Merge branch 'vulnerabilidad-en-consola' into 'develop'

Resolve: Vulnerabilidad en consola See merge request artica/pandorafms!1020
2025-07-31 01:35:36 +02:00 · 2017-11-06 17:41:45 +01:00 · 2017-11-06 17:41:45 +01:00 · 2d87172558
commit 2d87172558
parent 3c9410678b ac70caac71
9 changed files with 90 additions and 108 deletions
--- a/pandora_console/godmode/reporting/visual_console_builder.editor.js
+++ b/pandora_console/godmode/reporting/visual_console_builder.editor.js
@ -32,8 +32,6 @@ var SIZE_GRID = 16; //Const the size (for width and height) of grid.
 var img_handler_start;
 var img_handler_end;
 var font;
 function toggle_advance_options_palette(close) {
 	if ($("#advance_options").css('display') == 'none') {
 		$("#advance_options").css('display', '');
@ -59,23 +57,6 @@ function visual_map_main() {
 		img_handler_end = data;
 	});
 	//Get the actual system font.
 	parameter = Array();
 	parameter.push ({name: "page", value: "include/ajax/visual_console_builder.ajax"});
 	parameter.push ({name: "action", value: "get_font"});
 	parameter.push ({name: "id_visual_console",
 		value: id_visual_console});
 	jQuery.ajax({
 		url: get_url_ajax(),
 		data: parameter,
 		type: "POST",
 		dataType: 'json',
 		success: function (data)
 		{
 			font = data['font'];
 		}
 	});
 	//Get the list of posible parents
 	parents = Base64.decode($("input[name='parents_load']").val());
 	parents = eval("(" + parents + ")");
@ -2237,9 +2218,9 @@ function setPercentileBar(id_data, values) {
 				value_text = module_value + " " + unit_text;
 			}
-			var img = url_hack_metaconsole + 'include/graphs/fgraph.php?homeurl=../../&graph_type=progressbar&height=15&' +
+			var img = url_hack_metaconsole + 'include/graphs/fgraph.php?graph_type=progressbar&height=15&' +
 				'width=' + width_percentile + '&mode=1&progress=' + percentile +
-				'&font=' + font + '&value_text=' + value_text + '&colorRGB=' + colorRGB;
+				'&value_text=' + value_text + '&colorRGB=' + colorRGB;
 			$("#"+  id_data).attr('src', img);
@ -2543,9 +2524,9 @@ function setPercentileBubble(id_data, values) {
 				value_text = module_value + " " + unit_text;
 			}
-			var img = url_hack_metaconsole + 'include/graphs/fgraph.php?homeurl=../../&graph_type=progressbubble&height=' + width_percentile + '&' +
+			var img = url_hack_metaconsole + 'include/graphs/fgraph.php?graph_type=progressbubble&height=' + width_percentile + '&' +
 				'width=' + width_percentile + '&mode=1&progress=' + percentile +
-				'&font=' + font + '&value_text=' + value_text + '&colorRGB=' + colorRGB;
+				'&value_text=' + value_text + '&colorRGB=' + colorRGB;
 			$("#image_" + id_data).attr('src', img);
--- a/pandora_console/include/functions_filemanager.php
+++ b/pandora_console/include/functions_filemanager.php
@ -720,6 +720,17 @@ function filemanager_file_explorer($real_directory, $relative_directory,
 			$hash = md5($relative_path . $config['dbpass']);
 			$data[1] = '<a href="' . $hack_metaconsole . 'include/get_file.php?file='.urlencode(base64_encode($relative_path)).'&hash=' . $hash . '">'.$fileinfo['name'].'</a>';
 		}
 		// Notice that uploaded php files could be dangerous
 		if (pathinfo($fileinfo['realpath'], PATHINFO_EXTENSION) == 'php' &&
 				(is_readable($fileinfo['realpath']) || is_executable($fileinfo['realpath']))) {
 			$error_message = __('This file could be executed by any user');
 			$error_message .= '. ' . __('Make sure it can\'t perform dangerous tasks');
 			$data[1] = '<span class="error forced_title" data-title="' . $error_message . '" data-use_title_for_force_title="1">'
 				. $data[1]
 				. '</span>';
 		}
 		$data[2] = ui_print_timestamp ($fileinfo['last_modified'], true,
 			array ('prominent' => true));
 		if ($fileinfo['is_dir']) {
--- a/pandora_console/include/functions_graph.php
+++ b/pandora_console/include/functions_graph.php
@ -2555,10 +2555,10 @@ function progress_bar($progress, $width, $height, $title = '', $mode = 1, $value
 	require_once("include_graph_dependencies.php");
 	include_graphs_dependencies($config['homedir'].'/');
 	$src = ui_get_full_url(
-		"/include/graphs/fgraph.php?homeurl=../../&graph_type=progressbar" .
