Add new sanitization checks. Minor output fixes for decompose graph. …

…Fixes for clearly broken Nagios scripts

api/host.php

@@ -20,10 +20,10 @@
 }
 
 // Variables
-$hostname = $_GET['h'];
-$cluster_url = $_GET['c'];
-$range = $_GET['r'];
-$debug = $_GET['debug'];
+$hostname = sanitize($_GET['h']);
+$cluster_url = sanitize($_GET['c']);
+$range = sanitize($_GET['r']);
+$debug = sanitize($_GET['debug']);
 
 function form_image_url ( $page, $args ) {
   global $conf;

decompose_graph.php

@@ -10,6 +10,8 @@
 
 $user['view_name'] = isset($_GET["vn"]) ? sanitize ($_GET["vn"]) : NULL;
 $user['item_id'] = isset($_GET["item_id"]) ? sanitize ($_GET["item_id"]) : NULL;
+$user['hreg'] = isset($_GET["hreg"]) ? $_GET["hreg"] : NULL;
+$user['mreg'] = isset($_GET["mreg"]) ? $_GET["mreg"] : NULL;
 
 #################################################################################
 # Let's check if we are decomposing a composite graph from a view
@@ -37,13 +39,13 @@
 } else if ( isset($_GET['aggregate']) ) {
 
 
-  $graph_config = build_aggregate_graph_config ($graph_type, $line_width, $_GET['hreg'], $_GET['mreg']);
+  $graph_config = build_aggregate_graph_config ($graph_type, $line_width, $user['hreg'], $user['mreg']);
 
-  foreach ( $_GET['hreg'] as $index => $arg ) {
-    print "<input type=hidden name=hreg[] value='" . htmlspecialchars($arg) . "'>";
+  foreach ( $user['hreg'] as $index => $arg ) {
+    print "<input type=hidden name=hreg[] value='" . sanitize($arg) . "'>";
   }
-  foreach ( $_GET['mreg'] as $index => $arg ) {
-    print "<input type=hidden name=mreg[] value='" . htmlspecialchars($arg) . "'>";
+  foreach ( $user['mreg'] as $index => $arg ) {
+    print "<input type=hidden name=mreg[] value='" . sanitize($arg) . "'>";
   }
 
 } else {
@@ -80,16 +82,12 @@
 
 foreach ( $graph_config['series'] as $index => $item ) {
    $args = "h=" . $item['hostname'] . "&c=" . $item['clustername'] . "&m=" . $item['metric'];
-   $items[] = array ( "title" => "",
+   $items[] = array ( "title" => $item['hostname'] . " " . $item['metric'],
           "url_args" => $args . $graphargs . "&r=" . $range
    );
 
 }
 
-#print "<PRE>"; print_r($items);
-
 $data->assign("items", $items);
 $data->assign("number_of_items", count($items));
 $dwoo->output($tpl, $data);
-
-?>

functions.php

@@ -347,7 +347,7 @@ function rowstyle() {
 # Resulting string is not URL-encoded.
 function clean_string( $string ) {
 
-  return htmlentities( $string );
+  return htmlentities( $string, ENT_QUOTES | ENT_HTML401 );
 }
 #------------------------------------------------------------------------------
 function sanitize ( $string ) {

get_context.php

@@ -11,9 +11,9 @@
 ///////////////////////////////////////////////////////////////////////////////
 // Blocking malicious CGI input.
 $user['clustername'] = isset($_GET["c"]) ?
-    escapeshellcmd( clean_string( rawurldecode($_GET["c"]) ) ) : NULL;
+    sanitize($_GET["c"]) : NULL;
 $user['gridname'] = isset($_GET["G"]) ?
-    escapeshellcmd( clean_string( rawurldecode($_GET["G"]) ) ) : NULL;
+    sanitize($_GET["G"]) : NULL;
 
 $user['viewname'] = '';
 if ( isset($_GET["vn"]) &&  is_proper_view_name ($_GET["vn"]) ) {
@@ -22,22 +22,22 @@
 
 if($conf['case_sensitive_hostnames'] == 1) {
     $user['hostname'] = isset($_GET["h"]) ?
-        escapeshellcmd( clean_string( rawurldecode($_GET["h"]) ) ) : NULL;
+        sanitize($_GET["h"]) : NULL;
 } else {
     $user['hostname'] = isset($_GET["h"]) ?
-        strtolower( escapeshellcmd( clean_string( rawurldecode($_GET["h"]) ) ) ) : NULL;
+        strtolower( sanitize($_GET["h"]) ) : NULL;
 }
 
