Too many unpatched CVEs, and upstream is close to dead. See post on fedora-devel / epel-announce.

Ken Dreyer 2014-10-29 09:21:43 -06:00
parent 388543ca99
commit 59e6571194
20 changed files with 1 additions and 9756 deletions

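--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +0,0 @@
-cacti-0.8.7g.tar.gz
-/cacti-0.8.7h.tar.gz
-/cacti-0.8.7i.tar.gz
-/cacti-0.8.8.tar.gz
-/cacti-0.8.8a.tar.gz
-/cacti-0.8.8a-notreeview.tar.gz
-/cacti-0.8.8b-notreeview.tar.gz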

File diff suppressed because one or more lines are too long


@ -1,607 +0,0 @@
Description: treeview has a license issue, cacti upstream is going to replace it
with functionality from jquery.jstree.
.
This patch implements the changes needed for an upstream layout where the
necessary code is in cacti/include/js/jquery/ but the code in that path is
not included in this patch.
.
The necessary jquery scripts and theme info can come from cacti upstream and from
debian packages (libjs-jquery and libjs-jquery-cookie) The version used when
creating this patch can be found here:
http://svn.cacti.net/viewvc/cacti/branches/0.8.9/include/js/jquery/jquery.js?pathrev=7324
http://svn.cacti.net/viewvc/cacti/branches/0.8.9/include/js/jquery/jquery.jstree.js?pathrev=7324
http://svn.cacti.net/viewvc/cacti/branches/main/include/js/jquery/themes/default/?pathrev=7324
http://anonscm.debian.org/gitweb/?p=pkg-javascript/jquery-goodies.git;a=blob;f=cookie/jquery.cookie.js;hb=c50e1a2d599cb48893e8d77470e71e83e44dfdb5
.
This patch does NOT implement the changes needed for the Debian package of
cacti.
.
This patch was updated with the patch from Jan Zalesak <zalesak@jaw.cz> in
http://bugs.debian.org/702690 which was further improved to also cover
lib/graph_export.php and to keep tag alignment consistent.
Bug: http://bugs.cacti.net/view.php?id=2228
Bug-Debian: http://bugs.debian.org/679980
Author: Paul Gevers <elbrus@debian.org>
Date: Sun, 31 Mar 2013 11:59:05 +0200
--- a/include/top_graph_header.php
+++ b/include/top_graph_header.php
@@ -84,8 +84,9 @@
<link href="<?php echo $config['url_path']; ?>include/main.css" type="text/css" rel="stylesheet">
<link href="<?php echo $config['url_path']; ?>images/favicon.ico" rel="shortcut icon"/>
<script type="text/javascript" src="<?php echo $config['url_path']; ?>include/layout.js"></script>
- <script type="text/javascript" src="<?php echo $config['url_path']; ?>include/treeview/ua.js"></script>
- <script type="text/javascript" src="<?php echo $config['url_path']; ?>include/treeview/ftiens4.js"></script>
+ <script type="text/javascript" src="<?php echo $config['url_path']; ?>include/js/jquery/jquery.js" language="javascript"></script>
+ <script type="text/javascript" src="<?php echo $config['url_path']; ?>include/js/jquery/jquery.cookie.js" language="javascript"></script>
+ <script type="text/javascript" src="<?php echo $config['url_path']; ?>include/js/jquery/jquery.jstree.js"></script>
<script type="text/javascript" src="<?php echo $config['url_path']; ?>include/jscalendar/calendar.js"></script>
<script type="text/javascript" src="<?php echo $config['url_path']; ?>include/jscalendar/lang/calendar-en.js"></script>
<script type="text/javascript" src="<?php echo $config['url_path']; ?>include/jscalendar/calendar-setup.js"></script>
@@ -178,7 +179,6 @@
<td valign="top" style="padding: 5px; border-right: #aaaaaa 1px solid;background-repeat:repeat-y;background-color:#efefef;" bgcolor='#efefef' width='<?php print htmlspecialchars(read_graph_config_option("default_dual_pane_width"));?>' class='noprint'>
<table border=0 cellpadding=0 cellspacing=0><tr><td><a style="font-size:7pt;text-decoration:none;color:silver" href="http://www.treemenu.net/" target=_blank></a></td></tr></table>
<?php grow_dhtml_trees(); ?>
- <script type="text/javascript">initializeDocument();</script>
<?php if (isset($_GET["select_first"])) { ?>
<script type="text/javascript">
--- a/lib/graph_export.php
+++ b/lib/graph_export.php
@@ -1365,15 +1365,6 @@
/* create the treeview representation for the html data */
grow_dhtml_trees_export($fp,$tree_id);
- fwrite($fp,"<script type='text/javascript'>initializeDocument();</script>\n");
- fwrite($fp,"<script type='text/javascript'>\n");
- fwrite($fp,"var obj;\n");
- fwrite($fp,"obj = findObj(1);\n");
- fwrite($fp,"if (!obj.isOpen) {\n");
- fwrite($fp,"clickOnNode(1);\n");
- fwrite($fp,"}\n");
- fwrite($fp,"clickOnLink(2,'','main');\n");
- fwrite($fp,"</script>\n");
fwrite($fp,"</td>\n");
fwrite($fp,"<td valign='top'>\n");
}
@@ -1383,16 +1374,7 @@
include_once($config["library_path"] . "/tree.php");
include_once($config["library_path"] . "/data_query.php");
- fwrite($fp, "<script type='text/javascript'>\n");
- fwrite($fp, "<!--
- USETEXTLINKS = 1
- STARTALLOPEN = 0
- USEFRAMES = 0
- USEICONS = 0
- WRAPTEXT = 1
- ICONPATH = 'treeview/'
- PERSERVESTATE = 1
- HIGHLIGHT = 1\n");
+ fwrite($fp, "<div id=\"jtree\">\n");
if (read_config_option("export_tree_isolation") == "off") {
$dhtml_tree_base = 0;
@@ -1413,9 +1395,34 @@
}
}
- fwrite($fp,"foldersTree.treeID = \"t2\"
- //-->\n
- </script>\n");
+ fwrite($fp, "</div>\n");
+ fwrite($fp, "<script type=\"text/javascript\">\n");
+ fwrite($fp, "$(function () {
+ $(\"#jtree\")
+ .jstree({
+ \"plugins\" : [\"ui\",\"themes\",\"html_data\",\"cookies\"],
+ \"themes\" : {\"icons\" : false,
+ \"url\" : \"./js/style.css\"},
+ \"cookies\" : {
+ \"save_opened\" : \"Cacti_jstree_open\",
+ \"save_selected\" : \"Cacti_jstree_select\"
+ }
+
+ })
+
+ // Make sure that the nodes are actually used as links
+ // We need reselect to prevent endless loops
+ // https://groups.google.com/d/topic/jstree/j6XNq9hQdeA/discussion
+ .bind(\"reselect.jstree\", function (e, data) {
+ data.inst.get_container().bind(\"select_node.jstree\", function (e, data) {
+ // data.rstl.obj is the object that was selected.
+ document.location.href = data.rslt.obj.children(\"a\").attr(\"href\");
+ });
+ });
+
+});\n");
+ fwrite($fp, "</script>\n");
+
}
/* get_graph_tree_array_export - returns a list of graph trees taking permissions into account if
@@ -1478,8 +1485,7 @@
$dhtml_tree = array();
$dhtml_tree[0] = $start;
$dhtml_tree[1] = read_graph_config_option("expand_hosts");
- $dhtml_tree[2] = "foldersTree = gFld(\"\", \"\")\n";
- $i = 2;
+ $i = 1;
$tree_list = get_graph_tree_array_export();
@@ -1499,7 +1505,6 @@
if (((read_config_option("export_tree_isolation") == "on") && ($tree_id == $tree["id"])) ||
(read_config_option("export_tree_isolation") == "off")) {
- $i++;
$hier_sql = "SELECT DISTINCT
graph_tree_items.id,
@@ -1522,19 +1527,53 @@
$dhtml_tree_id = 0;
if (sizeof($hierarchy) > 0) {
+ $last_tier = 1;
+ $openli = false;
+ $lasthost = false;
+ $opentree = false;
foreach ($hierarchy as $leaf) {
if ($dhtml_tree_id <> $tree["id"]) {
- $dhtml_tree[$i] = "ou0 = insFld(foldersTree, gFld(\"" . get_tree_name($tree["id"]) . "\", \"" . clean_up_export_name(get_tree_name($tree["id"])) . "_leaf.html\"))\n";
+ if ($opentree) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t</ul>\n\t\t</li>\n\t</ul>\n";
+ }
+ $i++;
+ $clean_id = clean_up_export_name(get_tree_name($tree["id"]));
+ $dhtml_tree[$i] = "\t<ul>\n\t\t<li id=\"" . $clean_id . "\"><a href=\"" . $clean_id . "_leaf.html\">" . get_tree_name($tree["id"]) . "</a>\n\t\t\t<ul>\n";
+ $opentree = true;
}
$dhtml_tree_id = $tree["id"];
- $i++;
$tier = tree_tier($leaf["order_key"]);
if ($leaf["host_id"] > 0) { //It's a host
- $dhtml_tree[$i] = "ou" . ($tier) . " = insFld(ou" . ($tier-1) . ", gFld(\"Host: " . $leaf["hostname"] . "\", \"" . clean_up_export_name($leaf["hostname"] . "_" . $leaf["id"]) . ".html\"))\n";
+ if ($tier > $last_tier) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t<ul>\n";
+ } elseif ($tier < $last_tier) {
+ if (!$lasthost) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t</li>\n";
+ }
+ for ($x = $tier; $x < $last_tier; $x++) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t</ul>\n\t\t\t\t</li>\n";
+ $openli = false;
+ }
+ } elseif ($openli && !$lasthost) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t</li>\n";
+ $openli = false;
+ }
+ $last_tier = $tier;
+ $lasthost = true;
+ $i++;
+ $clean_id = clean_up_export_name($leaf["hostname"] . "_" . $leaf["id"]);
+ $dhtml_tree[$i] = "\t\t\t\t<li id=\"" . $clean_id . "\"><a href=\"" . $clean_id . ".html\">Host: " . htmlspecialchars($leaf["hostname"]) . "</a>\n";
if (read_config_option("export_tree_expand_hosts") == "on") {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t\t<ul>\n";
if ($leaf["host_grouping_type"] == HOST_GROUPING_GRAPH_TEMPLATE) {
$graph_templates = db_fetch_assoc("SELECT
graph_templates.id,
@@ -1552,7 +1591,8 @@
if (sizeof($graph_templates) > 0) {
foreach ($graph_templates as $graph_template) {
$i++;
- $dhtml_tree[$i] = "ou" . ($tier+1) . " = insFld(ou" . ($tier) . ", gFld(\" " . $graph_template["name"] . "\", \"" . clean_up_export_name($leaf["hostname"] . "_gt_" . $leaf["id"]) . "_" . $graph_template["id"] . ".html\"))\n";
+ $clean_id = clean_up_export_name($leaf["hostname"] . "_gt_" . $leaf["id"] . "_" . $graph_template["id"]);
+ $dhtml_tree[$i] = "\t\t\t\t\t\t<li id=\"" . $clean_id . "\"><a href=\"" . $clean_id . ".html\">" . htmlspecialchars($graph_template["name"]) . "</a></li>\n";
}
}
}else if ($leaf["host_grouping_type"] == HOST_GROUPING_DATA_QUERY_INDEX) {
@@ -1567,36 +1607,77 @@
array_push($data_queries, array(
"id" => "0",
- "name" => "Graph Template Based"
+ "name" => "Non Query Based"
));
if (sizeof($data_queries) > 0) {
- foreach ($data_queries as $data_query) {
- $i++;
-
- $dhtml_tree[$i] = "ou" . ($tier+1) . " = insFld(ou" . ($tier) . ", gFld(\" " . $data_query["name"] . "\", \"" . clean_up_export_name($leaf["hostname"] . "_dq_" . $leaf["title"] . "_" . $leaf["id"]) . "_" . $data_query["id"] . ".html\"))\n";
+ foreach ($data_queries as $data_query) {
+ $i++;
+ $clean_id = clean_up_export_name($leaf["hostname"] . "_dq_" . $leaf["title"] . "_" . $leaf["id"] . "_" . $data_query["id"]);
+ $dhtml_tree[$i] = "\t\t\t\t\t\t<li id=\"" . $clean_id . "\"><a href=\"" . $clean_id . ".html\">" . htmlspecialchars($data_query["name"]) . "</a>\n";
- /* fetch a list of field names that are sorted by the preferred sort field */
- $sort_field_data = get_formatted_data_query_indexes($leaf["host_id"], $data_query["id"]);
+ /* fetch a list of field names that are sorted by the preferred sort field */
+ $sort_field_data = get_formatted_data_query_indexes($leaf["host_id"], $data_query["id"]);
- if ($data_query["id"] > 0) {
- while (list($snmp_index, $sort_field_value) = each($sort_field_data)) {
+ if ($data_query["id"] > 0) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t\t\t\t<ul>\n";
+ while (list($snmp_index, $sort_field_value) = each($sort_field_data)) {
+ $i++;
+ $clean_id = clean_up_export_name($leaf["hostname"] . "_dqi_" . $leaf["id"] . "_" . $data_query["id"] . "_" . $snmp_index);
+ $dhtml_tree[$i] = "\t\t\t\t\t\t\t\t<li id=\"" . $clean_id . "\"><a href=\"" . $clean_id . ".html\">" . htmlspecialchars($sort_field_value) . "</a></li>\n";
+ }
$i++;
- $dhtml_tree[$i] = "ou" . ($tier+2) . " = insFld(ou" . ($tier+1) . ", gFld(\" " . $sort_field_value . "\", \"" . clean_up_export_name($leaf["hostname"] . "_dqi_" . $leaf["title"] . "_" . $leaf["id"]) . "_" . $data_query["id"] . "_" . $snmp_index . ".html\"))\n";
+ $dhtml_tree[$i] = "\t\t\t\t\t\t\t</ul>\n";
}
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t\t\t</li>\n";
}
}
- }
}
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t\t</ul>\n";
}
- }else {
- $dhtml_tree[$i] = "ou" . ($tier) . " = insFld(ou" . ($tier-1) . ", gFld(\"" . $leaf["title"] . "\", \"" . clean_up_export_name(get_tree_name($tree["id"]) . "_" . $leaf["title"] . "_" . $leaf["id"]) . "_leaf.html\"))\n";
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t</li>\n";
+ }else { //It's not a host
+ if ($tier > $last_tier) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t<ul>\n";
+ } elseif ($tier < $last_tier) {
+ if (!$lasthost) {
+ $i++;
+ $dhtml_tree[$i] = "</li>\n";
+ }
+ for ($x = $tier; $x < $last_tier; $x++) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t</ul>\n\t\t\t\t</li>\n";
+ $openli = false;
+ }
+ } elseif ($openli && !$lasthost) {
+ $i++;
+ $dhtml_tree[$i] = "</li>\n";
+ $openli = false;
+ }
+ $last_tier = $tier;
+ $i++;
+ $clean_id = clean_up_export_name(get_tree_name($tree["id"]) . "_" . $leaf["title"] . "_" . $leaf["id"]);
+ $dhtml_tree[$i] = "\t\t\t\t<li id=\"" . $clean_id . "\"><a href=\"" . $clean_id . "_leaf.html\">" . htmlspecialchars($leaf["title"]) . "</a>\n";
+ $openli = true;
+ $lasthost = false;
}
}
+ for ($x = $last_tier; $x > 1; $x--) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t\t</ul>\n\t\t\t\t</li>\n";
+ }
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t</ul>\n\t\t</li>\n\t</ul>\n";
}else{
if ($dhtml_tree_id <> $tree["id"]) {
- $dhtml_tree[$i] = "ou0 = insFld(foldersTree, gFld(\"" . get_tree_name($tree["id"]) . "\", \"" . clean_up_export_name(get_tree_name($tree["id"])) . "_leaf.html\"))\n";
$i++;
+ $clean_id = clean_up_export_name(get_tree_name($tree["id"]));
+ $dhtml_tree[$i] = "\t<ul>\n\t\t<li id=\"" . $clean_id . "_leaf\"><a href=\"" . $clean_id . "_leaf.html\">" . get_tree_name($tree["id"]) . "</a></li>\n\t</ul>";
}
}
}
@@ -1612,10 +1693,10 @@
$dir - the export directory where graphs will either be staged or located.
*/
function create_export_directory_structure($cacti_root_path, $dir) {
- /* create the treeview sub-directory */
- if (!is_dir("$dir/treeview")) {
- if (!mkdir("$dir/treeview", 0755)) {
- export_fatal("Create directory '" . $dir . "/treeview' failed. Can not continue");
+ /* create the jquery sub-directory */
+ if (!is_dir("$dir/js")) {
+ if (!mkdir("$dir/js", 0755)) {
+ export_fatal("Create directory '" . $dir . "/js' failed. Can not continue");
}
}
@@ -1626,8 +1707,6 @@
}
}
- $treeview_dir = $dir . "/treeview";
-
/* css */
copy("$cacti_root_path/include/main.css", "$dir/main.css");
@@ -1639,18 +1718,15 @@
copy("$cacti_root_path/images/shadow_gray.gif", "$dir/shadow_gray.gif");
/* java scripts for the tree */
- copy("$cacti_root_path/include/treeview/ftiens4_export.js", "$treeview_dir/ftiens4.js");
- copy("$cacti_root_path/include/treeview/ua.js", "$treeview_dir/ua.js");
-
- /* images for the tree */
- copy("$cacti_root_path/include/treeview/ftv2blank.gif", "$treeview_dir/ftv2blank.gif");
- copy("$cacti_root_path/include/treeview/ftv2lastnode.gif", "$treeview_dir/ftv2lastnode.gif");
- copy("$cacti_root_path/include/treeview/ftv2mlastnode.gif", "$treeview_dir/ftv2mlastnode.gif");
- copy("$cacti_root_path/include/treeview/ftv2mnode.gif", "$treeview_dir/ftv2mnode.gif");
- copy("$cacti_root_path/include/treeview/ftv2node.gif", "$treeview_dir/ftv2node.gif");
- copy("$cacti_root_path/include/treeview/ftv2plastnode.gif", "$treeview_dir/ftv2plastnode.gif");
- copy("$cacti_root_path/include/treeview/ftv2pnode.gif", "$treeview_dir/ftv2pnode.gif");
- copy("$cacti_root_path/include/treeview/ftv2vertline.gif", "$treeview_dir/ftv2vertline.gif");
+ copy("$cacti_root_path/include/js/jquery/jquery.js", "$dir/js/jquery.js");
+ copy("$cacti_root_path/include/js/jquery/jquery.jstree.js", "$dir/js/jquery.jstree.js");
+ copy("$cacti_root_path/include/js/jquery/jquery.cookie.js", "$dir/js/jquery.cookie.js");
+
+ /* theme info for java scripts */
+ copy("$cacti_root_path/include/js/jquery/themes/default/style.css", "$dir/js/style.css");
+ copy("$cacti_root_path/include/js/jquery/themes/default/d.png", "$dir/js/d.png");
+ copy("$cacti_root_path/include/js/jquery/themes/default/d.gif", "$dir/js/d.gif");
+ copy("$cacti_root_path/include/js/jquery/themes/default/throbber.gif", "$dir/js/throbber.gif");
}
function get_host_description($host_id) {
@@ -1738,8 +1814,9 @@
<meta http-equiv=refresh content='300'; url='index.html'>
<meta http-equiv=Pragma content=no-cache>
<meta http-equiv=cache-control content=no-cache>
- <script type=\"text/javascript\" src=\"./treeview/ua.js\"></script>
- <script type=\"text/javascript\" src=\"./treeview/ftiens4.js\"></script>
+ <script type=\"text/javascript\" src=\"./js/jquery.js\" language=\"javascript\"></script>
+ <script type=\"text/javascript\" src=\"./js/jquery.cookie.js\" language=\"javascript\"></script>
+ <script type=\"text/javascript\" src=\"./js/jquery.jstree.js\" language=\"javascript\"></script>
</head>
<body>
<table style='width:100%;height:100%;' cellspacing='0' cellpadding='0'>
--- a/lib/html_tree.php
+++ b/lib/html_tree.php
@@ -495,17 +495,9 @@
include_once($config["library_path"] . "/data_query.php");
?>
- <script type="text/javascript">
- <!--
- USETEXTLINKS = 1
- STARTALLOPEN = 0
- USEFRAMES = 0
- USEICONS = 0
- WRAPTEXT = 1
- PERSERVESTATE = 1
- HIGHLIGHT = 1
<?php
/* get current time */
+/* Probably not needed anymore as jstree uses jquery.cookies
list($micro,$seconds) = explode(" ", microtime());
$current_time = $seconds + $micro;
$expand_hosts = read_graph_config_option("expand_hosts");
@@ -522,6 +514,8 @@
$dhtml_tree = $_SESSION['dhtml_tree'];
}
}
+*/
+ $dhtml_tree = create_dhtml_tree();
$total_tree_items = sizeof($dhtml_tree) - 1;
@@ -529,8 +523,31 @@
print $dhtml_tree[$i];
}
?>
- //-->
- </script>
+<script type="text/javascript">
+$(function () {
+ $("#jtree")
+ .jstree({
+ "plugins" : ["ui","themes","html_data","cookies"],
+ "themes" : {"icons" : false,
+ "url" : "<?php echo $config['url_path']; ?>include/js/jquery/themes/default/style.css"},
+ "cookies" : {
+ "save_opened" : "Cacti_jstree_open",
+ "save_selected" : "Cacti_jstree_select"
+ }
+ })
+
+ // Make sure that the nodes are actually used as links
+ // We need reselect to prevent endless loops
+ // https://groups.google.com/d/topic/jstree/j6XNq9hQdeA/discussion
+ .bind("reselect.jstree", function (e, data) {
+ data.inst.get_container().bind("select_node.jstree", function (e, data) {
+ // data.rstl.obj is the object that was selected.
+ document.location.href = data.rslt.obj.children("a").attr("href");
+ });
+ });
+
+});
+</script>
<?php
}
@@ -543,9 +560,8 @@
$dhtml_tree[0] = $start;
$dhtml_tree[1] = read_graph_config_option("expand_hosts");
- $dhtml_tree[2] = "foldersTree = gFld(\"\", \"\")\n";
- $dhtml_tree[3] = "foldersTree.xID = \"root\"\n";
- $i = 3;
+ $dhtml_tree[2] = "\n<div id=\"jtree\">\n";
+ $i = 2;
$tree_list = get_graph_tree_array();
@@ -567,7 +583,6 @@
if (sizeof($tree_list) > 0) {
foreach ($tree_list as $tree) {
- $i++;
$hierarchy = db_fetch_assoc("select
graph_tree_items.id,
graph_tree_items.title,
@@ -583,21 +598,45 @@
and graph_tree_items.local_graph_id = 0
order by graph_tree_items.order_key");
- $dhtml_tree[$i] = "ou0 = insFld(foldersTree, gFld(\"" . htmlspecialchars($tree["name"]) . "\", \"" . htmlspecialchars("graph_view.php?action=tree&tree_id=" . $tree["id"]) . "\"))\n";
$i++;
- $dhtml_tree[$i] = "ou0.xID = \"tree_" . $tree["id"] . "\"\n";
+ $dhtml_tree[$i] = "\t<ul>\n\t\t<li id=\"" . htmlspecialchars("tree_" . $tree["id"]) . "\"><a href=\"" . htmlspecialchars("graph_view.php?action=tree&tree_id=" . $tree["id"]) . "\">" . htmlspecialchars($tree["name"]) . "</a>\n";
if (sizeof($hierarchy) > 0) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t<ul>\n";
+ $last_tier = 1;
+ $openli = false;
+ $lasthost = false;
foreach ($hierarchy as $leaf) {
- $i++;
$tier = tree_tier($leaf["order_key"]);
- if ($leaf["host_id"] > 0) {
- $dhtml_tree[$i] = "ou" . ($tier) . " = insFld(ou" . abs(($tier-1)) . ", gFld(\"" . "Host: " . htmlspecialchars($leaf["hostname"]) . "\", \"" . htmlspecialchars("graph_view.php?action=tree&tree_id=" . $tree["id"] . "&leaf_id=" . $leaf["id"]) . "\"))\n";
+ if ($leaf["host_id"] > 0) { //It's a host
+ if ($tier > $last_tier) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t<ul>\n";
+ } elseif ($tier < $last_tier) {
+ if (!$lasthost) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t</li>\n";
+ }
+ for ($x = $tier; $x < $last_tier; $x++) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t</ul>\n\t\t\t\t</li>\n";
+ $openli = false;
+ }
+ } elseif ($openli && !$lasthost) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t</li>\n";
+ $openli = false;
+ }
+ $last_tier = $tier;
+ $lasthost = true;
$i++;
- $dhtml_tree[$i] = "ou" . ($tier) . ".xID = \"tree_" . $tree["id"] . "_leaf_" . $leaf["id"] . "\"\n";
+ $dhtml_tree[$i] = "\t\t\t\t<li id=\"" . htmlspecialchars("tree_" . $tree["id"] . "_leaf_" . $leaf["id"]) . "\"><a href=\"" . htmlspecialchars("graph_view.php?action=tree&tree_id=" . $tree["id"] . "&leaf_id=" . $leaf["id"]) . "\">Host: " . htmlspecialchars($leaf["hostname"]) . "</a>\n";
if (read_graph_config_option("expand_hosts") == "on") {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t\t<ul>\n";
if ($leaf["host_grouping_type"] == HOST_GROUPING_GRAPH_TEMPLATE) {
$graph_templates = db_fetch_assoc("select
graph_templates.id,
@@ -612,9 +651,7 @@
if (sizeof($graph_templates) > 0) {
foreach ($graph_templates as $graph_template) {
$i++;
- $dhtml_tree[$i] = "ou" . ($tier+1) . " = insFld(ou" . ($tier) . ", gFld(\" " . htmlspecialchars($graph_template["name"]) . "\", \"graph_view.php?action=tree&tree_id=" . $tree["id"] . "&leaf_id=" . $leaf["id"] . "&host_group_data=graph_template:" . $graph_template["id"] . "\"))\n";
- $i++;
- $dhtml_tree[$i] = "ou" . ($tier+1) . ".xID = \"tree_" . $tree["id"] . "_leaf_" . $leaf["id"] . "_hgd_gt_" . $graph_template["id"] . "\"\n";
+ $dhtml_tree[$i] = "\t\t\t\t\t\t<li id=\"" . htmlspecialchars("tree_" . $tree["id"] . "_leaf_" . $leaf["id"] . "_hgd_gt_" . $graph_template["id"]) . "\"><a href=\"" . htmlspecialchars("graph_view.php?action=tree&tree_id=" . $tree["id"] . "&leaf_id=" . $leaf["id"] . "&host_group_data=graph_template:" . $graph_template["id"]) . "\">" . htmlspecialchars($graph_template["name"]) . "</a></li>\n";
}
}
}else if ($leaf["host_grouping_type"] == HOST_GROUPING_DATA_QUERY_INDEX) {
@@ -645,33 +682,71 @@
if ((($data_query["id"] == 0) && ($non_template_graphs > 0)) ||
(($data_query["id"] > 0) && (sizeof($sort_field_data) > 0))) {
$i++;
- $dhtml_tree[$i] = "ou" . ($tier+1) . " = insFld(ou" . ($tier) . ", gFld(\" " . htmlspecialchars($data_query["name"]) . "\", \"" . htmlspecialchars("graph_view.php?action=tree&tree_id=" . $tree["id"] . "&leaf_id=" . $leaf["id"] . "&host_group_data=data_query:" . $data_query["id"]) . "\"))\n";
- $i++;
- $dhtml_tree[$i] = "ou" . ($tier+1) . ".xID = \"tree_" . $tree["id"] . "_leaf_" . $leaf["id"] . "_hgd_dq_" . $data_query["id"] . "\"\n";
-
+ $dhtml_tree[$i] = "\t\t\t\t\t\t<li id=\"" . htmlspecialchars("tree_" . $tree["id"] . "_leaf_" . $leaf["id"] . "_hgd_dq_" . $data_query["id"]) . "\"><a href=\"" . htmlspecialchars("graph_view.php?action=tree&tree_id=" . $tree["id"] . "&leaf_id=" . $leaf["id"] . "&host_group_data=data_query:" . $data_query["id"]) . "\">" . htmlspecialchars($data_query["name"]) . "</a>\n";
if ($data_query["id"] > 0) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t\t\t\t<ul>\n";
while (list($snmp_index, $sort_field_value) = each($sort_field_data)) {
$i++;
- $dhtml_tree[$i] = "ou" . ($tier+2) . " = insFld(ou" . ($tier+1) . ", gFld(\" " . htmlspecialchars($sort_field_value) . "\", \"" . htmlspecialchars("graph_view.php?action=tree&tree_id=" . $tree["id"] . "&leaf_id=" . $leaf["id"] . "&host_group_data=data_query_index:" . $data_query["id"] . ":" . urlencode($snmp_index)) . "\"))\n";
- $i++;
- $dhtml_tree[$i] = "ou" . ($tier+2) . ".xID = \"tree_" . $tree["id"] . "_leaf_" . $leaf["id"] . "_hgd_dqi" . $data_query["id"] . "_" . urlencode($snmp_index) . "\"\n";
+ $dhtml_tree[$i] = "\t\t\t\t\t\t\t\t<li id=\"" . htmlspecialchars("tree_" . $tree["id"] . "_leaf_" . $leaf["id"] . "_hgd_dqi" . $data_query["id"]) . "_" . urlencode($snmp_index) . "\"><a href=\"" . htmlspecialchars("graph_view.php?action=tree&tree_id=" . $tree["id"] . "&leaf_id=" . $leaf["id"] . "&host_group_data=data_query_index:" . $data_query["id"] . ":" . urlencode($snmp_index)) . "\">" . htmlspecialchars($sort_field_value) . "</a></li>\n";
}
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t\t\t\t</ul>\n";
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t\t\t</li>\n";
}
}
}
}
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t\t\t</li>\n";
+ }
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t\t</ul>\n";
+ }
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t</li>\n";
+ }else{ //It's not a host
+ if ($tier > $last_tier) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t<ul>\n";
+ } elseif ($tier < $last_tier) {
+ if (!$lasthost) {
+ $i++;
+ $dhtml_tree[$i] = "</li>\n";
}
+ for ($x = $tier; $x < $last_tier; $x++) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t</ul>\n\t\t\t\t</li>\n";
+ $openli = false;
+ }
+ } elseif ($openli && !$lasthost) {
+ $i++;
+ $dhtml_tree[$i] = "</li>\n";
+ $openli = false;
}
- }else{
- $dhtml_tree[$i] = "ou" . ($tier) . " = insFld(ou" . abs(($tier-1)) . ", gFld(\"" . htmlspecialchars($leaf["title"]) . "\", \"" . htmlspecialchars("graph_view.php?action=tree&tree_id=" . $tree["id"] . "&leaf_id=" . $leaf["id"]) . "\"))\n";
+ $last_tier = $tier;
$i++;
- $dhtml_tree[$i] = "ou" . ($tier) . ".xID = \"tree_" . $tree["id"] . "_leaf_" . $leaf["id"] . "\"\n";
+ $dhtml_tree[$i] = "\t\t\t\t<li id=\"" . htmlspecialchars("tree_" . $tree["id"] . "_leaf_" . $leaf["id"]) . "\"><a href=\"" . htmlspecialchars("graph_view.php?action=tree&tree_id=" . $tree["id"] . "&leaf_id=" . $leaf["id"]) . "\">" . htmlspecialchars($leaf["title"]) . "</a>\n";
+ $openli = true;
+ $lasthost = false;
}
}
+ for ($x = $last_tier; $x > 1; $x--) {
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t\t\t</ul>\n\t\t\t\t</li>\n";
+ }
+ $i++;
+ $dhtml_tree[$i] = "\t\t\t</ul>\n";
}
+ $i++;
+ $dhtml_tree[$i] = "\t\t</li>\n\t</ul>\n";
}
}
+ $i++;
+ $dhtml_tree[$i] = "</div>\n";
+
return $dhtml_tree;
}
@@ -758,14 +833,6 @@
}
}
- print "<script type=\"text/javascript\">\n";
- print "<!--\n";
- print "myNode = findObj(\"$nodeid\")\n";
- print "myNode.forceOpeningOfAncestorFolders();\n";
- print "highlightObjLink(myNode)\n";
- print "//-->\n";
- print "</script>";
-
/* ================= input validation ================= */
input_validate_input_number(get_request_var_post("graphs"));
input_validate_input_number(get_request_var_post("page"));


@ -1,19 +0,0 @@
------------------------------------------------------------------------
r7443 | rony | 2014-03-30 18:43:28 -0500 (Sun, 30 Mar 2014) | 2 lines
bug#0002431: CVE-2014-2326 Unspecified HTML Injection Vulnerability
------------------------------------------------------------------------
Index: branches/0.8.8/cdef.php
===================================================================
--- branches/0.8.8/cdef.php (revision 7442)
+++ branches/0.8.8/cdef.php (revision 7443)
@@ -431,7 +431,7 @@
<a class="linkEditMain" href="<?php print htmlspecialchars("cdef.php?action=item_edit&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>">Item #<?php print htmlspecialchars($i);?></a>
</td>
<td>
- <em><?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?></em>: <strong><?php print get_cdef_item_name($cdef_item["id"]);?></strong>
+ <em><?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?></em>: <strong><?php print htmlspecialchars(get_cdef_item_name($cdef_item["id"]));?></strong>
</td>
<td>
<a href="<?php print htmlspecialchars("cdef.php?action=item_movedown&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>"><img src="images/move_down.gif" border="0" alt="Move Down"></a>


@ -1,28 +0,0 @@
------------------------------------------------------------------------
r7442 | rony | 2014-03-30 18:41:56 -0500 (Sun, 30 Mar 2014) | 2 lines
bug#0002433: CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
------------------------------------------------------------------------
Index: branches/0.8.8/lib/graph_export.php
===================================================================
--- branches/0.8.8/lib/graph_export.php (revision 7441)
+++ branches/0.8.8/lib/graph_export.php (revision 7442)
@@ -339,7 +339,7 @@
chdir($stExportDir);
/* set the initial command structure */
- $stExecute = 'ncftpput -R -V -r 1 -u '.$aFtpExport['username'].' -p '.$aFtpExport['password'];
+ $stExecute = 'ncftpput -R -V -r 1 -u ' . cacti_escapeshellarg($aFtpExport['username']) . ' -p ' . cacti_escapeshellarg($aFtpExport['password']);
/* if the user requested passive mode, use it */
if ($aFtpExport['passive']) {
@@ -347,7 +347,7 @@
}
/* setup the port, server, remote directory and all files */
- $stExecute .= ' -P ' . $aFtpExport['port'] . ' ' . $aFtpExport['server'] . ' ' . $aFtpExport['remotedir'] . ".";
+ $stExecute .= ' -P ' . cacti_escapeshellarg($aFtpExport['port']) . ' ' . cacti_escapeshellarg($aFtpExport['server']) . ' ' . cacti_escapeshellarg($aFtpExport['remotedir']) . ".";
/* run the command */
$iExecuteReturns = 0;


@ -1,42 +0,0 @@
------------------------------------------------------------------------
r7418 | gandalf | 2013-08-13 13:32:49 -0600 (Tue, 13 Aug 2013) | 1 line
fix COMMENT handling, even in case COMMENT is empty, with or without HR and with variable substitution
------------------------------------------------------------------------
Index: branches/0.8.8/lib/rrd.php
===================================================================
--- branches/0.8.8/lib/rrd.php (revision 7417)
+++ branches/0.8.8/lib/rrd.php (revision 7418)
@@ -1343,20 +1343,20 @@
$need_rrd_nl = TRUE;
if ($graph_item_types{$graph_item["graph_type_id"]} == "COMMENT") {
+ # perform variable substitution first (in case this will yield an empty results or brings command injection problems)
+ $comment_arg = rrd_substitute_host_query_data($graph_variables["text_format"][$graph_item_id], $graph, $graph_item);
+ # next, compute the argument of the COMMENT statement and perform injection counter measures
+ if (trim($comment_arg) == '') { # an empty COMMENT must be treated with care
+ $comment_arg = cacti_escapeshellarg(' ' . $hardreturn[$graph_item_id]);
+ } else {
+ $comment_arg = cacti_escapeshellarg($comment_arg . $hardreturn[$graph_item_id]);
+ }
+
+ # create rrdtool specific command line
if (read_config_option("rrdtool_version") != "rrd-1.0.x") {
- $comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id])) . " ";
- if (trim($comment_string) == 'COMMENT:"\n"') {
- $txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work
- } else if (trim($comment_string) != "COMMENT:\"\"") {
- $txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item);
- }
+ $txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", $comment_arg) . " ";
}else {
- $comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id]) . " ";
- if (trim($comment_string) == 'COMMENT:"\n"') {
- $txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work
- } else if (trim($comment_string) != "COMMENT:\"\"") {
- $txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item);
- }
+ $txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . $comment_arg . " ";
}
}elseif (($graph_item_types{$graph_item["graph_type_id"]} == "GPRINT") && (!isset($graph_data_array["graph_nolegend"]))) {
$graph_variables["text_format"][$graph_item_id] = str_replace(":", "\:", $graph_variables["text_format"][$graph_item_id]); /* escape colons */


@ -1,155 +0,0 @@
------------------------------------------------------------------------
r7420 | cigamit | 2013-08-17 21:41:24 -0600 (Sat, 17 Aug 2013) | 1 line
Bug #0002383 : Sanitize the step and id variables
------------------------------------------------------------------------
Index: branches/0.8.8/host.php
===================================================================
--- branches/0.8.8/host.php (revision 7419)
+++ branches/0.8.8/host.php (revision 7420)
@@ -149,6 +149,9 @@
if ($_POST["snmp_version"] == 3 && ($_POST["snmp_password"] != $_POST["snmp_password_confirm"])) {
raise_message(4);
}else{
+ input_validate_input_number(get_request_var_post("id"));
+ input_validate_input_number(get_request_var_post("host_template_id"));
+
$host_id = api_device_save($_POST["id"], $_POST["host_template_id"], $_POST["description"],
trim($_POST["hostname"]), $_POST["snmp_community"], $_POST["snmp_version"],
$_POST["snmp_username"], $_POST["snmp_password"],
Index: branches/0.8.8/lib/api_device.php
===================================================================
--- branches/0.8.8/lib/api_device.php (revision 7419)
+++ branches/0.8.8/lib/api_device.php (revision 7420)
@@ -107,7 +107,7 @@
$_host_template_id = db_fetch_cell("select host_template_id from host where id=$id");
}
- $save["id"] = $id;
+ $save["id"] = form_input_validate($id, "id", "^[0-9]+$", false, 3);
$save["host_template_id"] = form_input_validate($host_template_id, "host_template_id", "^[0-9]+$", false, 3);
$save["description"] = form_input_validate($description, "description", "", false, 3);
$save["hostname"] = form_input_validate(trim($hostname), "hostname", "", false, 3);
Index: branches/0.8.8/install/index.php
===================================================================
--- branches/0.8.8/install/index.php (revision 7419)
+++ branches/0.8.8/install/index.php (revision 7420)
@@ -310,27 +310,28 @@
}
/* pre-processing that needs to be done for each step */
-if (empty($_REQUEST["step"])) {
- $_REQUEST["step"] = 1;
-}else{
- if ($_REQUEST["step"] == "1") {
- $_REQUEST["step"] = "2";
- }elseif (($_REQUEST["step"] == "2") && ($_REQUEST["install_type"] == "1")) {
- $_REQUEST["step"] = "3";
- }elseif (($_REQUEST["step"] == "2") && ($_REQUEST["install_type"] == "3")) {
- $_REQUEST["step"] = "8";
- }elseif (($_REQUEST["step"] == "8") && ($old_version_index <= array_search("0.8.5a", $cacti_versions))) {
- $_REQUEST["step"] = "9";
- }elseif ($_REQUEST["step"] == "8") {
- $_REQUEST["step"] = "3";
- }elseif ($_REQUEST["step"] == "9") {
- $_REQUEST["step"] = "3";
- }elseif ($_REQUEST["step"] == "3") {
- $_REQUEST["step"] = "4";
+if (isset($_REQUEST["step"]) && $_REQUEST["step"] > 0) {
+ $step = intval($_REQUEST["step"]);
+ if ($step == "1") {
+ $step = "2";
+ } elseif (($step == "2") && ($_REQUEST["install_type"] == "1")) {
+ $step = "3";
+ } elseif (($step == "2") && ($_REQUEST["install_type"] == "3")) {
+ $step = "8";
+ } elseif (($step == "8") && ($old_version_index <= array_search("0.8.5a", $cacti_versions))) {
+ $step = "9";
+ } elseif ($step == "8") {
+ $step = "3";
+ } elseif ($step == "9") {
+ $step = "3";
+ } elseif ($step == "3") {
+ $step = "4";
}
+} else {
+ $step = 1;
}
-if ($_REQUEST["step"] == "4") {
+if ($step == "4") {
include_once("../lib/data_query.php");
include_once("../lib/utility.php");
@@ -366,7 +367,7 @@
header ("Location: ../index.php");
exit;
-}elseif (($_REQUEST["step"] == "8") && ($_REQUEST["install_type"] == "3")) {
+}elseif (($step == "8") && ($_REQUEST["install_type"] == "3")) {
/* if the version is not found, die */
if (!is_int($old_version_index)) {
print " <p style='font-family: Verdana, Arial; font-size: 16px; font-weight: bold; color: red;'>Error</p>
@@ -505,7 +506,7 @@
</tr>
<tr>
<td width="100%" style="font-size: 12px;">
- <?php if ($_REQUEST["step"] == "1") { ?>
+ <?php if ($step == "1") { ?>
<p>Thanks for taking the time to download and install cacti, the complete graphing
solution for your network. Before you can start making cool graphs, there are a few
@@ -530,7 +531,7 @@
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.</p>
- <?php }elseif ($_REQUEST["step"] == "2") { ?>
+ <?php }elseif ($step == "2") { ?>
<p>Please select the type of installation</p>
@@ -551,7 +552,7 @@
print "Server Operating System Type: " . $config["cacti_server_os"] . "<br>"; ?>
</p>
- <?php }elseif ($_REQUEST["step"] == "3") { ?>
+ <?php }elseif ($step == "3") { ?>
<p>Make sure all of these values are correct before continuing.</p>
<?php
@@ -609,7 +610,7 @@
is an upgrade. You can change any of the settings on this screen at a later
time by going to "Cacti Settings" from within Cacti.</p>
- <?php }elseif ($_REQUEST["step"] == "8") { ?>
+ <?php }elseif ($step == "8") { ?>
<p>Upgrade results:</p>
@@ -659,7 +660,7 @@
print $upgrade_results;
?>
- <?php }elseif ($_REQUEST["step"] == "9") { ?>
+ <?php }elseif ($step == "9") { ?>
<p style='font-size: 16px; font-weight: bold; color: red;'>Important Upgrade Notice</p>
@@ -673,7 +674,7 @@
<?php }?>
- <p align="right"><input type="image" src="install_<?php if ($_REQUEST["step"] == "3") {?>finish<?php }else{?>next<?php }?>.gif" alt="<?php if ($_REQUEST["step"] == "3"){?>Finish<?php }else{?>Next<?php }?>"></p>
+ <p align="right"><input type="image" src="install_<?php if ($step == "3") {?>finish<?php }else{?>next<?php }?>.gif" alt="<?php if ($step == "3"){?>Finish<?php }else{?>Next<?php }?>"></p>
</td>
</tr>
</table>
@@ -681,7 +682,7 @@
</tr>
</table>
-<input type="hidden" name="step" value="<?php print $_REQUEST["step"];?>">
+<input type="hidden" name="step" value="<?php print $step;?>">
</form>


@ -1,117 +0,0 @@
------------------------------------------------------------------------
r7439 | rony | 2014-03-30 17:52:10 -0500 (Sun, 30 Mar 2014) | 5 lines
bug#0002405: SQL injection in graph_xport.php
- Fixed form input validation problems
- Fixed rrd export and graph shell escape issues
------------------------------------------------------------------------
Index: branches/0.8.8/graph_xport.php
===================================================================
--- branches/0.8.8/graph_xport.php (revision 7438)
+++ branches/0.8.8/graph_xport.php (revision 7439)
@@ -47,43 +47,48 @@
$graph_data_array = array();
+/* ================= input validation ================= */
+input_validate_input_number(get_request_var("local_graph_id"));
+input_validate_input_number(get_request_var("rra_id"));
+/* ==================================================== */
+
/* override: graph start time (unix time) */
-if (!empty($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {
- $graph_data_array["graph_start"] = $_GET["graph_start"];
+if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)) {
+ $graph_data_array["graph_start"] = get_request_var("graph_start");
}
/* override: graph end time (unix time) */
-if (!empty($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
- $graph_data_array["graph_end"] = $_GET["graph_end"];
+if (!empty($_GET["graph_end"]) && is_numeric($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
+ $graph_data_array["graph_end"] = get_request_var("graph_end");
}
/* override: graph height (in pixels) */
-if (!empty($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
- $graph_data_array["graph_height"] = $_GET["graph_height"];
+if (!empty($_GET["graph_height"]) && is_numeric($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
+ $graph_data_array["graph_height"] = get_request_var("graph_height");
}
/* override: graph width (in pixels) */
-if (!empty($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
- $graph_data_array["graph_width"] = $_GET["graph_width"];
+if (!empty($_GET["graph_width"]) && is_numeric($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
+ $graph_data_array["graph_width"] = get_request_var("graph_width");
}
/* override: skip drawing the legend? */
if (!empty($_GET["graph_nolegend"])) {
- $graph_data_array["graph_nolegend"] = $_GET["graph_nolegend"];
+ $graph_data_array["graph_nolegend"] = get_request_var("graph_nolegend");
}
/* print RRDTool graph source? */
if (!empty($_GET["show_source"])) {
- $graph_data_array["print_source"] = $_GET["show_source"];
+ $graph_data_array["print_source"] = get_request_var("show_source");
}
-$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . $_REQUEST["local_graph_id"] . "'");
+$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . get_request_var("local_graph_id") . "'");
/* for bandwidth, NThPercentile */
$xport_meta = array();
/* Get graph export */
-$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], $_GET["rra_id"], $graph_data_array, $xport_meta);
+$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], get_request_var("rra_id"), $graph_data_array, $xport_meta);
/* Make graph title the suggested file name */
if (is_array($xport_array["meta"])) {
Index: branches/0.8.8/lib/rrd.php
===================================================================
--- branches/0.8.8/lib/rrd.php (revision 7438)
+++ branches/0.8.8/lib/rrd.php (revision 7439)
@@ -865,13 +865,13 @@
/* basic graph options */
$graph_opts .=
"--imgformat=" . $image_types{$graph["image_format_id"]} . RRD_NL .
- "--start=$graph_start" . RRD_NL .
- "--end=$graph_end" . RRD_NL .
+ "--start=" . cacti_escapeshellarg($graph_start) . RRD_NL .
+ "--end=" . cacti_escapeshellarg($graph_end) . RRD_NL .
"--title=" . cacti_escapeshellarg($graph["title_cache"]) . RRD_NL .
"$rigid" .
- "--base=" . $graph["base_value"] . RRD_NL .
- "--height=$graph_height" . RRD_NL .
- "--width=$graph_width" . RRD_NL .
+ "--base=" . cacti_escapeshellarg($graph["base_value"]) . RRD_NL .
+ "--height=" . cacti_escapeshellarg($graph_height) . RRD_NL .
+ "--width=" . cacti_escapeshellarg($graph_width) . RRD_NL .
"$scale" .
"$unit_value" .
"$unit_exponent_value" .
@@ -1606,8 +1606,8 @@
/* basic export options */
$xport_opts =
- "--start=$xport_start" . RRD_NL .
- "--end=$xport_end" . RRD_NL .
+ "--start=" . cacti_escapeshellarg($xport_start) . RRD_NL .
+ "--end=" . cacti_escapeshellarg($xport_end) . RRD_NL .
"--maxrows=10000" . RRD_NL;
$xport_defs = "";
@@ -1997,7 +1997,7 @@
$stacked_columns["col" . $j] = ($graph_item_types{$xport_item["graph_type_id"]} == "STACK") ? 1 : 0;
$j++;
- $txt_xport_items .= "XPORT:" . $data_source_name . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
+ $txt_xport_items .= "XPORT:" . cacti_escapeshellarg($data_source_name) . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
}else{
$need_rrd_nl = FALSE;
}


@ -1,141 +0,0 @@
------------------------------------------------------------------------
r7452 | cigamit | 2014-06-15 17:34:39 -0600 (Sun, 15 Jun 2014) | 1 line
-bug#0002453: CVE-2014-4002 Cross-Site Scripting Vulnerability
------------------------------------------------------------------------
Index: branches/0.8.8/host_templates.php
===================================================================
--- branches/0.8.8/host_templates.php (revision 7451)
+++ branches/0.8.8/host_templates.php (revision 7452)
@@ -117,6 +117,10 @@
function form_actions() {
global $colors, $host_actions;
+ /* ================= input validation ================= */
+ input_validate_input_number(get_request_var_post('drp_action'));
+ /* ==================================================== */
+
/* if we are to save this form, instead of display it */
if (isset($_POST["selected_items"])) {
$selected_items = unserialize(stripslashes($_POST["selected_items"]));
Index: branches/0.8.8/cdef.php
===================================================================
--- branches/0.8.8/cdef.php (revision 7451)
+++ branches/0.8.8/cdef.php (revision 7452)
@@ -158,6 +158,10 @@
function form_actions() {
global $colors, $cdef_actions;
+ /* ================= input validation ================= */
+ input_validate_input_number(get_request_var_post('drp_action'));
+ /* ==================================================== */
+
/* if we are to save this form, instead of display it */
if (isset($_POST["selected_items"])) {
$selected_items = unserialize(stripslashes($_POST["selected_items"]));
Index: branches/0.8.8/data_queries.php
===================================================================
--- branches/0.8.8/data_queries.php (revision 7451)
+++ branches/0.8.8/data_queries.php (revision 7452)
@@ -195,6 +195,10 @@
function form_actions() {
global $colors, $dq_actions;
+ /* ================= input validation ================= */
+ input_validate_input_number(get_request_var_post('drp_action'));
+ /* ==================================================== */
+
/* if we are to save this form, instead of display it */
if (isset($_POST["selected_items"])) {
$selected_items = unserialize(stripslashes($_POST["selected_items"]));
Index: branches/0.8.8/data_sources.php
===================================================================
--- branches/0.8.8/data_sources.php (revision 7451)
+++ branches/0.8.8/data_sources.php (revision 7452)
@@ -307,6 +307,10 @@
function form_actions() {
global $colors, $ds_actions;
+ /* ================= input validation ================= */
+ input_validate_input_number(get_request_var_post('drp_action'));
+ /* ==================================================== */
+
/* if we are to save this form, instead of display it */
if (isset($_POST["selected_items"])) {
$selected_items = unserialize(stripslashes($_POST["selected_items"]));
Index: branches/0.8.8/host.php
===================================================================
--- branches/0.8.8/host.php (revision 7451)
+++ branches/0.8.8/host.php (revision 7452)
@@ -175,6 +175,10 @@
function form_actions() {
global $colors, $device_actions, $fields_host_edit;
+ /* ================= input validation ================= */
+ input_validate_input_number(get_request_var_post('drp_action'));
+ /* ==================================================== */
+
/* if we are to save this form, instead of display it */
if (isset($_POST["selected_items"])) {
$selected_items = unserialize(stripslashes($_POST["selected_items"]));
Index: branches/0.8.8/data_input.php
===================================================================
--- branches/0.8.8/data_input.php (revision 7451)
+++ branches/0.8.8/data_input.php (revision 7452)
@@ -153,6 +153,10 @@
function form_actions() {
global $colors, $di_actions;
+ /* ================= input validation ================= */
+ input_validate_input_number(get_request_var_post('drp_action'));
+ /* ==================================================== */
+
/* if we are to save this form, instead of display it */
if (isset($_POST["selected_items"])) {
$selected_items = unserialize(stripslashes($_POST["selected_items"]));
Index: branches/0.8.8/graph_templates.php
===================================================================
--- branches/0.8.8/graph_templates.php (revision 7451)
+++ branches/0.8.8/graph_templates.php (revision 7452)
@@ -164,6 +164,10 @@
function form_actions() {
global $colors, $graph_actions;
+ /* ================= input validation ================= */
+ input_validate_input_number(get_request_var_post('drp_action'));
+ /* ==================================================== */
+
/* if we are to save this form, instead of display it */
if (isset($_POST["selected_items"])) {
$selected_items = unserialize(stripslashes($_POST["selected_items"]));
Index: branches/0.8.8/graphs.php
===================================================================
--- branches/0.8.8/graphs.php (revision 7451)
+++ branches/0.8.8/graphs.php (revision 7452)
@@ -267,6 +267,11 @@
function form_actions() {
global $colors, $graph_actions;
+
+ /* ================= input validation ================= */
+ input_validate_input_number(get_request_var_post('drp_action'));
+ /* ==================================================== */
+
/* if we are to save this form, instead of display it */
if (isset($_POST["selected_items"])) {
$selected_items = unserialize(stripslashes($_POST["selected_items"]));
Index: branches/0.8.8/data_templates.php
===================================================================
--- branches/0.8.8/data_templates.php (revision 7451)
+++ branches/0.8.8/data_templates.php (revision 7452)
@@ -254,6 +254,10 @@
function form_actions() {
global $colors, $ds_actions;
+ /* ================= input validation ================= */
+ input_validate_input_number(get_request_var_post('drp_action'));
+ /* ==================================================== */
+
/* if we are to save this form, instead of display it */
if (isset($_POST["selected_items"])) {
$selected_items = unserialize(stripslashes($_POST["selected_items"]));


@ -1,21 +0,0 @@
------------------------------------------------------------------------
r7451 | cigamit | 2014-06-15 15:54:20 -0600 (Sun, 15 Jun 2014) | 1 line
Add some validation
------------------------------------------------------------------------
Index: branches/0.8.8/graph_templates_inputs.php
===================================================================
--- branches/0.8.8/graph_templates_inputs.php (revision 7450)
+++ branches/0.8.8/graph_templates_inputs.php (revision 7451)
@@ -52,6 +52,11 @@
$graph_input_values = array();
$selected_graph_items = array();
+ /* ================= input validation ================= */
+ input_validate_input_number(get_request_var_post("graph_template_input_id"));
+ input_validate_input_number(get_request_var_post("graph_template_id"));
+ /* ==================================================== */
+
$save["id"] = $_POST["graph_template_input_id"];
$save["hash"] = get_hash_graph_template($_POST["graph_template_input_id"], "graph_template_input");
$save["graph_template_id"] = $_POST["graph_template_id"];


@ -1,57 +0,0 @@
#
# Cacti: An rrd based graphing tool
#
# For security reasons, the Cacti web interface is accessible only to
# localhost in the default configuration. If you want to allow other clients
# to access your Cacti installation, change the httpd ACLs below.
# For example:
# On httpd 2.4, change "Require host localhost" to "Require all granted".
# On httpd 2.2, change "Allow from localhost" to "Allow from all".
Alias /cacti /usr/share/cacti
<Directory /usr/share/cacti/>
<IfModule mod_authz_core.c>
# httpd 2.4
Require host localhost
</IfModule>
<IfModule !mod_authz_core.c>
# httpd 2.2
Order deny,allow
Deny from all
Allow from localhost
</IfModule>
</Directory>
<Directory /usr/share/cacti/install>
# mod_security overrides.
# Uncomment these if you use mod_security.
# allow POST of application/x-www-form-urlencoded during install
#SecRuleRemoveById 960010
# permit the specification of the rrdtool paths during install
#SecRuleRemoveById 900011
</Directory>
# These sections marked "Require all denied" (or "Deny from all")
# should not be modified.
# These are in place in order to harden Cacti.
<Directory /usr/share/cacti/log>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>
<Directory /usr/share/cacti/rra>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>


@ -1,30 +0,0 @@
In order for Cacti to function properly, please edit the following:
/etc/cacti/db.php
/etc/cron.d/cacti
/etc/http/conf.d/cacti.conf
The installation procedure, briefly summarized:
Create the cacti MySQL database:
# mysqladmin create cacti
Import the default cacti database:
# mysql cacti < /usr/share/doc/cacti-0.8.8a/cacti.sql
Create the user:
# mysql
mysql> GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY 'cactiuser';
(Use a different password in the above GRANT command.)
Then visit http://localhost/cacti/ to complete the installation.
Cacti's install procedure is not fully compatible with mod_security. If you use
mod_security, please uncomment the SecRuleRemoveById lines in
/etc/http/conf.d/cacti.conf.
Cacti should work with SELinux. If you cannot get it to work, please file a bug.


@ -1 +0,0 @@
#*/5 * * * * cacti /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1


@ -1,8 +0,0 @@
/var/log/cacti/cacti.log {
missingok
monthly
notifempty
compress
create 0664 cacti apache
su cacti apache
}


@ -1,356 +0,0 @@
Name: cacti
Version: 0.8.8b
Release: 7%{?dist}
Summary: An rrd based graphing tool
# Use systemd unit files on Fedora 21+ and RHEL 7.
%if 0%{?fedora} >= 21 || 0%{?rhel} >= 7
%global _with_systemd 1
%endif
Group: Applications/System
# There's a lot of stuff in there. It's all compatible.
License: GPLv2+ and LGPLv2 and (MPLv1.1 or GPLv2 or LGPLv2) and (LGPLv2 or BSD)
URL: http://www.cacti.net/
# Source0: http://www.cacti.net/downloads/%%{name}-%%{version}.tar.gz
# To generate the notreeview tarball:
# wget http://www.cacti.net/downloads/cacti-0.8.8b.tar.gz
# tar xzf cacti-0.8.8b.tar.gz
# rm -rf cacti-0.8.8b/include/treeview/*
# rm -rf cacti-0.8.8b.tar.gz
# tar czf cacti-0.8.8b-notreeview.tar.gz cacti-0.8.8b
Source0: %{name}-%{version}-notreeview.tar.gz
Source1: cacti-httpd.conf
Source2: cacti.logrotate
Source3: cacti.README.fedora
Source4: d.gif
Source5: d.png
Source6: throbber.gif
Source7: %{name}.cron
# Add replacement files for treeview
Patch0: cacti-0.8.8a-legal.patch
# Thanks to Paul Gevers and Jan Zalesak (Debian)
Patch1: cacti-0.8.8a-replace_treeview_by_jquery.jstree.patch
# Upstream patch for XSS and SQL injection
# https://bugzilla.redhat.com/1000860
Patch2: cacti-0.8.8b-sanitize-variables.patch
# Upstream patch to fix graph comments
# https://bugzilla.redhat.com/1004550
Patch3: cacti-0.8.8b-rra-comments.patch
# Upstream patch for SQL injection and shell escaping
# https://bugzilla.redhat.com/1084258
Patch4: cacti-0.8.8b-sql-injection-shell-escaping.patch
# Upstream patch for HTML injection
# https://bugzilla.redhat.com/1082122
Patch5: cacti-0.8.8b-html-injection.patch
# Upstream patch for remote command execution
# https://bugzilla.redhat.com/1082122
Patch6: cacti-0.8.8b-remote-command-execution.patch
# Upstream patches for XSS
# https://bugzilla.redhat.com/1113035
Patch7: cacti-0.8.8b-validate-graph-templates-inputs.patch
Patch8: cacti-0.8.8b-validate-drp-action.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: php, php-mysql, mysql, httpd, rrdtool, net-snmp, php-snmp
Requires: net-snmp-utils
Requires: crontabs
Requires(pre): %{_sbindir}/useradd
%if 0%{?_with_systemd}
Requires(preun): systemd
Requires(postun): systemd
Requires(post): systemd
%else
Requires(postun): /sbin/service
%endif
BuildArch: noarch
# This macro was added in Fedora 20. Use the old version if it's undefined
# on older Fedoras and RHELs.
# https://fedoraproject.org/wiki/Changes/UnversionedDocdirs
%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
%description
Cacti is a complete frontend to RRDTool. It stores all of the
necessary information to create graphs and populate them with
data in a MySQL database. The frontend is completely PHP
driven. Along with being able to maintain graphs, data
sources, and round robin archives in a database, Cacti also
handles the data gathering. There is SNMP support for those
used to creating traffic graphs with MRTG.
%prep
%setup -q
%patch0 -p1
# patch1: Remove treeview
%patch1 -p1
# patch2: XSS and SQL injection, https://bugzilla.redhat.com/1000860
%patch2 -p2
# patch3: Fix graph comments, https://bugzilla.redhat.com/1004550
%patch3 -p2
# patch4: SQL injection and shell escaping, https://bugzilla.redhat.com/1084258
%patch4 -p2
# patch5: HTML injection, https://bugzilla.redhat.com/1082122
%patch5 -p2
# patch6: Remote command execution, https://bugzilla.redhat.com/1082122
%patch6 -p2
# patch7 and 8: XSS, https://bugzilla.redhat.com/1113035
%patch7 -p2
%patch8 -p2
cp %{SOURCE4} %{SOURCE5} %{SOURCE6} include/js/jquery/themes/default/
rm -rf include/treeview
%build
# cacti's build is a noop
%install
rm -rf %{buildroot}
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/%{name}
%{__install} -d -m 0755 %{buildroot}/%{_pkgdocdir}
%{__install} -d -m 0755 %{buildroot}/%{_datadir}/%{name}/
%{__install} -m 0644 *.php %{buildroot}/%{_datadir}/%{name}/
%{__install} -d -m 0775 log/ %{buildroot}/%{_localstatedir}/log/%{name}/
%{__install} -m 0664 log/* %{buildroot}/%{_localstatedir}/log/%{name}/
%{__install} -d -m 0755 rra/ %{buildroot}/%{_localstatedir}/lib/%{name}/rra/
%{__install} -d -m 0755 scripts/ %{buildroot}/%{_localstatedir}/lib//%{name}/scripts/
%{__install} -m 0755 scripts/* %{buildroot}/%{_localstatedir}/lib/%{name}/scripts/
%{__install} -d -m 0755 cli/ %{buildroot}/%{_localstatedir}/lib//%{name}/cli/
%{__install} -m 0755 cli/* %{buildroot}/%{_localstatedir}/lib/%{name}/cli/
%{__install} -p -D -m 0644 %{SOURCE7} %{buildroot}/%{_sysconfdir}/cron.d/%{name}
%{__install} -D -m 0644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/cacti.conf
%{__install} -D -m 0644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/logrotate.d/cacti
# The su parameter will trip up older logrotate versions.
# Conditionally remove it here.
%if 0%{?rhel} && 0%{?rhel} <= 6
sed -i %{buildroot}/%{_sysconfdir}/logrotate.d/cacti -e '/^[ \t]*su /d'
%endif
%{__cp} -a images/ include/ install/ lib/ plugins/ resource/ %{buildroot}%{_datadir}/%{name}
%{__cp} %{SOURCE3} ./docs/README.fedora
%{__cp} -a docs/ %{buildroot}/%{_pkgdocdir}
%{__mv} %{buildroot}/%{_datadir}/%{name}/include/config.php %{buildroot}/%{_sysconfdir}/%{name}/db.php
%{__chmod} +x %{buildroot}/%{_datadir}/%{name}/cmd.php %{buildroot}/%{_datadir}/%{name}/poller.php
ln -s %{_sysconfdir}/%{name}/db.php %{buildroot}/%{_datadir}/%{name}/include/config.php
ln -s %{_localstatedir}/lib/%{name}/rra %{buildroot}/%{_datadir}/%{name}/
ln -s %{_localstatedir}/lib/%{name}/scripts %{buildroot}/%{_datadir}/%{name}/
ln -s %{_localstatedir}/lib/%{name}/cli %{buildroot}/%{_datadir}/%{name}/
ln -s %{_localstatedir}/log/%{name}/ %{buildroot}/%{_datadir}/%{name}/log
ln -s %{_datadir}/%{name}/lib %{buildroot}/%{_localstatedir}/lib/%{name}/
ln -s %{_datadir}/%{name}/include %{buildroot}/%{_localstatedir}/lib/%{name}/
%clean
rm -rf %{buildroot}
%pre
%{_sbindir}/useradd -d %{_datadir}/%{name} -r -s /sbin/nologin cacti 2> /dev/null || :
%post
%if 0%{?_with_systemd}
%systemd_post httpd.service
%else
if [ $1 == 1 ]; then
/sbin/service httpd condrestart > /dev/null 2>&1 || :
fi
%endif
%postun
%if 0%{?_with_systemd}
%systemd_postun_with_restart httpd.service
%else
/sbin/service httpd condrestart > /dev/null 2>&1 || :
%endif
%files
%defattr(-,root,root,-)
%dir %{_sysconfdir}/%{name}
%dir %{_datadir}/%{name}
%dir %{_localstatedir}/lib/%{name}
%dir %{_localstatedir}/lib/%{name}/cli
%dir %{_localstatedir}/lib/%{name}/scripts
%doc docs/ README LICENSE cacti.sql
%config(noreplace) %{_sysconfdir}/cron.d/cacti
%config(noreplace) %{_sysconfdir}/httpd/conf.d/cacti.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%attr(0640,cacti,apache) %config(noreplace) %{_sysconfdir}/%{name}/db.php
%{_datadir}/%{name}/*.php
%{_datadir}/%{name}/images/
%{_datadir}/%{name}/include/
%{_datadir}/%{name}/install/
%{_datadir}/%{name}/lib/
%{_datadir}/%{name}/log
%{_datadir}/%{name}/plugins/
%{_datadir}/%{name}/resource/
%{_datadir}/%{name}/rra
%{_datadir}/%{name}/scripts
%{_datadir}/%{name}/cli
%{_localstatedir}/lib/%{name}/scripts/*[^p]
%attr(-,cacti,apache) %{_localstatedir}/log/%{name}/
%attr(-,cacti,root) %{_localstatedir}/lib/%{name}/rra/
%attr(0644,root,root) %{_localstatedir}/lib/%{name}/scripts/*php
%attr(0644,root,root) %{_localstatedir}/lib/%{name}/cli/*php
%attr(0644,root,root) %{_localstatedir}/lib/%{name}/include
%attr(0644,root,root) %{_localstatedir}/lib/%{name}/lib
%changelog
* Fri Jun 27 2014 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8b-7
- Patches for CVE-2014-4002 Cross-site scripting vulnerability
(RHBZ #1113035)
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.8b-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Mon Apr 07 2014 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8b-5
- Patch for CVE-2014-2708 SQL injection issues in graph_xport.php
(RHBZ #1084258)
- Patch for CVE-2014-2709 shell escaping issues in lib/rrd.php
(RHBZ #1084258)
- Patch for CVE-2014-2326 stored XSS attack (RHBZ #1082122)
- Patch for CVE-2014-2328 use of exec-like function calls without safety
checks allow arbitrary command execution (RHBZ #1082122)
* Fri Feb 07 2014 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8b-4
- Move cron to a separate file and require crontabs (RHBZ #947047). Thanks
Jóhann B. Guðmundsson.
- Update for systemd (RHBZ #947047). Thanks Jóhann B. Guðmundsson.
- Fix rpmlint warning about spaces-to-tabs
* Wed Sep 04 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8b-3
- Fix comments in thumbnails (BZ #1004550)
* Mon Aug 26 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8b-2
- Patch for CVE-2013-5588 and CVE-2013-5589 (BZ #1000860)
* Wed Aug 07 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8b-1
- New upstream release (BZ #993042)
* Mon Jul 29 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8a-9
- Use %%{_pkgdocdir}, per
https://fedoraproject.org/wiki/Changes/UnversionedDocdirs
* Sun Jul 14 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8a-8
- Improve security description in cacti's httpd conf (RHBZ #895823)
- Use improved treeview replacement patch (RHBZ #888207)
- rpmlint fixes
- trim RPM changelog
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.8a-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Tue Jan 08 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8a-6
- Add note to README.fedora about the default MySQL password
- Remove reference to "docs/INSTALL" in README.fedora (RHBZ #893122)
- Add dependency on net-snmp-utils (RHBZ #893150)
* Fri Jan 04 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8a-5
- Install our README file as README.fedora
* Fri Jan 4 2013 Tom Callaway <spot@fedoraproject.org> - 0.8.8a-4
- remove non-free treeview bits (replace with jquery future code from 0.8.9 trunk)
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.8a-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Thu Jun 28 2012 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8a-2
- Add plugins directory (BZ #834355)
- Drop Fedora 15 (EOL) from logrotate syntax adjustment
* Mon Apr 30 2012 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8a-1
- New upstream release (BZ #817506)
- Drop upstreamed $url_path patch
* Wed Apr 11 2012 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8-3
- Patch $url_path to default to "/cacti/" (upstream bug 2217)
* Fri Apr 06 2012 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8-2
- Adjust httpd ACL conditionals to test the presence of mod_authz_core
(as discussed on fedora-devel)
* Wed Apr 04 2012 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8-1
- New upstream release (BZ #809753).
* Mon Mar 26 2012 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.7i-4
- Adjust ACLs to support httpd 2.4.
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.7i-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Dec 13 2011 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.7i-2
- Only set "su" logrotate parameter for F16 and above.
- Tweak mod_security rules.
* Mon Dec 12 2011 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.7i-1
- New upstream release (BZ #766573).
* Fri Nov 11 2011 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.7h-2
- block HTTP access to log and rra directories (#609856)
- overrides for mod_security
- set logrotate to su to cacti apache when rotating (#753079)
* Thu Oct 27 2011 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.7h-1
- New upstream release.
- Remove upstream'd mysql patch.
* Mon Aug 08 2011 Jon Ciesla <limb@jcomserv.net> - 0.8.7g-3
- Patch for MySQL 5.5, BZ 728513.
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.7g-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Mon Jul 12 2010 Mike McGrath <mmcgrath@redhat.com> 0.8.7g-1
- Upstream released new version
* Mon May 24 2010 Mike McGrath <mmcgrath@redhat.com> - 0.8.7f-1
- Upstream released new version
- Contains security updates #595289
* Fri Apr 23 2010 Mike McGrath <mmcgrath@redhat.com> - 0.8.7e-4
- Pulling in patches from upstream
- SQL injection fix
- BZ #541279
* Tue Dec 1 2009 Mike McGrath <mmcgrath@redhat.com> - 0.8.7e-3
- Pulling in some official patches
- #541279
- #541962
* Sun Aug 16 2009 Mike McGrath <mmcgrath@redhat.com> - 0.8.7e-1
- Upstream released new version
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.7d-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Tue Mar 31 2009 Michael Schwendt <mschwendt@fedoraproject.org> - 0.8.7d-3
- Fix unowned cli directory (#473631)
* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.7d-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Sat Feb 21 2009 Mike McGrath <mmcgrath@redhat.com> - 0.8.7d-1
- Upstream released new version
* Mon Jul 28 2008 Mike McGrath <mmcgrath@redhat.com> - 0.8.7b-4
- Added cli directory
* Fri Jul 18 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.8.7b-3
- fix my own mistake in the license tag
* Tue Jul 15 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.8.7b-2
- fix license tag
* Thu Feb 14 2008 Mike McGrath <mmcgrath@redhat.com> - 0.8.7b-1
- Upstream released new version
* Fri Nov 23 2007 Mike McGrath <mmcgrath@redhat.com> - 0.8.7a-2
- db.php is now 640 instead of 660 - #396331
* Tue Nov 20 2007 Mike McGrath <mmcgrath@redhat.com> - 0.8.7a-1
- Upstream released new version
- Fixes for bug #391691 - CVE-2007-6035

BIN
d.gif

Binary file not shown.


BIN
d.png

Binary file not shown.


1
dead.package Normal file

@ -0,0 +1 @@
Too many unpatched CVEs, and upstream is close to dead. See post on fedora-devel / epel-announce.


@ -1 +0,0 @@
4be3fec56815b7d803fff97a6bfdcd8f cacti-0.8.8b-notreeview.tar.gz

Binary file not shown.
