From 59cc65411f02c7e39a270fda3ecb4966d7b48d41 Mon Sep 17 00:00:00 2001
From: Matthew Noorenberghe <github@matthew.noorenberghe.com>
Date: Wed, 23 Jan 2019 19:40:38 -0800
Subject: [PATCH 1/2] plugin.php: Fix XSS and directory traversal bugs. Fixes
 #2436

This view seems like dead code so maybe it should be removed instead.
---
 web/skins/classic/views/plugin.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/web/skins/classic/views/plugin.php b/web/skins/classic/views/plugin.php
index 7b4cf85ca..814416058 100644
--- a/web/skins/classic/views/plugin.php
+++ b/web/skins/classic/views/plugin.php
@@ -36,7 +36,8 @@ if ( $zid > 0 ) {
    return;
 }
 $monitor = dbFetchMonitor ( $mid );
-$plugin = $_REQUEST['pl'];
+// Only allow certain filename characters (not including a period) to prevent directory traversal.
+$plugin = preg_replace('/[^-a-zA-Z0-9]/', '', $_REQUEST['pl']);
 
 $plugin_path = dirname(ZM_PLUGINS_CONFIG_PATH)."/".$plugin;
 
@@ -103,7 +104,7 @@ function pLang($name)
 <body>
   <div id="page">
     <div id="header">
-      <h2><?php echo translate('Monitor') ?> <?php echo $monitor['Name'] ?> - <?php echo translate('Zone') ?> <?php echo $newZone['Name'] ?> - <?php echo translate('Plugin') ?> <?php echo $plugin ?></h2>
+      <h2><?php echo translate('Monitor') ?> <?php echo $monitor['Name'] ?> - <?php echo translate('Zone') ?> <?php echo $newZone['Name'] ?> - <?php echo translate('Plugin') ?> <?php echo validHtmlStr($plugin) ?></h2>
     </div>
     <div id="content">
       <form name="pluginForm" id="pluginForm" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>">
@@ -111,7 +112,7 @@ function pLang($name)
         <input type="hidden" name="action" value="plugin"/>
         <input type="hidden" name="mid" value="<?php echo $mid ?>"/>
         <input type="hidden" name="zid" value="<?php echo $zid ?>"/>
-        <input type="hidden" name="pl" value="<?php echo $plugin ?>"/>
+        <input type="hidden" name="pl" value="<?php echo validHtmlStr($plugin) ?>"/>
 
         <div id="settingsPanel">
           <table id="pluginSettings" cellspacing="0">

From 47d8c9b066daeaded6f3f658555409e01bfc1ff7 Mon Sep 17 00:00:00 2001
From: Matthew Noorenberghe <github@matthew.noorenberghe.com>
Date: Wed, 23 Jan 2019 19:45:57 -0800
Subject: [PATCH 2/2] plugin.php: Remove undefined onclick function reference
 and enforce CSP

Also fix tag closing.
---
 web/includes/functions.php         | 1 +
 web/skins/classic/views/plugin.php | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/web/includes/functions.php b/web/includes/functions.php
index 77cd1ca47..c5c17e17d 100644
--- a/web/includes/functions.php
+++ b/web/includes/functions.php
@@ -55,6 +55,7 @@ function CSPHeaders($view, $nonce) {
     case 'log':
     case 'logout':
     case 'options':
+    case 'plugin':
     case 'privacy':
     case 'storage':
     case 'version': {
diff --git a/web/skins/classic/views/plugin.php b/web/skins/classic/views/plugin.php
index 814416058..4f3b4ccf2 100644
--- a/web/skins/classic/views/plugin.php
+++ b/web/skins/classic/views/plugin.php
@@ -144,8 +144,9 @@ foreach($pluginOptions as $name => $popt)
                <?php
             }
             ?>
-               </td>
                   </select>
+               </td>
+
          <?php
          break;
       case "text":
@@ -159,7 +160,7 @@ foreach($pluginOptions as $name => $popt)
 ?>
             </tbody>
           </table>
-          <input type="submit" id="submitBtn" name="submitBtn" value="<?php echo translate('Save') ?>" onclick="return saveChanges( this )"<?php if (!canEdit( 'Monitors' ) || (false && $selfIntersecting)) { ?> disabled="disabled"<?php } ?>/>
+          <input type="submit" id="submitBtn" name="submitBtn" value="<?php echo translate('Save') ?>" <?php if (!canEdit( 'Monitors' ) || (false && $selfIntersecting)) { ?> disabled="disabled"<?php } ?>/>
           <input type="button" value="<?php echo translate('Cancel') ?>" data-on-click="closeWindow"/>
         </div>
       </form>