2008-08-21 Evi Vanoost <vanooste@rcbi.rochester.edu>

* index.php: Update HTML for unclosed tags and put everything in PHP Updated the HTTPS detection. Made sure the password doesn't get passed to other scripts (like 'evil' plugins) * include/functions_html.php: Added print_input_password_extended() * general/main_menu.php: Removed old code and header * general/login_page.php: Tried putting it in functions_html code but that didn't work (rowspan), so I just ended up with a smaller file and the input boxes getting printed * general/header.php: Updated to use functions_html * general/footer.php: Updated header and develop_bypass for the query counter git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@1020 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2008-08-21 21:07:20 +00:00 · 2008-08-21 21:07:20 +00:00 · 39bc02f570
parent 81a61a3025
commit 39bc02f570
7 changed files with 180 additions and 170 deletions
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@ -1,3 +1,22 @@
+2008-08-21  Evi Vanoost <vanooste@rcbi.rochester.edu>
+
+	* index.php: Update HTML for unclosed tags and put everything in PHP
+	Updated the HTTPS detection. Made sure the password doesn't get
+	passed to other scripts (like 'evil' plugins)
+
+	* include/functions_html.php: Added print_input_password_extended()
+
+	* general/main_menu.php: Removed old code and header
+
+	* general/login_page.php: Tried putting it in functions_html code but
+	that didn't work (rowspan), so I just ended up with a smaller file and
+	the input boxes getting printed
+
+	* general/header.php: Updated to use functions_html
+
+	* general/footer.php: Updated header and develop_bypass for the query
+	counter
+

 2008-08-21  Sancho Lerena <slerena@gmail.com>

--- a/pandora_console/general/footer.php
+++ b/pandora_console/general/footer.php
@ -1,7 +1,6 @@
-<?PHP
-// Pandora FMS - the Free Monitoring System
-// ========================================
-// Copyright (c) 2008 Artica Soluciones Tecnológicas, http://www.artica.es
+<?php
+// Pandora FMS - the Flexible Monitoring System
+// =============================================
 // Please see http://pandora.sourceforge.net for full contribution list

 // This program is free software; you can redistribute it and/or
@ -13,19 +12,20 @@
 // GNU General Public License for more details.
 // You should have received a copy of the GNU General Public License
 // along with this program; if not, write to the Free Software
-// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
+// USA.

-global $config;
-
-echo "<center>";
-echo '<a class="white_bold" target="_new" href="general/license/pandora_info_'.$config["language"].'.html">
-Pandora FMS '.$pandora_version.' - Build '.$build_version.'<br>'.
-__('is a <b>OpenSource Software Project, licensed under GPL terms</b>').'</a><br>';
 if (isset($_SERVER['REQUEST_TIME'])) {
 	$time = $_SERVER['REQUEST_TIME'];
 } else {
 	$time = time();
 }
-	echo "<a class='white'>".__('Page generated at')." ".$LOCALE->fmt_time($time)." - Saved ".$LOCALE->fmt_number($sql_cache["saved"])." Queries</a><br>";
-echo "</center>";
+									
+echo '<a class="white_bold" target="_new" href="general/license/pandora_info_'.$config["language"].'.html">Pandora FMS '.$pandora_version.' - Build '.$build_version.'<br>'.
+__('is an OpenSource Software Project, licensed under GPL terms').'</a><br />
+<a class="white">'.__('Page generated at').' '.$LOCALE->fmt_time($time);
+if ($develop_bypass == 1) {
+	echo ' - Saved '.$LOCALE->fmt_number($sql_cache["saved"]).' Queries';
+}
+echo '</a><br>';
 ?>
--- a/pandora_console/general/header.php
+++ b/pandora_console/general/header.php
@ -15,60 +15,46 @@
 // along with this program; if not, write to the Free Software
 // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