+		"/include/graphs/fgraph.php?graph_type=progressbar" .
-		"&width=".$width."&homedir=".$config['homedir']."&height=".$height."&progress=".$progress.
+		"&width=".$width."&height=".$height."&progress=".$progress.
 		"&mode=" . $mode . "&out_of_lim_str=".$out_of_lim_str .
-		"&title=".$title."&font=".$config['fontpath']."&value_text=". $value_text . 
+		"&title=".$title."&value_text=". $value_text . 
 		"&colorRGB=". $colorRGB, false, false, false
 		);
@ -2590,10 +2590,10 @@ function progress_bubble($progress, $width, $height, $title = '', $mode = 1, $va
 	include_graphs_dependencies($config['homedir'].'/');
 	return "<img title='" . $title . "' alt='" . $title . "'" .
-		" src='" . $config['homeurl'] . $hack_metaconsole . "/include/graphs/fgraph.php?homeurl=../../&graph_type=progressbubble" .
+		" src='" . $config['homeurl'] . $hack_metaconsole . "/include/graphs/fgraph.php?graph_type=progressbubble" .
 		"&width=".$width."&height=".$height."&progress=".$progress.
 		"&mode=" . $mode . "&out_of_lim_str=".$out_of_lim_str .
-		"&title=".$title."&font=".$config['fontpath']."&value_text=". $value_text . 
+		"&title=".$title."&value_text=". $value_text . 
 		"&colorRGB=". $colorRGB . "' />";
 }
--- a/pandora_console/include/functions_networkmap.php
+++ b/pandora_console/include/functions_networkmap.php
@ -1060,8 +1060,8 @@ function networkmap_create_agent_node ($agent, $simple = 0, $font_size = 10, $cu
 	}
 	// Short name
-	$name = io_safe_output($agent["nombre"]);
+	$name = $agent["nombre"];
-	if ((strlen ($name) > 16) && ($cut_names)) {
+	if ($cut_names) {
 		$name = ui_print_truncate_text($name, 16, false, true, false);
 	}
@ -1111,7 +1111,7 @@ function networkmap_create_agent_node ($agent, $simple = 0, $font_size = 10, $cu
 		}
 		$node = "\n" . $agent['id_node'].' [ parent="' . $agent['id_parent'] . '", color="'.$status_color.'", fontsize='.$font_size.', style="filled", fixedsize=true, width=0.40, height=0.40, label=<<TABLE CELLPADDING="0" CELLSPACING="0" BORDER="0"><TR><TD>' . $img_node . '</TD></TR>
-		 <TR><TD>'.io_safe_output($name).'</TD></TR></TABLE>>,
+		 <TR><TD>'.$name.'</TD></TR></TABLE>>,
 		 shape="doublecircle", URL="'.$url.'",
 		 tooltip="' . $url_tooltip . '"];' . "\n";
 	}
@ -1174,7 +1174,7 @@ function networkmap_create_module_group_node ($module_group, $simple = 0, $font_
 			'", fontsize='.$font_size.', style="filled", ' .
 			'fixedsize=true, width=0.30, height=0.30, ' .
 			'label=<<TABLE data-id_agent="' . $module_group['id_agent'] . '" data-status="' . $module_group['status'] . '" CELLPADDING="0" CELLSPACING="0" BORDER="0"><TR><TD>' .
-			io_safe_output($module_group['name']) . '</TD></TR></TABLE>>,
+			$module_group['name'] . '</TD></TR></TABLE>>,
 			shape="square", URL="' . $url . '",
 			tooltip="' . $url_tooltip . '"];';
 	}
@ -1268,7 +1268,7 @@ function networkmap_create_module_node ($module, $simple = 0, $font_size = 10, $
 			'fixedsize=true, width=0.30, height=0.30, ' .
