fix comments in thumbnails (BZ #1004550)
parent
fa1f26bd89
commit
b0f42c247c
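--- a/cacti-0.8.8b-rra-comments.patch
+++ b/cacti-0.8.8b-rra-comments.patch
@@ -0,0 +1,42 @@
+------------------------------------------------------------------------
+r7418 | gandalf | 2013-08-13 13:32:49 -0600 (Tue, 13 Aug 2013) | 1 line
+
+fix COMMENT handling, even in case COMMENT is empty, with or without HR and with variable substitution
+------------------------------------------------------------------------
+Index: branches/0.8.8/lib/rrd.php
+===================================================================
+--- branches/0.8.8/lib/rrd.php (revision 7417)
++++ branches/0.8.8/lib/rrd.php (revision 7418)
+@@ -1343,20 +1343,20 @@
+$need_rrd_nl = TRUE;
+
+if ($graph_item_types{$graph_item["graph_type_id"]} == "COMMENT") {
++ # perform variable substitution first (in case this will yield an empty results or brings command injection problems)
++ $comment_arg = rrd_substitute_host_query_data($graph_variables["text_format"][$graph_item_id], $graph, $graph_item);
++ # next, compute the argument of the COMMENT statement and perform injection counter measures
++ if (trim($comment_arg) == '') { # an empty COMMENT must be treated with care
++ $comment_arg = cacti_escapeshellarg(' ' . $hardreturn[$graph_item_id]);
++ } else {
++ $comment_arg = cacti_escapeshellarg($comment_arg . $hardreturn[$graph_item_id]);
++ }
++
++ # create rrdtool specific command line
+if (read_config_option("rrdtool_version") != "rrd-1.0.x") {
+- $comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id])) . " ";
+- if (trim($comment_string) == 'COMMENT:"\n"') {
+- $txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work
+- } else if (trim($comment_string) != "COMMENT:\"\"") {
+- $txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item);
+- }
++ $txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", $comment_arg) . " ";
+}else {
+- $comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id]) . " ";
+- if (trim($comment_string) == 'COMMENT:"\n"') {
+- $txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work
+- } else if (trim($comment_string) != "COMMENT:\"\"") {
+- $txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item);
+- }
++ $txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . $comment_arg . " ";
+}
+}elseif (($graph_item_types{$graph_item["graph_type_id"]} == "GPRINT") && (!isset($graph_data_array["graph_nolegend"]))) {
+$graph_variables["text_format"][$graph_item_id] = str_replace(":", "\:", $graph_variables["text_format"][$graph_item_id]); /* escape colons */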
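Review bot: The comment on the empty-COMMENT branch (`# an empty COMMENT must be treated with care`) drops the reason the removed lines gave, namely that rrdtool skips a COMMENT holding only a newline, so I would restore it as `# rrdtool skips a COMMENT that holds a NL only, so prepend a blank to keep the line break`. The first added comment should also state the ordering rule plainly, because the ordering is the security-relevant part of this change: `# substitute host/query variables before cacti_escapeshellarg(): the substituted text is not trusted and must end up inside the quoted argument`. In the non-1.0.x branch `str_replace(":", "\:", ...)` still runs on the already quoted string, as it did before, which presumably depends on the quoting leaving a backslash untouched; cacti_escapeshellarg() is not visible here, so that is worth confirming. The enclosing function starts and ends outside this hunk.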
10
cacti.spec
10
cacti.spec
@ -1,6 +1,6 @@
|
||||
Name: cacti
|
||||
Version: 0.8.8b
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: An rrd based graphing tool
|
||||
|
||||
Group: Applications/System
|
||||
@ -30,6 +30,10 @@ Patch1: cacti-0.8.8a-replace_treeview_by_jquery.jstree.patch
|
||||
# https://bugzilla.redhat.com/1000860
|
||||
Patch2: cacti-0.8.8b-sanitize-variables.patch
|
||||
|
||||
# Upstream patch to fix graph comments
|
||||
# https://bugzilla.redhat.com/1004550
|
||||
Patch3: cacti-0.8.8b-rra-comments.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
||||
Requires: php, php-mysql, mysql, httpd, rrdtool, net-snmp, php-snmp
|
||||
@ -57,6 +61,7 @@ used to creating traffic graphs with MRTG.
|
||||
%patch0 -p1
|
||||
%patch1 -p1 -b .notreeview
|
||||
%patch2 -p2 -b .sanitize
|
||||
%patch3 -p2 -b .comments
|
||||
cp %{SOURCE4} %{SOURCE5} %{SOURCE6} include/js/jquery/themes/default/
|
||||
rm -rf include/treeview
|
||||
|
||||
@ -147,6 +152,9 @@ fi
|
||||
%attr(0644,root,root) %{_localstatedir}/lib/%{name}/lib
|
||||
|
||||
%changelog
|
||||
* Wed Sep 04 2013 Ken Dreyer <ktdreyer@ktdreyer.org> - 0.8.8b-3
|
||||
- Fix comments in thumbnails (BZ #1004550)
|
||||
|
||||
* Mon Aug 26 2013 Ken Dreyer <ktdreyer@ktdreyer.org> - 0.8.8b-2
|
||||
- Patch for CVE-2013-5588 and CVE-2013-5589 (BZ #1000860)
|
||||
|
||||
|