-echo '
-<div id="head_r">
-	<span id="logo_text1">Pandora</span> <span id="logo_text2">FMS</span>
-</div>
-<div id="head_l">
-	<a href="index.php"><img src="images/pandora_logo_head.png" border="0" alt="logo"></a>
-</div>
+echo '<div id="head_r"><span id="logo_text1">Pandora</span> <span id="logo_text2">FMS</span></div>
+<div id="head_l"><a href="index.php"><img src="images/pandora_logo_head.png" border="0" alt="logo" /></a></div><div id="head_m">';

-';
-echo "<div id='head_m'>";
-
-echo "<table width=520 border='0' cellpadding=3>
-	<tr>";
-if (isset ($_SESSION["id_usuario"])){
-    // Fist column
-    echo "<td width=30%>";
-	if (dame_admin($_SESSION["id_usuario"])==1)
-		echo "<img src='images/user_suit.png' class='bot'> ";
-	else
-		echo "<img src='images/user_green.png' class='bot'> ";
-	echo "<a class='white'>".__('You are '). '
-	[<b>'. $_SESSION["id_usuario"]. '</b>]</a>';
+if(!isset ($_SESSION["id_usuario"])) {
+	echo "</div>";
+	return;
+}
+$table->width=520;
+$table->border=0;
+$table->cellpadding=3;
+$table->size=array("30%");
+$table->class="inherit";
+$table->rowclass=array("inherit","inherit");

+$table->data[] = array (
+			// First column
+    			'<img src="images/user_'.((dame_admin ($_SESSION["id_usuario"]) == 1) ? 'suit' : 'green' ).'.png" class="bot">'.'<a class="white">'.__('You are ').'[<b>'.$_SESSION["id_usuario"].'</b>]</a>',
 			// Second column 
-    echo "<td>";
-	echo "<a class='white_bold' href='index.php?sec=main'><img src='images/information.png' class='bot'> ". __('General information')."</a>";
-	
+			'<a class="white_bold" href="index.php?sec=main"><img src="images/information.png" class="bot">'.__('General information').'</a>',
 			// Third column 
-    echo "<td>";
 			// Autorefresh
-    if ((isset($_GET["refr"]) AND $_GET["refr"] != 0) OR (isset($_POST["refr"]) AND $_POST["refr"] != 0)) {
-        echo "<a class='white_grey_bold' href='".((substr($_SERVER['REQUEST_URI'],-1) != "/") ? $_SERVER['REQUEST_URI'] : "index.php?" )."&refr=0'><img src='images/page_lightning.png' class='bot'> ". __('Autorefresh')."</a>";
-    } else {
-        echo "<a class='white_bold' href='".((substr($_SERVER['REQUEST_URI'],-1) != "/") ? $_SERVER['REQUEST_URI'] : "index.php?" )."&refr=5'><img src='images/page_lightning.png' class='bot'> ". __('Autorefresh')."</a>";
-    }
+			((get_parameter ("refr") != 0) ?
+        			'<a class="white_grey_bold" href="'.((substr($_SERVER['REQUEST_URI'],-1) != "/") ? $_SERVER['REQUEST_URI'] : 'index.php?' ).'&refr=0"><img src="images/page_lightning.png" class="bot" />'. __('Autorefresh').'</a>'
+    			:
+        			'<a class="white_bold" href="'.((substr($_SERVER['REQUEST_URI'],-1) != "/") ? $_SERVER['REQUEST_URI'] : "index.php?" ).'&refr=5"><img src="images/page_lightning.png" class="bot" />'.__('Autorefresh').'</a>'
+    			)
+		);