 			'label=<<TABLE CELLPADDING="0" CELLSPACING="0" BORDER="0"><TR><TD>' .
 			$img_node . '</TD></TR>
-			<TR><TD>' . io_safe_output($module['nombre']) . '</TD></TR></TABLE>>,
+			<TR><TD>' . $module['nombre'] . '</TD></TR></TABLE>>,
 			shape="circle", URL="' . $url . '",
 			tooltip="' . $url_tooltip . '"];';
 	}
--- a/pandora_console/include/functions_pandora_networkmap.php
+++ b/pandora_console/include/functions_pandora_networkmap.php
@ -374,6 +374,7 @@ function networkmap_db_node_to_js_node($node, &$count, &$count_item_holding_area
 		$item['image_width'] = (int)$image_size[0];
 		$item['image_height'] = (int)$image_size[1];
 	}
 	$item['raw_text'] = $node['style']['label'];
 	$item['text'] = io_safe_output($node['style']['label']);
 	$item['shape'] = $node['style']['shape'];
 	switch ($node['type']) {
@ -548,7 +549,7 @@ function networkmap_links_to_js_links($relations, $nodes_graph) {
 			$item['arrow_end'] = 'module';
 			$item['status_end'] = modules_get_agentmodule_status((int)$id_target_module, false, false, null);
 			$item['id_module_end'] = (int)$id_target_module;
-			$text_end = io_safe_output(modules_get_agentmodule_name((int)$id_target_module));
+			$text_end = modules_get_agentmodule_name((int)$id_target_module);
 			if (preg_match ("/(.+)_ifOperStatus$/" , (string)$text_end, $matches)) {
 				if ($matches[1]) {
 					$item['text_end'] = $matches[1];
@ -559,7 +560,7 @@ function networkmap_links_to_js_links($relations, $nodes_graph) {
 			$item['arrow_start'] = 'module';
 			$item['status_start'] = modules_get_agentmodule_status((int)$id_source_module, false, false, null);
 			$item['id_module_start'] = (int)$id_source_module;
-			$text_start = io_safe_output(modules_get_agentmodule_name((int)$id_source_module));
+			$text_start = modules_get_agentmodule_name((int)$id_source_module);
 			if (preg_match ("/(.+)_ifOperStatus$/" , (string)$text_start, $matches)) {
 				if ($matches[1]) {
 					$item['text_start'] = $matches[1];
@ -874,7 +875,6 @@ function networkmap_loadfile($id = 0, $file = '',
 								modules_get_agentmodule_agent($ids[$node_id]['id_module']);
 							$text = modules_get_agentmodule_name($data['id_module']);
 							$text = io_safe_output($text);
 							$text = ui_print_truncate_text($text,
 								'agent_medium', false, true, false,
 								'...', false);
@ -885,7 +885,6 @@ function networkmap_loadfile($id = 0, $file = '',
 							$data['id_agent'] = $ids[$node_id]['id_agent'];
 							$text = agents_get_alias($ids[$node_id]['id_agent']);
 							$text = io_safe_output($text);
 							$text = ui_print_truncate_text($text,
 								'agent_medium', false, true, false,
 								'...', false);
@ -975,7 +974,7 @@ function duplicate_networkmap($id) {
 	$values = db_get_row('tmap', 'id', $id);
 	unset($values['id']);
 	$free_name = false;
-	$values['name'] = io_safe_input(__('Copy of ') . io_safe_output($values['name']));
+	$values['name'] = io_safe_input(__('Copy of ')) . $values['name'];
 	$count = 1;
 	while (!$free_name) {
 		$exist = db_get_row_filter('tmap', array('name' => $values['name']));
--- a/pandora_console/include/functions_ui.php
+++ b/pandora_console/include/functions_ui.php
@ -94,22 +94,27 @@ function ui_print_truncate_text($text, $numChars = GENERIC_SIZE_TEXT, $showTextI
 		}
 	}
-	$text = io_safe_output($text);
+	$text_html_decoded = io_safe_output($text);
-	if (mb_strlen($text, "UTF-8") > ($numChars)) {
+	$text_has_entities = $text != $text_html_decoded;
 	if (mb_strlen($text_html_decoded, "UTF-8") > ($numChars)) {
 		// '/2' because [...] is in the middle of the word.