 $user['range'] = isset( $_GET["r"] ) && in_array($_GET["r"], array_keys( $conf['time_ranges'] ) ) ?
     escapeshellcmd( rawurldecode($_GET["r"])) : NULL;
 $user['metricname'] = isset($_GET["m"]) ?
-    escapeshellcmd( clean_string( rawurldecode($_GET["m"]) ) ) : NULL;
+    sanitize($_GET["m"]) : NULL;
 $user['metrictitle'] = isset($_GET["ti"]) ?
-    escapeshellcmd( clean_string( rawurldecode($_GET["ti"]) ) ) : NULL;
+    sanitize($_GET["ti"]) : NULL;
 $user['sort'] = isset($_GET["s"]) ?
-    escapeshellcmd( clean_string( rawurldecode($_GET["s"]) ) ) : NULL;
+    sanitize($_GET["s"]) : NULL;
 $user['controlroom'] = isset($_GET["cr"]) ?
-    escapeshellcmd( clean_string( rawurldecode($_GET["cr"]) ) ): NULL;
+    sanitize($_GET["cr"]): NULL;
 # Default value set in conf.php, Allow URL to overrride
 if (isset($_GET["hc"]))
     //TODO: shouldn't set $conf from user input.
@@ -51,7 +51,7 @@
 $user['physical'] = isset($_GET["p"]) ?
     clean_number( $_GET["p"] ) : NULL;
 $user['tree'] = isset($_GET["t"]) ?
-    escapeshellcmd($_GET["t"] ) : NULL;
+    sanitize($_GET["t"] ) : NULL;
 # A custom range value for job graphs, in -sec.
 $user['jobrange'] = isset($_GET["jr"]) ?
     clean_number( $_GET["jr"] ) : NULL;
@@ -60,18 +60,18 @@
     clean_number( $_GET["js"] ) : NULL;
 # custom start and end
 $user['cs'] = isset($_GET["cs"]) ?
-    escapeshellcmd(htmlentities($_GET["cs"])) : NULL;
+    sanitize($_GET["cs"]) : NULL;
 $user['ce'] = isset($_GET["ce"]) ?
-    escapeshellcmd(htmlentities($_GET["ce"])) : NULL;
+    sanitize($_GET["ce"]) : NULL;
 # Custom step, primarily for use in exporting the raw data from graph.php
 $user['step'] = isset($_GET["step"]) ?
     clean_number( $_GET["step"] ) : NULL;
 # The direction we are travelling in the grid tree
 $user['gridwalk'] = isset($_GET["gw"]) ?
-    escapeshellcmd( clean_string( $_GET["gw"] ) ) : NULL;
+    sanitize($_GET["gw"]) : NULL;
 # Size of the host graphs in the cluster view
 $user['clustergraphsize'] = isset($_GET["z"]) && in_array( $_GET[ 'z' ], $conf['graph_sizes_keys'] ) ?
-    escapeshellcmd($_GET["z"]) : NULL;
+    sanitize($_GET["z"]) : NULL;
 # A stack of grid parents. Prefer a GET variable, default to cookie.
 if (isset($_GET["gs"]) and $_GET["gs"])
     $user['gridstack'] = explode( ">", rawurldecode( $_GET["gs"] ) );
@@ -80,13 +80,13 @@
 
 if (isset($user['gridstack']) and $user['gridstack']) {
    foreach( $user['gridstack'] as $key=>$value )
-      $user['gridstack'][ $key ] = clean_string( $value );
+      $user['gridstack'][ $key ] = sanitize( $value );
 }
 
 /////////////////////////////////////////////////////////////////////////////
 // Used with to limit hosts shown
 if ( isset($_GET['host_regex']) )
-  $user['host_regex'] = $_GET['host_regex'];
+  $user['host_regex'] = sanitize ($_GET['host_regex']);
 
 if ( isset($_GET['max_graphs']) && is_numeric($_GET['max_graphs'] ) )
   $user['max_graphs'] = $_GET['max_graphs'];
@@ -117,8 +117,8 @@
   $user['choose_filter'] = array();
   foreach($req_choose_filter as $k_req => $v_req)
   {
-    $k = escapeshellcmd( clean_string( rawurldecode ($k_req)));
-    $v = escapeshellcmd( clean_string( rawurldecode ($v_req)));
+    $k = sanitize ($k_req);
+    $v = sanitize ($v_req);
     $user['choose_filter'][$k] = $v;
   }
 }

metric_group_view.php

@@ -111,9 +111,9 @@ function getMetricGroup($metrics,
 if ($ce)
   $baseGraphArgs .= "&ce=" . rawurlencode($ce);
 if (isset($_GET['event']))
-  $baseGraphArgs .= "&event=" . $_GET['event'];
+  $baseGraphArgs .= "&event=" . rawurlencode($_GET['event']);
 if (isset($_GET['ts']))
-  $baseGraphArgs .= "&ts=" . $_GET['ts'];
+  $baseGraphArgs .= "&ts=" . rawurlencode($_GET['ts']);
 
 getMetricGroup($metrics,
 	       $metric_group,

nagios/check_for_stuck_gmonds.php

@@ -17,11 +17,6 @@
 
 $ignore_host_reg = "";
 
