head 1.2;
access;
symbols
OPENPKG_E1_MP:1.1
OPENPKG_E1_MP_HEAD:1.1
OPENPKG_2_STABLE_MP:1.2
OPENPKG_2_STABLE:1.1.0.2;
locks; strict;
comment @# @;
1.2
date 2007.01.18.07.43.25; author rse; state dead;
branches;
next 1.1;
commitid Ez95xWFTH7y3DX2s;
1.1
date 2007.01.01.19.44.03; author rse; state Exp;
branches
1.1.2.1;
next ;
commitid y797VPlO62b9aQ0s;
1.1.2.1
date 2007.01.01.19.44.03; author rse; state dead;
branches;
next 1.1.2.2;
commitid dfd0u851EkizaQ0s;
1.1.2.2
date 2007.01.01.19.45.16; author rse; state Exp;
branches;
next 1.1.2.3;
commitid dfd0u851EkizaQ0s;
1.1.2.3
date 2007.03.18.23.30.43; author thl; state dead;
branches;
next ;
commitid j886gsownDQWXCas;
desc
@@
1.2
log
@upgrading package: cacti 0.8.6i -> 0.8.6j
@
text
@Security Fixes
Index: cmd.php
--- cmd.php.orig 2006-10-09 05:06:01 +0200
+++ cmd.php 2007-01-01 20:27:32 +0100
@@@@ -26,8 +26,8 @@@@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
$start = date("Y-n-d H:i:s"); // for runtime measurement
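Review bot: The new guard on the `+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR']))` line infers "not a web request" from server variables that web SAPIs happen to populate, so it is a heuristic: a CLI wrapper that exports those names, or a web SAPI that omits them, is misclassified either way. PHP exposes the SAPI directly, and the robust form is `if (PHP_SAPI !== 'cli') { die("\nThis script is only meant to run at the command line."); }`, with the `argv` test kept as a secondary condition if desired (PHP_SAPI is available from PHP 4.2, which should be within this release's baseline — confirm against the package's PHP dependency). The same guard is added in the copy_cacti_user.php, poller.php, poller_commands.php, poller_export.php, poller_reindex_hosts.php, rebuild_poller_cache.php and script_server.php hunks, and the whole patch is carried again in the 1.1.2.2 branch text further down this file, so any change should be applied to every copy.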
@@@@ -70,25 +70,32 @@@@
$print_data_to_stdout = false;
if ($_SERVER["argc"] == "3") {
if ($_SERVER["argv"][1] <= $_SERVER["argv"][2]) {
- $hosts = db_fetch_assoc("select * from host where (disabled = '' and " .
- "id >= " .
- $_SERVER["argv"][1] .
- " and id <= " .
- $_SERVER["argv"][2] . ") ORDER by id");
+
+ /* address potential exploits */
+ input_validate_input_number($_SERVER["argv"][1]);
+ input_validate_input_number($_SERVER["argv"][2]);
+
+ $hosts = db_fetch_assoc("
+ SELECT * FROM host
+ WHERE (disabled = ''
+ AND id >= " . $_SERVER["argv"][1] . "
+ AND id <= " . $_SERVER["argv"][2] . ")
+ ORDER by id");
$hosts = array_rekey($hosts,"id",$host_struc);
$host_count = sizeof($hosts);
- $polling_items = db_fetch_assoc("SELECT * from poller_item " .
- "WHERE (host_id >= " .
- $_SERVER["argv"][1] .
- " and host_id <= " .
- $_SERVER["argv"][2] . ") ORDER by host_id");
-
- $script_server_calls = db_fetch_cell("SELECT count(*) from poller_item " .
- "WHERE (action=2 AND (host_id >= " .
- $_SERVER["argv"][1] .
- " and host_id <= " .
- $_SERVER["argv"][2] . "))");
+ $polling_items = db_fetch_assoc("
+ SELECT * from poller_item
+ WHERE (host_id >= " . $_SERVER["argv"][1] . "
+ AND host_id <= " . $_SERVER["argv"][2] . ")
+ ORDER by host_id");
+
+ $script_server_calls = db_fetch_cell("
+ SELECT count(*)
+ FROM poller_item
+ WHERE (action=2
+ AND (host_id >= " . $_SERVER["argv"][1] . "
+ AND host_id <= " . $_SERVER["argv"][2] . "))");
}else{
print "ERROR: Invalid Arguments. The first argument must be less than or equal to the first.\n";
print "USAGE: CMD.PHP [[first_host] [second_host]]\n";
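Review bot: The argv values are still concatenated unchanged into the three SQL strings (e.g. `AND id >= " . $_SERVER["argv"][1] . "`), so the queries' safety now rests entirely on `input_validate_input_number()`, whose definition is outside this patch; presumably that is Cacti's validation helper that aborts on non-numeric input, but whether it lets an empty string through should be confirmed before relying on it alone. Coercing at the use site removes the dependency: after the two validation calls add `$first_host = (int)$_SERVER["argv"][1];` and `$second_host = (int)$_SERVER["argv"][2];` and interpolate those locals in the `host` and both `poller_item` queries instead of the raw `$_SERVER` entries, so a non-integer can never reach the SQL text even if the helper changes. The enclosing `if ($_SERVER["argc"] == "3")` block continues past the end of the hunk. This hunk is repeated verbatim in the 1.1.2.2 branch text below, and the same change belongs there.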
Index: copy_cacti_user.php
--- copy_cacti_user.php.orig 2006-10-09 05:06:01 +0200
+++ copy_cacti_user.php 2007-01-01 20:27:32 +0100
@@@@ -25,9 +25,10 @@@@
*/
/* do NOT run this script through a web browser */
-if (! isset($_SERVER["argv"][0])) {
- die("This script is only meant to run at the command line.\n");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
+
if (empty($_SERVER["argv"][2])) {
die("\nSyntax:\n php copy_cacti_user.php \n\n");
}
Index: poller.php
--- poller.php.orig 2006-10-09 05:06:01 +0200
+++ poller.php 2007-01-01 20:27:32 +0100
@@@@ -26,8 +26,8 @@@@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
/* We are not talking to the browser */
Index: poller_commands.php
--- poller_commands.php.orig 2006-10-09 05:06:01 +0200
+++ poller_commands.php 2007-01-01 20:28:36 +0100
@@@@ -27,8 +27,8 @@@@
define("MAX_RECACHE_RUNTIME", 296);
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
/* We are not talking to the browser */
Index: poller_export.php
--- poller_export.php.orig 2006-10-09 05:06:01 +0200
+++ poller_export.php 2007-01-01 20:28:52 +0100
@@@@ -25,8 +25,8 @@@@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
/* We are not talking to the browser */
Index: poller_reindex_hosts.php
--- poller_reindex_hosts.php.orig 2006-10-09 05:06:01 +0200
+++ poller_reindex_hosts.php 2007-01-01 20:29:09 +0100
@@@@ -25,8 +25,8 @@@@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
ini_set("max_execution_time", "0");
Index: rebuild_poller_cache.php
--- rebuild_poller_cache.php.orig 2006-10-09 05:06:01 +0200
+++ rebuild_poller_cache.php 2007-01-01 20:29:34 +0100
@@@@ -25,8 +25,8 @@@@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
$no_http_headers = true;
Index: script_server.php
--- script_server.php.orig 2006-10-09 05:06:01 +0200
+++ script_server.php 2007-01-01 20:27:32 +0100
@@@@ -26,9 +26,8 @@@@
$no_http_headers = true;
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
- exit(-1);
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
/* define STDOUT/STDIN file descriptors if not running under CLI */
@
1.1
log
@Security Fixes
@
text
@@
1.1.2.1
log
@file cacti.patch was added on branch OPENPKG_2_STABLE on 2007-01-01 19:45:16 +0000
@
text
@d1 166
@
1.1.2.2
log
@MFC: Security Fixes
@
text
@a0 166
Security Fixes
Index: cmd.php
--- cmd.php.orig 2006-10-09 05:06:01 +0200
+++ cmd.php 2007-01-01 20:27:32 +0100
@@@@ -26,8 +26,8 @@@@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
$start = date("Y-n-d H:i:s"); // for runtime measurement
@@@@ -70,25 +70,32 @@@@
$print_data_to_stdout = false;
if ($_SERVER["argc"] == "3") {
if ($_SERVER["argv"][1] <= $_SERVER["argv"][2]) {
- $hosts = db_fetch_assoc("select * from host where (disabled = '' and " .
- "id >= " .
- $_SERVER["argv"][1] .
- " and id <= " .
- $_SERVER["argv"][2] . ") ORDER by id");
+
+ /* address potential exploits */
+ input_validate_input_number($_SERVER["argv"][1]);
+ input_validate_input_number($_SERVER["argv"][2]);
+
+ $hosts = db_fetch_assoc("
+ SELECT * FROM host
+ WHERE (disabled = ''
+ AND id >= " . $_SERVER["argv"][1] . "
+ AND id <= " . $_SERVER["argv"][2] . ")
+ ORDER by id");
$hosts = array_rekey($hosts,"id",$host_struc);
$host_count = sizeof($hosts);
- $polling_items = db_fetch_assoc("SELECT * from poller_item " .
- "WHERE (host_id >= " .
- $_SERVER["argv"][1] .
- " and host_id <= " .
- $_SERVER["argv"][2] . ") ORDER by host_id");
-
- $script_server_calls = db_fetch_cell("SELECT count(*) from poller_item " .
- "WHERE (action=2 AND (host_id >= " .
- $_SERVER["argv"][1] .
- " and host_id <= " .
- $_SERVER["argv"][2] . "))");
+ $polling_items = db_fetch_assoc("
+ SELECT * from poller_item
+ WHERE (host_id >= " . $_SERVER["argv"][1] . "
+ AND host_id <= " . $_SERVER["argv"][2] . ")
+ ORDER by host_id");
+
+ $script_server_calls = db_fetch_cell("
+ SELECT count(*)
+ FROM poller_item
+ WHERE (action=2
+ AND (host_id >= " . $_SERVER["argv"][1] . "
+ AND host_id <= " . $_SERVER["argv"][2] . "))");
}else{
print "ERROR: Invalid Arguments. The first argument must be less than or equal to the first.\n";
print "USAGE: CMD.PHP [[first_host] [second_host]]\n";
Index: copy_cacti_user.php
--- copy_cacti_user.php.orig 2006-10-09 05:06:01 +0200
+++ copy_cacti_user.php 2007-01-01 20:27:32 +0100
@@@@ -25,9 +25,10 @@@@
*/
/* do NOT run this script through a web browser */
-if (! isset($_SERVER["argv"][0])) {
- die("This script is only meant to run at the command line.\n");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
+
if (empty($_SERVER["argv"][2])) {
die("\nSyntax:\n php copy_cacti_user.php \n\n");
}
Index: poller.php
--- poller.php.orig 2006-10-09 05:06:01 +0200
+++ poller.php 2007-01-01 20:27:32 +0100
@@@@ -26,8 +26,8 @@@@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
/* We are not talking to the browser */
Index: poller_commands.php
--- poller_commands.php.orig 2006-10-09 05:06:01 +0200
+++ poller_commands.php 2007-01-01 20:28:36 +0100
@@@@ -27,8 +27,8 @@@@
define("MAX_RECACHE_RUNTIME", 296);
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
/* We are not talking to the browser */
Index: poller_export.php
--- poller_export.php.orig 2006-10-09 05:06:01 +0200
+++ poller_export.php 2007-01-01 20:28:52 +0100
@@@@ -25,8 +25,8 @@@@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
/* We are not talking to the browser */
Index: poller_reindex_hosts.php
--- poller_reindex_hosts.php.orig 2006-10-09 05:06:01 +0200
+++ poller_reindex_hosts.php 2007-01-01 20:29:09 +0100
@@@@ -25,8 +25,8 @@@@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
ini_set("max_execution_time", "0");
Index: rebuild_poller_cache.php
--- rebuild_poller_cache.php.orig 2006-10-09 05:06:01 +0200
+++ rebuild_poller_cache.php 2007-01-01 20:29:34 +0100
@@@@ -25,8 +25,8 @@@@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
$no_http_headers = true;
Index: script_server.php
--- script_server.php.orig 2006-10-09 05:06:01 +0200
+++ script_server.php 2007-01-01 20:27:32 +0100
@@@@ -26,9 +26,8 @@@@
$no_http_headers = true;
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("
This script is only meant to run at the command line.");
- exit(-1);
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("
This script is only meant to run at the command line.");
}
/* define STDOUT/STDIN file descriptors if not running under CLI */
@
1.1.2.3
log
@MFC: make up leeway for 2_STABLE by virtue of build-time results
@
text
@@