 		$half_length = intval(($numChars - 3) / 2);
 		// Depending on the strange behavior of mb_strimwidth() itself,
 		// the 3rd parameter is not to be $numChars but the length of
 		// original text (just means 'large enough').
-		$truncateText2 = mb_strimwidth($text,
+		$truncateText2 = mb_strimwidth($text_html_decoded,
-			(mb_strlen($text, "UTF-8") - $half_length),
+			(mb_strlen($text_html_decoded, "UTF-8") - $half_length),
-			mb_strlen($text, "UTF-8"), "", "UTF-8" );
+			mb_strlen($text_html_decoded, "UTF-8"), "", "UTF-8" );
-		$truncateText = mb_strimwidth($text, 0,
+		$truncateText = mb_strimwidth($text_html_decoded, 0,
-			($numChars - $half_length), "", "UTF-8") . $suffix;
+			($numChars - $half_length), "", "UTF-8");
-		$truncateText = $truncateText . $truncateText2;
+		// Recover the html entities to avoid XSS attacks
 		$truncateText = ($text_has_entities)
 			? io_safe_input($truncateText) . $suffix . io_safe_input($truncateText2)
 			: $truncateText . $suffix . $truncateText2;
 		if ($showTextInTitle) {
 			if ($style === null) {
--- a/pandora_console/include/graphs/fgraph.php
+++ b/pandora_console/include/graphs/fgraph.php
@ -10,48 +10,29 @@
 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 // GNU General Public License for more details.
 $ttl = 1;
 $homeurl = '';
 if (isset($_GET['homeurl'])) {
 	$homeurl = $_GET['homeurl'];
 }
 else $homeurl = '';
 $homeurl = ((bool)filter_var($homeurl, FILTER_VALIDATE_URL) == 1) ? '' : $homeurl;
 if (isset($_GET['ttl'])) {
 	$ttl = $_GET['ttl'];
 }
 else $ttl_param = 1;
 if (isset($_GET['graph_type'])) {
 	$graph_type = $_GET['graph_type'];
 }
 else $graph_type = '';
 //$graph_type = get_parameter('graph_type', '');
 //$ttl_param = get_parameter('ttl', 1);
 //$homeurl_param = get_parameter('homeurl', '');
 // Turn on output buffering.
 // The entire buffer will be discarded later so that any accidental output
 // does not corrupt images generated by fgraph.
-ob_start ();
+ob_start();
 global $config;
 if (empty($config['homedir'])) {
 	require_once ('../../include/config.php');
 	global $config;
 }
 include_once($config['homedir'] . '/include/functions.php');
 $ttl = get_parameter('ttl', 1);
 $graph_type = get_parameter('graph_type', '');
 if (!empty($graph_type)) {
-	$homedir = $_GET['homedir'];
+	include_once($config['homedir'] . '/include/functions_html.php');
-	if ($homedir != null) {
+	include_once($config['homedir'] . '/include/graphs/functions_gd.php');
-		$config['homedir'] = $homedir;
+	include_once($config['homedir'] . '/include/graphs/functions_utils.php');
-	}
+	include_once($config['homedir'] . '/include/graphs/functions_d3.php');
-
+	include_once($config['homedir'] . '/include/graphs/functions_flot.php');
 	include_once($homeurl . 'include/functions.php');
 	include_once($homeurl . 'include/functions_html.php');
 	include_once($homeurl . 'include/graphs/functions_gd.php');
 	include_once($homeurl . 'include/graphs/functions_utils.php');
 	include_once($homeurl . 'include/graphs/functions_d3.php');
 	include_once($homeurl . 'include/graphs/functions_flot.php');
 }
 // Clean the output buffer and turn off output buffering
@ -61,13 +42,12 @@ switch($graph_type) {
 	case 'histogram': 
 		$width = get_parameter('width');
 		$height = get_parameter('height');
 		$font = get_parameter('font');
 		$data = json_decode(io_safe_output(get_parameter('data')), true);
 		$max = get_parameter('max');
 		$title = get_parameter('title');
 		$mode = get_parameter ('mode', 1);
-		gd_histogram ($width, $height, $mode, $data, $max, $font, $title);
+		gd_histogram ($width, $height, $mode, $data, $max, $config['fontpath'], $title);
