defend against XSS in Monitor Name

Isaac Connor 2020-04-10 11:10:13 -04:00
parent 0f91797d85
commit bc9137bd93
1 changed files with 25 additions and 24 deletions


@ -25,12 +25,12 @@ $filterbar = ob_get_contents();
ob_end_clean();
noCacheHeaders();
xhtmlHeaders( __FILE__, translate('Console') );
xhtmlHeaders( __FILE__, translate('Console'));
if ( isset($_REQUEST['minTime']) ) {
$minTime = validHtmlStr($_REQUEST['minTime']);
} else {
$minTime = strftime('%FT%T',time() - (2*3600) );
$minTime = strftime('%FT%T', time() - (2*3600));
}
if ( isset($_REQUEST['maxTime']) ) {
$maxTime = validHtmlStr($_REQUEST['maxTime']);
@ -47,13 +47,13 @@ $filter = array(
),
);
if ( count($selected_monitor_ids) ) {
$filter['Query']['terms'][] = (array('attr'=>'MonitorId', 'op'=>'IN', 'val'=>implode(',',$selected_monitor_ids), 'cnj'=>'and'));
$filter['Query']['terms'][] = (array('attr'=>'MonitorId', 'op'=>'IN', 'val'=>implode(',', $selected_monitor_ids), 'cnj'=>'and'));
} else if ( ( $group_id != 0 || isset($_SESSION['ServerId']) || isset($_SESSION['StorageId']) || isset($_SESSION['Status']) ) ) {
# this should be redundant
for ($i=0; $i < count($displayMonitors); $i++) {
if ($i == '0') {
for ( $i=0; $i < count($displayMonitors); $i++ ) {
if ( $i == 0 ) {
$filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'and', 'obr'=>'1');
} else if ($i == (count($displayMonitors)-1)) {
} else if ( $i == count($displayMonitors)-1 ) {
$filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'or', 'cbr'=>'1');
} else {
$filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'or');
@ -70,11 +70,11 @@ $eventsSql = 'SELECT *,
FROM Events AS E
WHERE 1 > 0
';
if ( ! empty($user['MonitorIds']) ) {
if ( !empty($user['MonitorIds']) ) {
$eventsSql .= ' AND MonitorId IN ('.$user['MonitorIds'].')';
}
if ( count($selected_monitor_ids) ) {
$eventsSql .= ' AND MonitorId IN (' . implode(',',$selected_monitor_ids).')';
$eventsSql .= ' AND MonitorId IN ('.implode(',', $selected_monitor_ids).')';
}
if ( isset($minTime) && isset($maxTime) ) {
$eventsSql .= " AND EndTime > '" . $minTime . "' AND StartTime < '" . $maxTime . "'";
@ -87,10 +87,10 @@ if ( !$result ) {
return;
}
$EventsByMonitor = array();
while( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
while ( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
$Event = new ZM\Event($event);
if ( ! isset($EventsByMonitor[$event['MonitorId']]) )
$EventsByMonitor[$event['MonitorId']] = array( 'Events'=>array(), 'MinGap'=>0, 'MaxGap'=>0, 'FileMissing'=>array(), 'ZeroSize'=>array() );
$EventsByMonitor[$event['MonitorId']] = array('Events'=>array(), 'MinGap'=>0, 'MaxGap'=>0, 'FileMissing'=>array(), 'ZeroSize'=>array());
if ( count($EventsByMonitor[$event['MonitorId']]['Events']) ) {
$last_event = end($EventsByMonitor[$event['MonitorId']]['Events']);
@ -103,7 +103,7 @@ while( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
$EventsByMonitor[$event['MonitorId']]['MaxGap'] = $gap;
} # end if has previous events
if ( ! $Event->file_exists() ) {
if ( !$Event->file_exists() ) {
$EventsByMonitor[$event['MonitorId']]['FileMissing'][] = $Event;
} else if ( ! $Event->file_size() ) {
$EventsByMonitor[$event['MonitorId']]['ZeroSize'][] = $Event;
@ -122,8 +122,8 @@ while( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
<?php echo $filterbar ?>
<div id="DateTimeDiv">
<label>Event Start Time</label>
<input type="text" name="minTime" id="minTime" value="<?php echo preg_replace('/T/', ' ', $minTime ) ?>" oninput="this.form.submit();"/> to
<input type="text" name="maxTime" id="maxTime" value="<?php echo preg_replace('/T/', ' ', $maxTime ) ?>" oninput="this.form.submit();"/>
<input type="text" name="minTime" id="minTime" value="<?php echo preg_replace('/T/', ' ', $minTime) ?>" oninput="this.form.submit();"/> to
<input type="text" name="maxTime" id="maxTime" value="<?php echo preg_replace('/T/', ' ', $maxTime) ?>" oninput="this.form.submit();"/>
</div>
</div><!--FilterBar-->
@ -145,10 +145,10 @@ while( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
</thead>
<tbody>
<?php
for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
for ( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
$monitor = $displayMonitors[$monitor_i];
$Monitor = new ZM\Monitor($monitor);
$montagereview_link = "?view=montagereview&live=0&MonitorId=". $monitor['Id'] . '&minTime='.$minTime.'&maxTime='.$maxTime;
$montagereview_link = '?view=montagereview&live=0&MonitorId='.$monitor['Id'].'&minTime='.$minTime.'&maxTime='.$maxTime;
$monitor_filter = addFilterTerm(
$filter,
@ -178,7 +178,7 @@ for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
$FileMissing_filter = array(
'Query' => array(
'terms' => array(
array('attr'=>'Id','op'=>'IN', 'val'=>implode(',',array_map(function($Event){return $Event->Id();},$FileMissing)))
array('attr'=>'Id', 'op'=>'IN', 'val'=>implode(',', array_map(function($Event){return $Event->Id();}, $FileMissing)))
)
)
);
@ -188,7 +188,7 @@ for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
$ZeroSize_filter = array(
'Query' => array(
'terms' => array(
array('attr'=>'Id','op'=>'IN', 'val'=>implode(',',array_map(function($Event){return $Event->Id();},$ZeroSize)))
array('attr'=>'Id', 'op'=>'IN', 'val'=>implode(',', array_map(function($Event){return $Event->Id();}, $ZeroSize)))
)
)
);
@ -198,27 +198,28 @@ for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
<tr id="<?php echo 'monitor_id-'.$monitor['Id'] ?>" title="<?php echo $monitor['Id'] ?>">
<td class="colId"><a href="<?php echo $montagereview_link ?>"><?php echo $monitor['Id'] ?></a></td>
<td class="colName">
<a href="<?php echo $montagereview_link ?>"><?php echo $monitor['Name'] ?></a><br/><div class="small text-nowrap text-muted">
<a href="<?php echo $montagereview_link ?>"><?php echo validHtmlStr($monitor['Name']) ?></a><br/>
<div class="small text-nowrap text-muted">
<?php echo implode('<br/>',
array_map(function($group_id){
$Group = new ZM\Group($group_id);
$Groups = $Group->Parents();
array_push($Groups, $Group);
return implode(' &gt; ', array_map(function($Group){ return '<a href="?view=montagereview&GroupId='.$Group->Id().'">'.$Group->Name().'</a>'; }, $Groups ));
}, $Monitor->GroupIds() ) );
}, $Monitor->GroupIds()));
?>
</div></td>
<td class="colServer"><?php echo $Monitor->Server()->Name()?></td>
<td class="colServer"><?php echo validHtmlStr($Monitor->Server()->Name())?></td>
<td class="colEvents"><a href="?view=<?php echo ZM_WEB_EVENTS_VIEW ?>&amp;page=1<?php echo $monitor_filter['query'] ?>"><?php echo isset($EventsByMonitor[$Monitor->Id()])?count($EventsByMonitor[$Monitor->Id()]['Events']):0 ?></a></td>
<td class="colFirstEvent"><?php echo $FirstEvent ? $FirstEvent->link_to($FirstEvent->Id().' at ' . $FirstEvent->StartTime()) : 'none'?></td>
<td class="colLastEvent"><?php echo $LastEvent ? $LastEvent->link_to($LastEvent->Id().' at ' . $LastEvent->StartTime()) : 'none'?></td>
<td class="colFirstEvent"><?php echo $FirstEvent ? $FirstEvent->link_to($FirstEvent->Id().' at '.$FirstEvent->StartTime()) : 'none'?></td>
<td class="colLastEvent"><?php echo $LastEvent ? $LastEvent->link_to($LastEvent->Id().' at '.$LastEvent->StartTime()) : 'none'?></td>
<td class="colMinGap"><?php echo $MinGap ?></td>
<td class="colMaxGap"><?php echo $MaxGap ?></td>
<td class="colFileMissing<?php echo count($FileMissing) ? ' errorText' : ''?>">
<?php echo count($FileMissing) ? '<a href="?view='.ZM_WEB_EVENTS_VIEW .'&amp;page=1'.$FileMissing_filter['query'].'">'.count($FileMissing).'</a>' : '0' ?>
<?php echo count($FileMissing) ? '<a href="?view='.ZM_WEB_EVENTS_VIEW.'&amp;page=1'.$FileMissing_filter['query'].'">'.count($FileMissing).'</a>' : '0' ?>
</td>
<td class="colZeroSize<?php echo count($ZeroSize) ? ' errorText' : ''?>">
<?php echo count($ZeroSize) ? '<a href="?view='.ZM_WEB_EVENTS_VIEW .'&amp;page=1'.$ZeroSize_filter['query'].'">'.count($ZeroSize).'</a>' : '0' ?>
<?php echo count($ZeroSize) ? '<a href="?view='.ZM_WEB_EVENTS_VIEW.'&amp;page=1'.$ZeroSize_filter['query'].'">'.count($ZeroSize).'</a>' : '0' ?>
</td>
</tr>
<?php
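Review bot: The group breadcrumb in the same `colName` cell still emits `$Group->Name()` unescaped (the context line building `'<a href="?view=montagereview&GroupId='.$Group->Id().'">'.$Group->Name().'</a>'`), so the stored-XSS sink this commit closes for the monitor name remains open for group names, which are the same class of operator-supplied data. The fix is the same wrapper the commit applies two lines above: `'<a href="?view=montagereview&GroupId='.$Group->Id().'">'.validHtmlStr($Group->Name()).'</a>'`. A related gap the commit does not touch is in the `$eventsSql` hunk, where `$minTime`/`$maxTime` (request-derived, passed only through `validHtmlStr`) are concatenated into the SQL string; HTML escaping is not SQL escaping, so those values should be bound parameters or validated against a strict datetime format before use. The enclosing `for ( $monitor_i ... )` loop starts in an earlier hunk and its body continues past this one.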