 1), $curyear);
 break;
 case "week":
- $start = mktime(0, 0, 0, $curmonth, (($curday + $curweekday) - $offset), $curyear);
- $end = mktime(0, 0, 0, $curmonth, (($curday + $curweekday) + 7), $curyear);
+ $start = mktime(0, 0, 0, $curmonth, (($curday - $curweekday) + $offset), $curyear);
+ $end = mktime(0, 0, 0, $curmonth, (($curday - $curweekday) + 7), $curyear);
 break;
 case "month":
 $start = mktime(0, 0, 0, ($curmonth + $offset), 0, $curyear);
@@ -330,7 +332,6 @@ function get_dates($curperiod, $graph) {
 echo " selected ";
 }
 echo ">" . htmlspecialchars($prettyprint) . "</option>\n";
- } ?> |
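Review bot: `chdir($rrddbpath)` in the first hunk is unchecked: if it fails, `glob("*.rrd")` runs against whatever directory the script started in, and when it succeeds the process-wide working directory change affects every later relative path in the request. Keeping the absolute pattern and stripping the directory gives the same list without either effect: `$databases = array_map('basename', glob("{$rrddbpath}*.rrd"));`, with a guard for glob() returning false. The commit message also describes a basename() fix for `../` in the database path, but no basename() call appears in this file's hunks, and the context line `$curcat = $_GET['cat'];` still takes the request value as-is. Its later use is outside the hunk, so confirm it is checked against a fixed list of categories before it reaches a file path.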
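Review bot: In the `week` case the new `$end` omits `$offset` while the new `$start` includes it, so for any non-zero offset the window is no longer seven days wide; the `day` case in the context line just above applies `$offset` to its end. If a sliding one-week window is intended, the end would be `$end = mktime(0, 0, 0, $curmonth, (($curday - $curweekday) + $offset + 7), $curyear);`. How `$offset` is computed is outside the hunk, so its unit (days) should be confirmed first. get_dates() begins and ends outside this hunk.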