 		break;
 	case 'progressbar':
 		$width = get_parameter('width');
@ -77,7 +57,6 @@ switch($graph_type) {
 		$out_of_lim_str = io_safe_output(get_parameter('out_of_lim_str', false));
 		$out_of_lim_image = get_parameter('out_of_lim_image', false);
 		$font = get_parameter('font');
 		$title = get_parameter('title');
 		$mode = get_parameter('mode', 1);
@ -87,7 +66,7 @@ switch($graph_type) {
 		$value_text = get_parameter('value_text', '');
 		$colorRGB = get_parameter('colorRGB', '');
-		gd_progress_bar ($width, $height, $progress, $title, $font,
+		gd_progress_bar ($width, $height, $progress, $title, $config['fontpath'],
 			$out_of_lim_str, $out_of_lim_image, $mode, $fontsize,
 			$value_text, $colorRGB);
 		break;
@ -99,7 +78,6 @@ switch($graph_type) {
 		$out_of_lim_str = io_safe_output(get_parameter('out_of_lim_str', false));
 		$out_of_lim_image = get_parameter('out_of_lim_image', false);
 		$font = get_parameter('font');
 		$title = get_parameter('title');
 		$mode = get_parameter('mode', 1);
@ -109,7 +87,7 @@ switch($graph_type) {
 		$value_text = get_parameter('value_text', '');
 		$colorRGB = get_parameter('colorRGB', '');
-		gd_progress_bubble ($width, $height, $progress, $title, $font,
+		gd_progress_bubble ($width, $height, $progress, $title, $config['fontpath'],
 			$out_of_lim_str, $out_of_lim_image, $mode, $fontsize,
 			$value_text, $colorRGB);
 		break;
--- a/pandora_console/include/javascript/functions_pandora_networkmap.js
+++ b/pandora_console/include/javascript/functions_pandora_networkmap.js
@ -240,10 +240,11 @@ function update_node_name(id_db_node) {
 					jQuery.each(graph.nodes, function (i, element) {
 						if (element.id_db == id_db_node) {
-							graph.nodes[i].text = name;
+							graph.nodes[i]['text'] = data['text'];
 							graph.nodes[i]['raw_text'] = data['raw_text'];
-							$("#id_node_" + i + networkmap_id + " title").html(name);
+							$("#id_node_" + i + networkmap_id + " title").html(data['raw_text']);
-							$("#id_node_" + i + networkmap_id + " tspan").html(name);
+							$("#id_node_" + i + networkmap_id + " tspan").html(data['raw_text']);
 						}
 					});
@ -723,7 +724,6 @@ function edit_node(data_node, dblClick) {
 			$("#node_options-node_name-2 input")
 				.attr("onclick", "update_node_name(" + node_selected.id_db + ");");
 			$("#node_details-0-1").html('<a href="index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=' + node_selected["id_agent"] + '">' + node_selected["text"] + '</a>');
 			var params = [];
 			params.push("get_agent_info=1");
 			params.push("id_agent=" + node_selected["id_agent"]);
@ -735,11 +735,19 @@ function edit_node(data_node, dblClick) {
 				type: 'POST',
 				url: action = "ajax.php",
 				success: function (data) {
-					var adressess = "";
+					$("#node_details-0-1").html('<a href="index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=' + node_selected["id_agent"] + '">' + data['alias'] + '</a>');
-					for (adress in data['adressess']) {
+					
-						adressess += adress + "<br>";
+					var addresses = "";
 					if (data['adressess'] instanceof Array) {
 						for (var i; i < data['adressess'].length; i++) {
 							addresses += data['adressess'][i] + "<br>";
 						}
 					} else {
 						for (address in data['adressess']) {
 							addresses += address + "<br>";
 						}
 					}
-					$("#node_details-1-1").html(adressess);
+					$("#node_details-1-1").html(addresses);
 					$("#node_details-2-1").html(data["os"]);
 					$("#node_details-3-1").html(data["group"]);
@ -752,7 +760,7 @@ function edit_node(data_node, dblClick) {
