diff -ruBbd cacti-0.8.6i/cmd.php cacti-0.8.6i-patch/cmd.php
--- cacti-0.8.6i/cmd.php 2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/cmd.php 2007-01-01 12:27:15.328125000 -0500
@@ -26,7 +26,7 @@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
die("<br><strong>This script is only meant to run at the command line.</strong>");
}
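Review bot: The new guard on the `+if` line keys off `$_SERVER['REQUEST_METHOD']` and `$_SERVER['REMOTE_ADDR']`, which are populated by the web server rather than by PHP, so this is a heuristic for "served over HTTP" and the code should say why that was chosen over testing the SAPI name; the identical guard is introduced in copy_cacti_user.php, poller.php, poller_commands.php, poller_export.php, poller_reindex_hosts.php, rebuild_poller_cache.php and script_server.php, so one explanation at the first of them would cover all. The trailing context comment in the script_server.php hunk, about defining STDOUT/STDIN when not running under CLI, suggests these scripts are expected to run under a non-CLI binary from a scheduler, which would explain not using `PHP_SAPI === 'cli'` — I am inferring that from the comment alone. If that is the reason, record it next to the guard, e.g. `/* REQUEST_METHOD/REMOTE_ADDR are set by the web server; a CGI binary run from a scheduler sets neither, so the SAPI name alone is not a usable test here */`.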
@@ -70,6 +71,10 @@
$print_data_to_stdout = false;
if ($_SERVER["argc"] == "3") {
if ($_SERVER["argv"][1] <= $_SERVER["argv"][2]) {
+ /* address potential exploits */
+ input_validate_input_number($_SERVER["argv"][1]);
+ input_validate_input_number($_SERVER["argv"][2]);
+
$hosts = db_fetch_assoc("select * from host where (disabled = '' and " .
"id >= " .
$_SERVER["argv"][1] .
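Review bot: The two added `input_validate_input_number()` calls run only after `if ($_SERVER["argv"][1] <= $_SERVER["argv"][2])` has already compared the raw, unvalidated arguments, so a non-numeric pair is compared as strings before it is rejected; moving both calls above that `if` lets the comparison operate on values already known to be numeric. The arguments are still concatenated into the `db_fetch_assoc()` query that starts at `$hosts = db_fetch_assoc(...)`, so the validation is what makes that concatenation safe, and the comment would be clearer as `/* argv[1]/argv[2] are concatenated into the SQL below; reject anything non-numeric first */`. Both enclosing `if` blocks and the query itself continue past the end of the hunk. Separately, `$_SERVER["argc"] == "3"` is a loose comparison against a string where `=== 3` expresses the intent.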
diff -ruBbd cacti-0.8.6i/copy_cacti_user.php cacti-0.8.6i-patch/copy_cacti_user.php
--- cacti-0.8.6i/copy_cacti_user.php 2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/copy_cacti_user.php 2007-01-01 12:27:15.312500000 -0500
@@ -25,9 +25,10 @@
*/
/* do NOT run this script through a web browser */
-if (! isset($_SERVER["argv"][0])) {
- die("This script is only meant to run at the command line.\n");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
}
+
if (empty($_SERVER["argv"][2])) {
die("\nSyntax:\n php copy_cacti_user.php <template user> <new user>\n\n");
}
diff -ruBbd cacti-0.8.6i/include/html/inc_timespan_settings.php cacti-0.8.6i-patch/include/html/inc_timespan_settings.php
--- cacti-0.8.6i/include/html/inc_timespan_settings.php 2006-10-09 00:05:58.000000000 -0400
+++ cacti-0.8.6i-patch/include/html/inc_timespan_settings.php 2007-01-02 11:55:45.953125000 -0500
@@ -24,6 +24,20 @@
+-------------------------------------------------------------------------+
*/
+/* ================= input validation ================= */
+input_validate_input_number(get_request_var_request("predefined_timespan"));
+/* ==================================================== */
+
+/* clean up date1 string */
+if (isset($_REQUEST["date1"])) {
+ $_REQUEST["date1"] = sanitize_search_string(get_request_var("date1"));
+}
+
+/* clean up date2 string */
+if (isset($_REQUEST["date2"])) {
+ $_REQUEST["date2"] = sanitize_search_string(get_request_var("date2"));
+}
+
/* initialize the timespan array */
$timespan = array();
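Review bot: The added `date1`/`date2` clean-up applies `sanitize_search_string()`, a search-string helper, to values that are dates; a date is better validated against its expected shape and rejected when it does not match (a `strtotime()`/`checkdate()` or pattern check) than stripped of characters, because a stripped value can still be a malformed date that later code accepts. I cannot see from this hunk what `sanitize_search_string()` removes, so whether stripping is sufficient here depends on that helper. The hunk also reads `predefined_timespan` through `get_request_var_request()` but the dates through `get_request_var()`; if the two helpers read different superglobals, the sanitized value written back into `$_REQUEST` may not be the one later code consumes, which deserves a comment such as `/* NOTE: dates are read via get_request_var(); keep consistent with the $_REQUEST write-back */`. The rest of this include file, where the cleaned values are used, lies outside the hunk.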
diff -ruBbd cacti-0.8.6i/poller.php cacti-0.8.6i-patch/poller.php
--- cacti-0.8.6i/poller.php 2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/poller.php 2007-01-01 12:27:15.328125000 -0500
@@ -26,7 +26,7 @@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
die("<br><strong>This script is only meant to run at the command line.</strong>");
}
diff -ruBbd cacti-0.8.6i/poller_commands.php cacti-0.8.6i-patch/poller_commands.php
--- cacti-0.8.6i/poller_commands.php 2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/poller_commands.php 2007-01-01 12:27:15.328125000 -0500
@@ -27,7 +27,7 @@
define("MAX_RECACHE_RUNTIME", 296);
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
die("<br><strong>This script is only meant to run at the command line.</strong>");
}
diff -ruBbd cacti-0.8.6i/poller_export.php cacti-0.8.6i-patch/poller_export.php
--- cacti-0.8.6i/poller_export.php 2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/poller_export.php 2007-01-01 12:27:15.328125000 -0500
@@ -25,7 +25,7 @@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
die("<br><strong>This script is only meant to run at the command line.</strong>");
}
diff -ruBbd cacti-0.8.6i/poller_reindex_hosts.php cacti-0.8.6i-patch/poller_reindex_hosts.php
--- cacti-0.8.6i/poller_reindex_hosts.php 2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/poller_reindex_hosts.php 2007-01-01 12:27:15.328125000 -0500
@@ -25,7 +25,7 @@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
die("<br><strong>This script is only meant to run at the command line.</strong>");
}
diff -ruBbd cacti-0.8.6i/rebuild_poller_cache.php cacti-0.8.6i-patch/rebuild_poller_cache.php
--- cacti-0.8.6i/rebuild_poller_cache.php 2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/rebuild_poller_cache.php 2007-01-01 12:27:15.312500000 -0500
@@ -25,7 +25,7 @@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
die("<br><strong>This script is only meant to run at the command line.</strong>");
}
diff -ruBbd cacti-0.8.6i/script_server.php cacti-0.8.6i-patch/script_server.php
--- cacti-0.8.6i/script_server.php 2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/script_server.php 2007-01-01 12:27:15.312500000 -0500
@@ -26,9 +26,8 @@
$no_http_headers = true;
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
die("<br><strong>This script is only meant to run at the command line.</strong>");
- exit(-1);
}
/* define STDOUT/STDIN file descriptors if not running under CLI */
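Review bot: Dropping `exit(-1);` after `die("...")` removes a line that was already unreachable, but it also discards the only evidence that a non-zero exit status was intended: `die()` with a string argument prints it and exits with status 0. If anything invoking this script checks the status, the branch should be `echo "<br><strong>This script is only meant to run at the command line.</strong>"; exit(1);` instead — the context comment about defining STDOUT/STDIN when not under CLI suggests this script is launched by something other than an interactive shell, so a supervisor may well be looking at the status. The same `die()`-exits-0 behaviour holds for the matching guards added to the other files in this patch.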