From ada98364181df42a730b27c518b152c6c0ca1c6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Su=C3=A1rez?=
Date: Tue, 2 Apr 2024 17:21:10 -0600
Subject: [PATCH] Changes to avoid injection
---
 pandora_console/include/functions_io.php | 4 ++++
 pandora_server/lib/PandoraFMS/Tools.pm | 1 +
 pandora_server/util/pandora_manage.pl | 2 ++
 3 files changed, 7 insertions(+)
diff --git a/pandora_console/include/functions_io.php b/pandora_console/include/functions_io.php
index a58c77fc62..a3b08230a8 100755
--- a/pandora_console/include/functions_io.php
+++ b/pandora_console/include/functions_io.php
@@ -90,6 +90,10 @@ function io_safe_input($value)
 $value = utf8_encode($value);
 }
+ if (preg_match('/<\/?script(.*?)>/', $value)) {
+ $value = preg_replace('/<\/?script(.*?)>/', '', $value);
+ }
+
 $valueHtmlEncode = htmlentities(($value ?? ''), ENT_QUOTES, 'UTF-8', true);
 // Replace the character '\' for the equivalent html entitie
diff --git a/pandora_server/lib/PandoraFMS/Tools.pm b/pandora_server/lib/PandoraFMS/Tools.pm
index 43b7db611b..b2a11e3ab0 100755
--- a/pandora_server/lib/PandoraFMS/Tools.pm
+++ b/pandora_server/lib/PandoraFMS/Tools.pm
@@ -647,6 +647,7 @@ sub safe_input($) {
 return "" unless defined($value);
+ $value =~ s/<\/?script(.*?)>//gs;
 $value =~ s/(.)/$CHR2ENT{$1}||$1/ge;
 return $value;
diff --git a/pandora_server/util/pandora_manage.pl b/pandora_server/util/pandora_manage.pl
index 6ac06feae0..aa6e800097 100755
--- a/pandora_server/util/pandora_manage.pl
+++ b/pandora_server/util/pandora_manage.pl
@@ -3429,6 +3429,8 @@ sub cli_agent_update() {
 my @id_agents;
 my $id_agent;
+ $new_value = safe_input($new_value);
+
 if (defined $use_alias and $use_alias eq 'use_alias') {
 @id_agents = get_agent_ids_from_alias($dbh,$agent_name);
 foreach my $id (@id_agents) {
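Review bot: The new strip at the top of the functions_io.php hunk is case-sensitive, so a tag spelled `<SCRIPT>` or in mixed case is not touched at all; `preg_*` only ignores case with the `i` modifier, and the Perl counterpart added in Tools.pm (`s/<\/?script(.*?)>//gs`) has the same gap. The `preg_match` guard is redundant, because `preg_replace` leaves a non-matching string unchanged, and a single removal pass is not idempotent, so if stripping is really the intent the replacement should be repeated until the value stops changing. Since the `htmlentities` call two lines below already encodes `<` and `>`, the strip mostly changes what gets stored rather than what gets rendered, and a comment saying which consumer depends on the tag being absent would make that trade-off explicit. I would collapse the four added lines to `$value = preg_replace('/<\/?script(?:.*?)>/is', '', $value);` with that comment above it. `io_safe_input` starts and continues outside the hunk.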
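Review bot: The substitution added in the Tools.pm hunk uses `/s` while the PHP `io_safe_input` in functions_io.php uses no modifier, so the two `safe_input` implementations now disagree on a tag whose attributes span a newline; the flags should be identical on both sides (the missing case-insensitivity is raised on the functions_io.php hunk). The capture `(.*?)` is never read, so `(?:.*?)` states the intent and avoids setting `$1` for nothing, and the unused capture is the only reason to keep parentheses at all. The following `s/(.)/$CHR2ENT{$1}||$1/ge` line presumably entity-encodes `<` and `>` already (`%CHR2ENT` is defined outside the hunk, so confirm), which means this line alters stored data rather than output safety and the sub's header documentation should now say that `safe_input` deletes script tags in addition to encoding. `safe_input` begins and ends outside the hunk.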
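Review bot: In the pandora_manage.pl hunk `$new_value` is passed through `safe_input` unconditionally, before the code has decided which agent field is being updated, so a value that is not free text (a number, an address, an id) is entity-encoded too, and a value the caller already encoded is encoded twice; `$new_value` is assigned outside the hunk, so I cannot tell whether it arrives raw from the command line. If the injection the commit title refers to is SQL, entity encoding is not a substitute for bound parameters in the database update that follows later in the sub, which is also outside the hunk. I would restrict the call to the free-text fields once the field name is known, e.g. `$new_value = safe_input($new_value) if $field eq '<free-text field>';`, and confirm that `safe_input` is actually imported into pandora_manage.pl (the import list is not in the hunk). `cli_agent_update` starts before the hunk and continues after it.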