-
-    echo "<tr><td>";
-    echo "<a class='white_bold' href='index.php?bye=bye'><img src='images/lock.png' class='bot'> ". __('Logout')."</a>";
-    
-    echo "<td>";
-    $server_status = check_server_status ();
-    if ($server_status == 0)
-        echo "<a class='white_bold' href='index.php?sec=estado_server&sec2=operation/servers/view_server&refr=60'><img src='images/error.png' class='bot'> ". __('Server status: DOWN')."</a>";
-    else
-        echo "<a class='white_bold' href='index.php?sec=estado_server&sec2=operation/servers/view_server&refr=60'><img src='images/ok.png' class='bot'> ". __('Sytem ready')."</a>";
-
-    echo "<td>";
+$table->data[] = array (
+			'<a class="white_bold" href="index.php?bye=bye"><img src="images/lock.png" class="bot">'. __('Logout').'</a>',
+			'<a class="white_bold" href="index.php?sec=estado_server&sec2=operation/servers/view_server&refr=60">'.
+    			((check_server_status () == 0) ?
+				'<img src="images/error.png" class="bot" />'.__('Server status: DOWN')
+			:
+        			'<img src="images/ok.png" class="bot" />'.__('System ready')
+			).'</a>',
    			// Event - refresh
-    echo "<a class='white_bold' href='index.php?sec=eventos&sec2=operation/events/events&refr=5'><img src='images/lightning_go.png' class='bot'> ". __('Events')."</a>";
-
-
-}
-echo "</tr></table>";
+			'<a class="white_bold" href="index.php?sec=eventos&sec2=operation/events/events&refr=5"><img src="images/lightning_go.png" class="bot" />'.__('Events').'</a>'
+		);
+print_table ($table);
 echo "</div>";

 ?>
--- a/pandora_console/general/login_page.php
+++ b/pandora_console/general/login_page.php
@ -19,54 +19,37 @@

 $addr = "";
 if (isset($_GET['sec'])){
-	$addr = 'http://' . $_SERVER['SERVER_NAME']; // TODO: check https
+	$addr = 'http' . (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == TRUE ? 's': '') . '://' . $_SERVER['SERVER_NAME'];
 	
-	if ($_SERVER['SERVER_PORT'] != 80)
-		$addr .= ":" . $_SERVER['SERVER_PORT'];
+	if ($_SERVER['SERVER_PORT'] != 80 && (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == TRUE && $_SERVER['SERVER_PORT'] != 443))
+		$query .= ":" . $_SERVER['SERVER_PORT'];
 	
 	$addr .= $_SERVER['REQUEST_URI'];
 	