-# Sometimes we want to ignore certain hosts. If so supply them as a regex
-if ( isset($_GET['ignore_host_reg'])  ) {
-   $ignore_host_reg = $_GET['ignore_host_reg'];
-} 
-
 include_once $conf['gweb_root'] . "/eval_conf.php";
 
 # To turn on debug set to 1
@@ -31,6 +26,13 @@
 include_once $conf['gweb_root'] . "/functions.php";
 include_once $conf['gweb_root'] . "/ganglia.php";
 include_once $conf['gweb_root'] . "/get_ganglia.php";
+
+
+# Sometimes we want to ignore certain hosts. If so supply them as a regex
+if ( isset($_GET['ignore_host_reg'])  ) {
+   $ignore_host_reg = sanitize($_GET['ignore_host_reg']);
+} 
+
 # Massage the metrics to minimize the cache file by caching only attributes
 # we care about
 $stuck_gmond_hosts = array();

nagios/check_heartbeat.php

@@ -15,13 +15,14 @@
 $conf['gweb_root'] = dirname(dirname(__FILE__));
 
 include_once $conf['gweb_root'] . "/eval_conf.php";
+include_once $conf['gweb_root'] . "/functions.php";
 
 # To turn on debug set to 1
 $debug = 0;
 
 if ( isset($_GET['host']) ) {
-   $host = $_GET['host'];
-   $threshold = isset($_GET['threshold']) ? $_GET['threshold'] : 25;
+   $host = sanitize($_GET['host']);
+   $threshold = isset($_GET['threshold']) && is_numeric($_GET['threshold']) ? $_GET['threshold'] : 25;
 } else {
    die("You need to supply host and if you'd like threshold");
 }
@@ -64,18 +65,17 @@
   unset($new_metrics);
 
 }
-
 # Get a list of all hosts
 $ganglia_hosts_array = array_keys($metrics);
 $host_found = 0;
 
 # Find a FQDN of a supplied server name.
 foreach ( $ganglia_hosts_array as $ganglia_host ) {
- if ( strpos(  $ganglia_hosts, $host ) !== false  ) {
- $fqdn = $ganglia_host;
- $host_found = 1;
- break;
- }
+  if ( strpos(  $ganglia_host, $host ) !== false  ) {
+    $fqdn = $ganglia_host;
+    $host_found = 1;
+    break;
+  }
 }
 
 # Host has been found in the Ganglia tree

nagios/check_host_regex.php

@@ -24,15 +24,16 @@
 $conf['gweb_root'] = dirname(dirname(__FILE__));
 
 include_once $conf['gweb_root'] . "/eval_conf.php";
+include_once $conf['gweb_root'] . "/functions.php";
 
 # To turn on debug set to 1
 $debug = $_GET['debug'];
 
 if ( isset($_GET['hreg']) && isset($_GET['checks']) ) {
-   $host_reg = $_GET['hreg'];
+   $host_reg = sanitize($_GET['hreg']);
    # Checks are : delimited
    $ignore_unknowns = isset($_GET['ignore_unknowns']) && $_GET['ignore_unknowns'] == 1 ? 1 : 0;
-   $checks = explode(":", $_GET['checks']);
+   $checks = explode(":", sanitize($_GET['checks']));
 } else {
    die("You need to supply hreg (host regex) and list of checks of format metrics,operator,critical value. Multiple checks can be supplied separated using a colon");
 }

nagios/check_metric.php

@@ -14,15 +14,16 @@
 $conf['gweb_root'] = dirname(dirname(__FILE__));
 
 include_once $conf['gweb_root'] . "/eval_conf.php";
+include_once $conf['gweb_root'] . "/functions.php";
 
