From bc9137bd93d73eaf6b468ef242803c72ded2bbbf Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Fri, 10 Apr 2020 11:10:13 -0400
Subject: [PATCH] defend against XSS in Monitor Name
---
.../classic/views/report_event_audit.php | 49 ++++++++++---------
1 file changed, 25 insertions(+), 24 deletions(-)
diff --git a/web/skins/classic/views/report_event_audit.php b/web/skins/classic/views/report_event_audit.php
index f3f508623..6cafaf67e 100644
--- a/web/skins/classic/views/report_event_audit.php
+++ b/web/skins/classic/views/report_event_audit.php
@@ -25,12 +25,12 @@ $filterbar = ob_get_contents();
ob_end_clean(); noCacheHeaders(); -xhtmlHeaders( __FILE__, translate('Console') ); +xhtmlHeaders( __FILE__, translate('Console')); if ( isset($_REQUEST['minTime']) ) { $minTime = validHtmlStr($_REQUEST['minTime']); } else { - $minTime = strftime('%FT%T',time() - (2*3600) ); + $minTime = strftime('%FT%T', time() - (2*3600)); } if ( isset($_REQUEST['maxTime']) ) { $maxTime = validHtmlStr($_REQUEST['maxTime']);
@@ -47,13 +47,13 @@ $filter = array( ), ); if ( count($selected_monitor_ids) ) { - $filter['Query']['terms'][] = (array('attr'=>'MonitorId', 'op'=>'IN', 'val'=>implode(',',$selected_monitor_ids), 'cnj'=>'and')); + $filter['Query']['terms'][] = (array('attr'=>'MonitorId', 'op'=>'IN', 'val'=>implode(',', $selected_monitor_ids), 'cnj'=>'and')); } else if ( ( $group_id != 0 || isset($_SESSION['ServerId']) || isset($_SESSION['StorageId']) || isset($_SESSION['Status']) ) ) { # this should be redundant - for ($i=0; $i < count($displayMonitors); $i++) { - if ($i == '0') { + for ( $i=0; $i < count($displayMonitors); $i++ ) { + if ( $i == 0 ) { $filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'and', 'obr'=>'1'); - } else if ($i == (count($displayMonitors)-1)) { + } else if ( $i == count($displayMonitors)-1 ) { $filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'or', 'cbr'=>'1'); } else { $filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'or');
@@ -70,11 +70,11 @@ $eventsSql = 'SELECT *, FROM Events AS E WHERE 1 > 0 '; -if ( ! empty($user['MonitorIds']) ) { +if ( !empty($user['MonitorIds']) ) { $eventsSql .= ' AND MonitorId IN ('.$user['MonitorIds'].')'; } if ( count($selected_monitor_ids) ) { - $eventsSql .= ' AND MonitorId IN (' . implode(',',$selected_monitor_ids).')'; + $eventsSql .= ' AND MonitorId IN ('.implode(',', $selected_monitor_ids).')'; } if ( isset($minTime) && isset($maxTime) ) { $eventsSql .= " AND EndTime > '" . $minTime . "' AND StartTime < '" . $maxTime . "'";
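Review bot: The last line of the -70 hunk, `$eventsSql .= " AND EndTime > '" . $minTime . "' AND StartTime < '" . $maxTime . "'";`, still builds SQL by concatenating `$minTime`/`$maxTime`, which the -25 hunk shows are taken from `$_REQUEST` and passed only through `validHtmlStr()` — an HTML-context escaper, not a SQL one, so the protection of this query rests on an escaping function chosen for a different context. Since the commit is about output escaping, this is the place to stop relying on it for SQL: validate both values as timestamps up front, e.g. `if ( !preg_match('/^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}$/', $minTime) ) { ... reject ... }`, or switch the clause to placeholders, `$eventsSql .= ' AND EndTime > ? AND StartTime < ?';` with the two values bound when the query is executed. The statement that runs `$eventsSql` is outside this hunk, so I cannot see which parameter-passing form the existing `dbQuery()` call would take.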
@@ -87,10 +87,10 @@ if ( !$result ) { return; } $EventsByMonitor = array(); -while( $event = $result->fetch(PDO::FETCH_ASSOC) ) { +while ( $event = $result->fetch(PDO::FETCH_ASSOC) ) { $Event = new ZM\Event($event); if ( ! isset($EventsByMonitor[$event['MonitorId']]) ) - $EventsByMonitor[$event['MonitorId']] = array( 'Events'=>array(), 'MinGap'=>0, 'MaxGap'=>0, 'FileMissing'=>array(), 'ZeroSize'=>array() ); + $EventsByMonitor[$event['MonitorId']] = array('Events'=>array(), 'MinGap'=>0, 'MaxGap'=>0, 'FileMissing'=>array(), 'ZeroSize'=>array()); if ( count($EventsByMonitor[$event['MonitorId']]['Events']) ) { $last_event = end($EventsByMonitor[$event['MonitorId']]['Events']);
@@ -103,7 +103,7 @@ while( $event = $result->fetch(PDO::FETCH_ASSOC) ) { $EventsByMonitor[$event['MonitorId']]['MaxGap'] = $gap; } # end if has previous events - if ( ! $Event->file_exists() ) { + if ( !$Event->file_exists() ) { $EventsByMonitor[$event['MonitorId']]['FileMissing'][] = $Event; } else if ( ! $Event->file_size() ) { $EventsByMonitor[$event['MonitorId']]['ZeroSize'][] = $Event;
@@ -122,8 +122,8 @@ while( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
- to - + to +
@@ -145,10 +145,10 @@ while( $event = $result->fetch(PDO::FETCH_ASSOC) ) { array( 'terms' => array( - array('attr'=>'Id','op'=>'IN', 'val'=>implode(',',array_map(function($Event){return $Event->Id();},$FileMissing))) + array('attr'=>'Id', 'op'=>'IN', 'val'=>implode(',', array_map(function($Event){return $Event->Id();}, $FileMissing))) ) ) );
@@ -188,7 +188,7 @@ for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) { $ZeroSize_filter = array( 'Query' => array( 'terms' => array( - array('attr'=>'Id','op'=>'IN', 'val'=>implode(',',array_map(function($Event){return $Event->Id();},$ZeroSize))) + array('attr'=>'Id', 'op'=>'IN', 'val'=>implode(',', array_map(function($Event){return $Event->Id();}, $ZeroSize))) ) ) );
@@ -198,27 +198,28 @@ for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
-
+
+
', array_map(function($group_id){ $Group = new ZM\Group($group_id); $Groups = $Group->Parents(); array_push($Groups, $Group); return implode(' > ', array_map(function($Group){ return ''.$Group->Name().''; }, $Groups )); - }, $Monitor->GroupIds() ) ); + }, $Monitor->GroupIds())); ?>
- Server()->Name()?> + Server()->Name())?> Id()])?count($EventsByMonitor[$Monitor->Id()]['Events']):0 ?> - link_to($FirstEvent->Id().' at ' . $FirstEvent->StartTime()) : 'none'?> - link_to($LastEvent->Id().' at ' . $LastEvent->StartTime()) : 'none'?> + link_to($FirstEvent->Id().' at '.$FirstEvent->StartTime()) : 'none'?> + link_to($LastEvent->Id().' at '.$LastEvent->StartTime()) : 'none'?> - '.count($FileMissing).'' : '0' ?> + '.count($FileMissing).'' : '0' ?> - '.count($ZeroSize).'' : '0' ?> + '.count($ZeroSize).'' : '0' ?>
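Review bot: The group breadcrumb inside the -198 hunk, the unchanged line `return ''.$Group->Name().'';` in the inner `array_map` closure, still writes the group name into the page unescaped, while the same hunk now wraps the monitor and server names in `validHtmlStr()`; a group name is operator-entered text just like a monitor name, so the XSS fix this commit makes is incomplete for this view. Change it to `return ''.validHtmlStr($Group->Name()).'';`, keeping the anchor markup around it (the tags are stripped in this listing) as it is. The `link_to()` cells and the count cells on the new side appear to emit only integers and event ids, so they look fine as far as is visible here; the table markup of this hunk continues past what is shown, so any further name cells there deserve the same check.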