 	$addr = urlencode($addr);
 }

-?>
-<div class='databox' id='login'>
-	<h1 id='log'><?php echo __('Welcome to Pandora FMS Web Console'); ?></h1>
-	<div class='databox' id='login_in'>
+echo '<div class="databox" id="login">
+	<h1 id="log">'.__('Welcome to Pandora FMS Web Console').'</h1>
+	<div class="databox" id="login_in">
 		<form method="post" action="index.php?login=1">
-		<table cellpadding='4' cellspacing='1' width='400'>
-		<tr><td rowspan='3' align='left' style="border-right: solid 1px #678;">
-			<a href="index.php">
-			<img src="images/pandora_logo.png" border="0" alt="logo"></a><br>
-			<?php 
-				echo $pandora_version;
-				if ($develop_bypass == 1){
-					echo " Build " . $build_version;
-				}
-			?>
-		<td rowspan='3' width='5'>
-		<td class='f9b'>
-			Login <br>
-			<input class="login" type="text" name="nick" id="nick" value="">
+		<table cellpadding="4" cellspacing="1" width="400">
+		<tr><td rowspan="3" align="left" style="border-right: solid 1px #678;">
+			<a href="index.php"><img src="images/pandora_logo.png" border="0" alt="logo"></a><br />
+			'.$pandora_version.(($develop_bypass == 1) ? ' '.__('Build').' '.$build_version : '').'
+		</td><td class="f9b">
+			'.__('Login').':<br />'.print_input_text_extended ("nick",'', "nick",'','','',false,'','class="login"',true).'
 		</td></tr>
-		<tr><td class='f9b'>
-			Password <br>
-			<input class="login" type="password" name="pass" value="">
+		<tr><td class="f9b">
+			'.__('Password').':<br />'.print_input_password_extended ("pass",'', "pass",'','','',false,'','class="login"',true).'
 		</td></tr>
-		<tr><td align='center'>
-			<input type="submit" class="sub next" value="Login">
+		<tr><td align="center">
+			'.print_submit_button ("Login",'',false,'class="sub next"',true).'
 		</td></tr>
 		</table>
-		
-		<?php if (strlen($addr) > 0) { ?>
-			<input type="hidden" name="redirect" value="<?php echo $addr; ?>">
-		<?php } ?>
+		'.((strlen($addr) > 0) ? print_input_hidden("redirect",$addr,true) : '').'
 		</form>
 	</div>
-	<div id="ip"><?php echo 'IP: <b class="f10">'.$REMOTE_ADDR.'</b>'; ?></div>
-
-</div>
-
-<script type="text/javascript">
-	document.getElementById('nick').focus();
-</script>
+	<div id="ip">IP: <b class="f10">'.$REMOTE_ADDR.'</b></div>
+	</div><script type="text/javascript">document.getElementById(\'nick\').focus();</script>';
+?>
--- a/pandora_console/general/main_menu.php
+++ b/pandora_console/general/main_menu.php
@ -1,35 +1,23 @@
 <?php
-// Pandora FMS - the Free monitoring system
-// ========================================
-// Copyright (c) 2004-2007 Sancho Lerena, slerena@openideas.info
-// Copyright (c) 2005-2007 Artica Soluciones Tecnologicas
-// Copyright (c) 2004-2007 Raul Mateos Martin, raulofpandora@gmail.com
-// Copyright (c) 2006-2007 Jose Navarro jose@jnavarro.net
-// Copyright (c) 2006-2007 Jonathan Barajas, jonathan.barajas[AT]gmail[DOT]com
-
+// Pandora FMS - the Flexible monitoring system
+// ============================================
+//
 // This program is free software; you can redistribute it and/or
 // modify it under the terms of the GNU General Public License
-// as published by the Free Software Foundation version 2
+// as published by the Free Software Foundation; version 2
 // This program is distributed in the hope that it will be useful,
 // but WITHOUT ANY WARRANTY; without even the implied warranty of
 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 // GNU General Public License for more details.
 // You should have received a copy of the GNU General Public License
 // along with this program; if not, write to the Free Software
-// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-
+// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
+// USA.
 require ("operation/menu.php");
 if (! isset ($_SESSION["id_usuario"])) {
-	echo '<div class="f10">' . __('You\'re not connected');
-	echo '<br /><br />';
-	echo '<form method="post" action="index.php?login=1">';
-	echo '<div class="f9b">Login</div><input class="login" type="text" name="nick">';
-	echo '<div class="f9b">Password</div><input class="login" type="password" name="pass">';
-	echo '<div><input name="login" type="submit" class="sub" value="' . __('Login') .'"></div>';
-	echo '<br />IP: <b class="f10">' . $REMOTE_ADDR . '</b><br /></div>';
-	
-} else {
+	require ("general/login_page.php");
+	exit();	
+}
 require ("godmode/menu.php");
 require ("links_menu.php");
-}
 ?>
--- a/pandora_console/include/functions_html.php
+++ b/pandora_console/include/functions_html.php
@ -152,6 +152,41 @@ function print_input_text_extended ($name, $value, $id, $alt, $size, $maxlength,
 	echo $output;
 }