 # To turn on debug set to 1
 $debug = 0;
 
 if ( isset($_GET['host']) && isset($_GET['metric_name']) && isset($_GET['operator']) && isset($_GET['critical_value']) ) {
-   $host = $_GET['host'];
-   $metric_name = $_GET['metric_name'];
-   $operator = $_GET['operator'];
-   $critical_value = $_GET['critical_value'];
+   $host = sanitize($_GET['host']);
+   $metric_name = sanitize($_GET['metric_name']);
+   $operator = sanitize($_GET['operator']);
+   $critical_value = sanitize($_GET['critical_value']);
 } else {
    die("You need to supply host, metric_name, operator and critical_value");
 }
@@ -47,7 +48,6 @@
 		  error_log("DEBUG: Querying GMond for new data\n");
   }
   $context = "cluster";
-  include_once $conf['gweb_root'] . "/functions.php";
   include_once $conf['gweb_root'] . "/ganglia.php";
   include_once $conf['gweb_root'] . "/get_ganglia.php";
   # Massage the metrics to minimize the cache file by caching only attributes

nagios/check_metric_regex.php

@@ -24,14 +24,15 @@
 $conf['gweb_root'] = dirname(dirname(__FILE__));
 
 include_once $conf['gweb_root'] . "/eval_conf.php";
+include_once $conf['gweb_root'] . "/functions.php";
 
 # To turn on debug set to 1
 $debug = 0;
 
 if ( isset($_GET['hreg']) && isset($_GET['checks']) ) {
-   $host_reg = $_GET['hreg'];
+   $host_reg = sanitize($_GET['hreg']);
    # Checks are : delimited
-   $checks = explode(":", $_GET['checks']);
+   $checks = explode(":", sanitize($_GET['checks']));
 } else {
    die("You need to supply hreg (host regex) and list of checks of format metrics,operator,critical value. Multiple checks can be supplied separated using a colon");
 }

nagios/check_multiple_metrics.php

@@ -24,14 +24,15 @@
 $conf['gweb_root'] = dirname(dirname(__FILE__));
 
 include_once $conf['gweb_root'] . "/eval_conf.php";
+include_once $conf['gweb_root'] . "/functions.php";
 
 # To turn on debug set to 1
 $debug = 0;
 
 if ( isset($_GET['host']) && isset($_GET['checks']) ) {
-   $host = $_GET['host'];
+   $host = sanitize($_GET['host']);
    # Checks are : delimited
-   $checks = explode(":", $_GET['checks']);
+   $checks = explode(":", sanitize($_GET['checks']));
 } else {
    die("You need to supply host and list of checks");
 }
@@ -81,11 +82,11 @@
 
 # Find a FQDN of a supplied server name.
 foreach ( $ganglia_hosts_array as $ganglia_host ) {
- if ( strpos(  $ganglia_hosts, $host ) !== false  ) {
- $fqdn = $ganglia_host;
- $host_found = 1;
- break;
- }
+  if ( strpos(  $ganglia_host, $host ) !== false  ) {
+    $fqdn = $ganglia_host;
+    $host_found = 1;
+    break;
+  }
 }
 
 # Host has been found in the Ganglia tree
@@ -134,5 +135,3 @@
    echo("UNKNOWN|" . $host . " - Hostname info not available. Likely invalid hostname");
    exit(3);
 }
-
-?>

nagios/check_multiple_metrics_warn.php

@@ -24,14 +24,15 @@
 $conf['gweb_root'] = dirname(dirname(__FILE__));
 
 include_once $conf['gweb_root'] . "/eval_conf.php";
+include_once $conf['gweb_root'] . "/functions.php";
 
 # To turn on debug set to 1
 $debug = 0;
 
 if ( isset($_GET['host']) && isset($_GET['checks']) ) {
-   $host = $_GET['host'];
+   $host = sanitize($_GET['host']);
    # Checks are : delimited
-   $checks = explode(":", $_GET['checks']);
+   $checks = explode(":", sanitize($_GET['checks']));
 } else {
    die("You need to supply host and list of checks");
 }
@@ -81,11 +82,11 @@
 
 # Find a FQDN of a supplied server name.
 foreach ( $ganglia_hosts_array as $ganglia_host ) {
- if ( strpos(  $ganglia_hosts, $host ) !== false  ) {
- $fqdn = $ganglia_host;
- $host_found = 1;
- break;
- }
+  if ( strpos(  $ganglia_host, $host ) !== false  ) {
+    $fqdn = $ganglia_host;
+    $host_found = 1;
+    break;
+  }
 }
 
 # Host has been found in the Ganglia tree
@@ -144,5 +145,3 @@
    echo("UNKNOWN|System check - " . $host. " - Hostname info not available. Likely invalid hostname");
    exit(3);
 }
-
-?>