 			$("#dialog_node_edit")
 				.dialog("option", "title",
-				dialog_node_edit_title.replace("%s", node_selected.text));
+				dialog_node_edit_title.replace("%s", node_selected['text'])); // It doesn't eval the possible XSS so it's ok
 			$("#dialog_node_edit").dialog("open");
 			if (node_selected.id_agent == undefined || node_selected.id_agent == -2) {
@ -760,7 +768,7 @@ function edit_node(data_node, dblClick) {
 				$("#node_options-fictional_node_name")
 					.css("display", "");
 				$("input[name='edit_name_fictional_node']")
-					.val(node_selected.text);
+					.val(node_selected.text); // It doesn't eval the possible XSS so it's ok
 				$("#node_options-fictional_node_networkmap_link")
 					.css("display", "");
 				$("#edit_networkmap_to_link")
@ -774,7 +782,7 @@ function edit_node(data_node, dblClick) {
 			}
 			else {
 				$("input[name='edit_name_node']")
-					.val(node_selected.text);
+					.val(node_selected.text); // It doesn't eval the possible XSS so it's ok
 				$("#node_options-fictional_node_name")
 					.css("display", "none");
 				$("#node_options-fictional_node_networkmap_link")
@ -925,9 +933,9 @@ function load_interfaces(selected_links) {
 		});
 		$("#relations_table-template_row-node_source", template_relation_row)
-			.html(link_each.source.text);
+			.html(link_each.source['raw_text']);
 		$("#relations_table-template_row-node_target", template_relation_row)
-			.html(link_each.target.text);
+			.html(link_each.target['raw_text']);
 		$("#relations_table-template_row-edit", template_relation_row)
 			.attr("align", "center");
 		$("#relations_table-template_row-edit .delete_icon", template_relation_row)
--- a/pandora_console/operation/agentes/pandora_networkmap.view.php
+++ b/pandora_console/operation/agentes/pandora_networkmap.view.php
@ -72,7 +72,7 @@ if (is_ajax ()) {
 	if ($update_fictional_point) {
 		$id_node = (int)get_parameter('id_node', 0);
-		$name = io_safe_output(get_parameter('name', ''));
+		$name = get_parameter('name', '');
 		$shape = get_parameter('shape', 0);
 		$radious = (int)get_parameter('radious', 20);
 		$color = get_parameter('color', 0);
@ -123,7 +123,7 @@ if (is_ajax ()) {
 		$id = (int)get_parameter('id', 0);
 		$x = (int)get_parameter('x', 0);
 		$y = (int)get_parameter('y', 0);
-		$id_agents = io_safe_output(get_parameter('id_agents', ''));
+		$id_agents = get_parameter('id_agents', '');
 		$id_agents = json_decode($id_agents, true);
 		if ($id_agents === null)
@ -426,7 +426,7 @@ if (is_ajax ()) {
 	if ($get_agent_pos_search) {
 		$id = (int)get_parameter('id', 0);
-		$name = io_safe_output((string)get_parameter('name', 0));
+		$name = (string)get_parameter('name');
 		$return = array();
 		$return['correct'] = true;
@ -447,7 +447,7 @@ if (is_ajax ()) {
 		$id = (int)get_parameter('id', 0);
 		/* q is what autocomplete plugin gives */
-		$string = io_safe_output((string) get_parameter ('q'));
+		$string = (string) get_parameter('q');
 		$agents = db_get_all_rows_filter('titem',
 			array('id_map' => $id,
@ -459,7 +459,7 @@ if (is_ajax ()) {
 		$data = array();
 		foreach ($agents as $agent) {
 			$style = json_decode($agent['style'], true);
-			$data[] = array('name' => io_safe_output($style['label']));
+			$data[] = array('name' => $style['label']);
 		}
 		echo json_encode($data);
@ -750,7 +750,7 @@ else {
 	}
 	if (!$dash_mode) {
-		ui_print_page_header(io_safe_output($networkmap['name']), 
+		ui_print_page_header($networkmap['name'], 
 			"images/bricks.png", false, "network_map_enterprise", 
 			false, $buttons, false, '', $config['item_title_size_text']);
 	}