+/**
+ * Render an input password element. Extended version
+ * See print_input_text_extended for all options 
+ */
+function print_input_password_extended ($name, $value, $id, $alt, $size, $maxlength, $disabled, $script, $attributes, $return = false) {
+        static $idcounter = 0;
+
+        ++$idcounter;
+        if (empty ($name)) {
+		$name = 'unnamed';
+	}
+	if (empty ($alt)) {
+		$alt = 'textfield';
+	}
+	if (!empty ($maxlength)) {
+		$maxlength = ' maxlength="'.$maxlength.'" ';
+	}
+	$output = '<input name="'.$name.'" type="password" value="'.$value.'" size="'.$size.'" '.$maxlength.' alt="'.$alt.'" ';
+	if ($id != '') {
+		$output .= ' id="'.$id.'"';
+	} else {
+		$htmlid = 'pass-'.sprintf ('%04d', $idcounter);
+		$output .= ' id="'.$htmlid.'"';
+	}
+	if ($disabled)
+		$output .= ' disabled';
+	if ($attributes != '')
+		$output .= ' '.$attributes;
+	$output .= ' />';
+	if ($return)
+		return $output;
+	echo $output;
+}
+
+
 /**
 * Render an input text element. 
 * 
--- a/pandora_console/index.php
+++ b/pandora_console/index.php
@ -65,12 +65,9 @@ require_once ("include/functions.php");
 require_once ("include/functions_db.php");
 //We should require this or you might end up with some empty strings
 load_extensions ($config['extensions']);
-?>

-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html>
-<head>
-<?php
+echo '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head>';
+
 // Pure mode (without menu, header and footer).
 $config["pure"] = get_parameter ("pure", 0);

@ -79,7 +76,7 @@ $intervalo = get_parameter ("refr", 0);
 if ($intervalo > 0){
 	// Agent selection filters and refresh
 	$query = 'http' . (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == TRUE ? 's': '') . '://' . $_SERVER['SERVER_NAME'];
-	if ($_SERVER['SERVER_PORT'] != 80)
+	if ($_SERVER['SERVER_PORT'] != 80 && (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == TRUE && $_SERVER['SERVER_PORT'] != 443))
 		$query .= ":" . $_SERVER['SERVER_PORT'];
 	
 	$query .= $_SERVER['SCRIPT_NAME'];
@ -95,8 +92,8 @@ if ($intervalo > 0){
 	}
 	if (isset ($_POST["ag_group"])) {
 		$ag_group = $_POST["ag_group"];
-		$query = 'http://' . $_SERVER['SERVER_NAME'];
-		if ($_SERVER['SERVER_PORT'] != 80)
+		$query = 'http' . (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == TRUE ? 's': '') . '://' . $_SERVER['SERVER_NAME'];
+		if ($_SERVER['SERVER_PORT'] != 80 && (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == TRUE && $_SERVER['SERVER_PORT'] != 443))
 			$query .= ":" . $_SERVER['SERVER_PORT'];
 		$query .= $_SERVER['REQUEST_URI'] . '&ag_group_refresh=' . $ag_group;
 	} else {
@ -104,8 +101,7 @@ if ($intervalo > 0){
 	}
 }

-?>
-<title>Pandora FMS - <?php echo __('the Flexible Monitoring System'); ?></title>
+echo '<title>Pandora FMS - '.__('the Flexible Monitoring System').'</title>
 <meta http-equiv="expires" content="0">
 <meta http-equiv="content-type" content="text/html; charset=utf-8">
 <meta name="resource-type" content="document">
@ -115,18 +111,18 @@ if ($intervalo > 0){
 <meta name="keywords" content="pandora, monitoring, system, GPL, software">
 <meta name="robots" content="index, follow">
 <link rel="icon" href="images/pandora.ico" type="image/ico">
-<link rel="stylesheet" href="include/styles/<?php echo $config['style']; ?>.css" type="text/css">
-
+<link rel="stylesheet" href="include/styles/'.$config["style"].'.css" type="text/css">
 <script type="text/javascript" src="include/javascript/wz_jsgraphics.js"></script>
 <script type="text/javascript" src="include/javascript/pandora.js"></script>
-</head>
+</head>';

