defend against XSS in Monitor Name
parent
0f91797d85
commit
bc9137bd93
@ -25,12 +25,12 @@ $filterbar = ob_get_contents();
ob_end_clean();
noCacheHeaders();
xhtmlHeaders( __FILE__, translate('Console') );
xhtmlHeaders( __FILE__, translate('Console'));
if ( isset($_REQUEST['minTime']) ) {
$minTime = validHtmlStr($_REQUEST['minTime']);
} else {
$minTime = strftime('%FT%T',time() - (2*3600) );
$minTime = strftime('%FT%T', time() - (2*3600));
}
if ( isset($_REQUEST['maxTime']) ) {
$maxTime = validHtmlStr($_REQUEST['maxTime']);
@ -47,13 +47,13 @@ $filter = array(
),
);
if ( count($selected_monitor_ids) ) {
$filter['Query']['terms'][] = (array('attr'=>'MonitorId', 'op'=>'IN', 'val'=>implode(',',$selected_monitor_ids), 'cnj'=>'and'));
$filter['Query']['terms'][] = (array('attr'=>'MonitorId', 'op'=>'IN', 'val'=>implode(',', $selected_monitor_ids), 'cnj'=>'and'));
} else if ( ( $group_id != 0 || isset($_SESSION['ServerId']) || isset($_SESSION['StorageId']) || isset($_SESSION['Status']) ) ) {
# this should be redundant
for ($i=0; $i < count($displayMonitors); $i++) {
if ($i == '0') {
for ( $i=0; $i < count($displayMonitors); $i++ ) {
if ( $i == 0 ) {
$filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'and', 'obr'=>'1');
} else if ($i == (count($displayMonitors)-1)) {
} else if ( $i == count($displayMonitors)-1 ) {
$filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'or', 'cbr'=>'1');
} else {
$filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'or');
@ -70,11 +70,11 @@ $eventsSql = 'SELECT *,
FROM Events AS E
WHERE 1 > 0
';
if ( ! empty($user['MonitorIds']) ) {
if ( !empty($user['MonitorIds']) ) {
$eventsSql .= ' AND MonitorId IN ('.$user['MonitorIds'].')';
}
if ( count($selected_monitor_ids) ) {
$eventsSql .= ' AND MonitorId IN (' . implode(',',$selected_monitor_ids).')';
$eventsSql .= ' AND MonitorId IN ('.implode(',', $selected_monitor_ids).')';
}
if ( isset($minTime) && isset($maxTime) ) {
$eventsSql .= " AND EndTime > '" . $minTime . "' AND StartTime < '" . $maxTime . "'";
@ -87,10 +87,10 @@ if ( !$result ) {
return;
}
$EventsByMonitor = array();
while( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
while ( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
$Event = new ZM\Event($event);
if ( ! isset($EventsByMonitor[$event['MonitorId']]) )
$EventsByMonitor[$event['MonitorId']] = array( 'Events'=>array(), 'MinGap'=>0, 'MaxGap'=>0, 'FileMissing'=>array(), 'ZeroSize'=>array() );
$EventsByMonitor[$event['MonitorId']] = array('Events'=>array(), 'MinGap'=>0, 'MaxGap'=>0, 'FileMissing'=>array(), 'ZeroSize'=>array());
if ( count($EventsByMonitor[$event['MonitorId']]['Events']) ) {
$last_event = end($EventsByMonitor[$event['MonitorId']]['Events']);
@ -103,7 +103,7 @@ while( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
$EventsByMonitor[$event['MonitorId']]['MaxGap'] = $gap;
} # end if has previous events
if ( ! $Event->file_exists() ) {
if ( !$Event->file_exists() ) {
$EventsByMonitor[$event['MonitorId']]['FileMissing'][] = $Event;
} else if ( ! $Event->file_size() ) {
$EventsByMonitor[$event['MonitorId']]['ZeroSize'][] = $Event;
@ -122,8 +122,8 @@ while( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
<?php echo $filterbar ?>
<div id="DateTimeDiv">
<label>Event Start Time</label>
<input type="text" name="minTime" id="minTime" value="<?php echo preg_replace('/T/', ' ', $minTime ) ?>" oninput="this.form.submit();"/> to
<input type="text" name="maxTime" id="maxTime" value="<?php echo preg_replace('/T/', ' ', $maxTime ) ?>" oninput="this.form.submit();"/>
<input type="text" name="minTime" id="minTime" value="<?php echo preg_replace('/T/', ' ', $minTime) ?>" oninput="this.form.submit();"/> to
<input type="text" name="maxTime" id="maxTime" value="<?php echo preg_replace('/T/', ' ', $maxTime) ?>" oninput="this.form.submit();"/>
</div>
</div><!--FilterBar-->
@ -145,10 +145,10 @@ while( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
</thead>
<tbody>
<?php
for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
for ( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
$monitor = $displayMonitors[$monitor_i];
$Monitor = new ZM\Monitor($monitor);
$montagereview_link = "?view=montagereview&live=0&MonitorId=". $monitor['Id'] . '&minTime='.$minTime.'&maxTime='.$maxTime;
$montagereview_link = '?view=montagereview&live=0&MonitorId='.$monitor['Id'].'&minTime='.$minTime.'&maxTime='.$maxTime;
$monitor_filter = addFilterTerm(
$filter,
@ -178,7 +178,7 @@ for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
$FileMissing_filter = array(
'Query' => array(
'terms' => array(
array('attr'=>'Id','op'=>'IN', 'val'=>implode(',',array_map(function($Event){return $Event->Id();},$FileMissing)))
array('attr'=>'Id', 'op'=>'IN', 'val'=>implode(',', array_map(function($Event){return $Event->Id();}, $FileMissing)))
)
)
);
@ -188,7 +188,7 @@ for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
$ZeroSize_filter = array(
'Query' => array(
'terms' => array(
array('attr'=>'Id','op'=>'IN', 'val'=>implode(',',array_map(function($Event){return $Event->Id();},$ZeroSize)))
array('attr'=>'Id', 'op'=>'IN', 'val'=>implode(',', array_map(function($Event){return $Event->Id();}, $ZeroSize)))
)
)
);
@ -198,27 +198,28 @@ for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
<tr id="<?php echo 'monitor_id-'.$monitor['Id'] ?>" title="<?php echo $monitor['Id'] ?>">
<td class="colId"><a href="<?php echo $montagereview_link ?>"><?php echo $monitor['Id'] ?></a></td>
<td class="colName">
<a href="<?php echo $montagereview_link ?>"><?php echo $monitor['Name'] ?></a><br/><div class="small text-nowrap text-muted">
<a href="<?php echo $montagereview_link ?>"><?php echo validHtmlStr($monitor['Name']) ?></a><br/>
<div class="small text-nowrap text-muted">
<?php echo implode('<br/>',
array_map(function($group_id){
$Group = new ZM\Group($group_id);
$Groups = $Group->Parents();
array_push($Groups, $Group);
return implode(' > ', array_map(function($Group){ return '<a href="?view=montagereview&GroupId='.$Group->Id().'">'.$Group->Name().'</a>'; }, $Groups ));
}, $Monitor->GroupIds() ) );
}, $Monitor->GroupIds()));
?>
</div></td>
<td class="colServer"><?php echo $Monitor->Server()->Name()?></td>
<td class="colServer"><?php echo validHtmlStr($Monitor->Server()->Name())?></td>
<td class="colEvents"><a href="?view=<?php echo ZM_WEB_EVENTS_VIEW ?>&page=1<?php echo $monitor_filter['query'] ?>"><?php echo isset($EventsByMonitor[$Monitor->Id()])?count($EventsByMonitor[$Monitor->Id()]['Events']):0 ?></a></td>
<td class="colFirstEvent"><?php echo $FirstEvent ? $FirstEvent->link_to($FirstEvent->Id().' at ' . $FirstEvent->StartTime()) : 'none'?></td>
<td class="colLastEvent"><?php echo $LastEvent ? $LastEvent->link_to($LastEvent->Id().' at ' . $LastEvent->StartTime()) : 'none'?></td>
<td class="colFirstEvent"><?php echo $FirstEvent ? $FirstEvent->link_to($FirstEvent->Id().' at '.$FirstEvent->StartTime()) : 'none'?></td>
<td class="colLastEvent"><?php echo $LastEvent ? $LastEvent->link_to($LastEvent->Id().' at '.$LastEvent->StartTime()) : 'none'?></td>
<td class="colMinGap"><?php echo $MinGap ?></td>
<td class="colMaxGap"><?php echo $MaxGap ?></td>
<td class="colFileMissing<?php echo count($FileMissing) ? ' errorText' : ''?>">
<?php echo count($FileMissing) ? '<a href="?view='.ZM_WEB_EVENTS_VIEW .'&page=1'.$FileMissing_filter['query'].'">'.count($FileMissing).'</a>' : '0' ?>
<?php echo count($FileMissing) ? '<a href="?view='.ZM_WEB_EVENTS_VIEW.'&page=1'.$FileMissing_filter['query'].'">'.count($FileMissing).'</a>' : '0' ?>
</td>
<td class="colZeroSize<?php echo count($ZeroSize) ? ' errorText' : ''?>">
<?php echo count($ZeroSize) ? '<a href="?view='.ZM_WEB_EVENTS_VIEW .'&page=1'.$ZeroSize_filter['query'].'">'.count($ZeroSize).'</a>' : '0' ?>
<?php echo count($ZeroSize) ? '<a href="?view='.ZM_WEB_EVENTS_VIEW.'&page=1'.$ZeroSize_filter['query'].'">'.count($ZeroSize).'</a>' : '0' ?>
</td>
</tr>
<?php
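Review bot: The group-path links built on the `return implode(' > ', array_map(function($Group){ ... }, $Groups));` line of the last hunk still echo `$Group->Name()` raw into the same `<td class="colName">` that this commit escapes, so a group name carrying markup remains an HTML-injection vector right next to the now-escaped monitor name; escape it the same way, `'<a href="?view=montagereview&GroupId='.$Group->Id().'">'.validHtmlStr($Group->Name()).'</a>'`. Separately, `$minTime` and `$maxTime` come from `$_REQUEST`, are passed through `validHtmlStr()` (an HTML-context escape) and are then concatenated into `$eventsSql` at `AND EndTime > '...' AND StartTime < '...'` rather than bound as query parameters; whether that escape also neutralises SQL quoting depends on validHtmlStr's definition, which is outside this diff, so binding them through the query's parameter array would be the robust fix regardless. The enclosing `for ( $monitor_i = 0; ... )` loop body runs past the end of the last hunk.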