-<?php
 // Show custom background
-if ($config["pure"] == 0)
+if ($config["pure"] == 0) {
 	echo '<body bgcolor="#555555">';
-else
+} else {
 	echo '<body bgcolor="#FFFFFF">';
+}
+
 $REMOTE_ADDR = $_SERVER['REMOTE_ADDR'];

 // Login process 
@ -153,32 +149,36 @@ if (! isset ($_SESSION['id_usuario']) && isset ($_GET["login"])) {
 			logon_db ($nick, $REMOTE_ADDR);
 			$_SESSION['id_usuario'] = $nick;
 			$config['id_user'] = $nick;
+			unset ($_GET['pass'], $pass);
 		} else {
 			// Login failed (bad password)
 			unset ($_GET["sec2"]);
-			include "general/logon_failed.php";
-			// change password to do not show all string
-			$primera = substr ($pass,0,1);
-			$ultima = substr ($pass, strlen ($pass) - 1, 1);
-			$pass = $primera . "****" . $ultima;
+			require "general/logon_failed.php";
+			// change password to do not show any string
+			// $primera = substr ($pass,0,1);
+			// $ultima = substr ($pass, strlen ($pass) - 1, 1);
+			// $pass = $primera . "****" . $ultima;
 			audit_db ($nick, $REMOTE_ADDR, "Logon Failed",
-				  "Incorrect password: " . $nick . " / " . $pass);
+				  "Incorrect password: " . $nick);
 			exit;
 		}
 	} else {
 		// User not known
 		unset ($_GET["sec2"]);
-		include "general/logon_failed.php";
-		$primera = substr ($pass, 0, 1);
-		$ultima = substr ($pass, strlen ($pass) - 1, 1);
-		$pass = $primera . "****" . $ultima;
+		require "general/logon_failed.php";
+		// do not show any password string. Unsafe especially with
+		// short passwords
+		//$primera = substr ($pass, 0, 1);
+		//$ultima = substr ($pass, strlen ($pass) - 1, 1);
+		//$pass = $primera . "****" . $ultima;
 		audit_db ($nick, $REMOTE_ADDR, "Logon Failed",
-			  "Invalid username: " . $nick . " / " . $pass);
+			  "Invalid username: " . $nick);
 		exit;
 	}
 } elseif (! isset ($_SESSION['id_usuario'])) {
 	// There is no user connected
 	include "general/login_page.php";
+	echo '</body></html>';
 	exit;
 } else {
 	// There is session for id_usuario
@ -198,8 +198,9 @@ if (isset ($_GET["sec2"])){
 	$sec2 = get_parameter_get ('sec2');
 	$sec2 = parameter_extra_clean ($sec2);
 	$page = $sec2;
-} else
+} else {
 	$sec2 = "";
+}

 if (isset ($_GET["sec"])){
 	$sec = get_parameter_get ('sec');
@ -215,12 +216,9 @@ session_write_close();

 // Header
 if ($config["pure"] == 0) {
-	echo '<div id="container">';
-	echo '<div id="head">';
+	echo '<div id="container"><div id="head">';
 	require ("general/header.php"); 
-	echo '</div>';
-	echo '<div id="page">';
-	echo '<div id="menu">';
+	echo '</div><div id="page"><div id="menu">';
 	require ("general/main_menu.php");
 	echo '</div>';
 } else {
@ -246,17 +244,18 @@ if ($page != "") {
 			}
 		}
 	} else {
-		echo "<br><b class='error'>".__('Sorry! I can\'t find the page!')."</b>";
+		echo '<br><b class="error">'.__('Sorry! I can\'t find the page!').'</b>';
 	}
-} else
+} else {
 	require ("general/logon_ok.php");  //default
+}

 if ($config["pure"] == 0) {    
 	echo '</div>'; // main
 	echo '<div style="clear:both"></div>';
-	echo '</div>'; // page
+	echo '</div>'; // page (id = page)
 } else {
-	echo "</div>";
+	echo "</div>"; // main_pure
 }

 if ($config["pure"] == 0) {