Improved code and fix xss vulnerability

José González 2021-05-27 14:55:01 +02:00
parent 9103f671e2
commit 3aee7e7c4d


@ -1,9 +1,8 @@
<?php <?php
/** /**
* Extension to manage a list of gateways and the node address where they should * Actual View script for Visual Consoles.
* point to.
* *
* @category Extensions * @category Operation
* @package Pandora FMS * @package Pandora FMS
* @subpackage Community * @subpackage Community
* @version 1.0.0 * @version 1.0.0
@ -27,6 +26,7 @@
* ============================================================================ * ============================================================================
*/ */
// Begin.
global $config; global $config;
// Login check. // Login check.
@ -93,14 +93,14 @@ try {
$visualConsoleData = $visualConsole->toArray(); $visualConsoleData = $visualConsole->toArray();
$groupId = $visualConsoleData['groupId']; $groupId = $visualConsoleData['groupId'];
$visualConsoleName = $visualConsoleData['name']; $visualConsoleName = io_safe_input(strip_tags(io_safe_output($visualConsoleData['name'])));
// ACL. // ACL.
$aclRead = check_acl_restricted_all($config['id_user'], $groupId, 'VR'); $aclRead = (bool) check_acl_restricted_all($config['id_user'], $groupId, 'VR');
$aclWrite = check_acl_restricted_all($config['id_user'], $groupId, 'VW'); $aclWrite = (bool) check_acl_restricted_all($config['id_user'], $groupId, 'VW');
$aclManage = check_acl_restricted_all($config['id_user'], $groupId, 'VM'); $aclManage = (bool) check_acl_restricted_all($config['id_user'], $groupId, 'VM');
if (!$aclRead && !$aclWrite && !$aclManage) { if ($aclRead === false && $aclWrite === false && $aclManage === false) {
db_pandora_audit( db_pandora_audit(
'ACL Violation', 'ACL Violation',
'Trying to access visual console without group access' 'Trying to access visual console without group access'
@ -121,9 +121,9 @@ $options['consoles_list']['text'] = '<a href="index.php?sec=network&sec2=godmode
] ]
).'</a>'; ).'</a>';
if ($aclWrite || $aclManage) { if ($aclWrite === true || $aclManage === true) {
$action = get_parameterBetweenListValues( $action = get_parameterBetweenListValues(
is_metaconsole() ? 'action2' : 'action', (is_metaconsole() === true) ? 'action2' : 'action',
[ [
'new', 'new',
'save', 'save',
@ -167,7 +167,7 @@ if ($aclWrite || $aclManage) {
] ]
).'</a>'; ).'</a>';
if (enterprise_installed()) { if (enterprise_installed() === true) {
$options['wizard_services']['text'] = '<a href="'.$baseUrl.'&tab=wizard_services&id_visual_console='.$visualConsoleId.'">'.html_print_image( $options['wizard_services']['text'] = '<a href="'.$baseUrl.'&tab=wizard_services&id_visual_console='.$visualConsoleId.'">'.html_print_image(
'images/wand_services.png', 'images/wand_services.png',
true, true,
@ -198,7 +198,7 @@ $options['view']['text'] = '<a href="index.php?sec=network&sec2=operation/visual
).'</a>'; ).'</a>';
$options['view']['active'] = true; $options['view']['active'] = true;
if (!is_metaconsole()) { if (is_metaconsole() === false) {
if (!$config['pure']) { if (!$config['pure']) {
$options['pure']['text'] = '<a href="index.php?sec=network&sec2=operation/visual_console/render_view&id='.$visualConsoleId.'&pure=1&refr='.$refr.'">'.html_print_image( $options['pure']['text'] = '<a href="index.php?sec=network&sec2=operation/visual_console/render_view&id='.$visualConsoleId.'&pure=1&refr='.$refr.'">'.html_print_image(
'images/full_screen.png', 'images/full_screen.png',
@ -368,7 +368,7 @@ if ($pure === false) {
echo '</div>'; echo '</div>';
echo '</div>'; echo '</div>';
if ($aclWrite || $aclManage) { if ($aclWrite === true || $aclManage === true) {
echo html_print_checkbox_switch('edit-mode', 1, false, true); echo html_print_checkbox_switch('edit-mode', 1, false, true);
} }
@ -394,7 +394,7 @@ if ($pure === true) {
// Quit fullscreen. // Quit fullscreen.
echo '<li class="nomn">'; echo '<li class="nomn">';
if (is_metaconsole()) { if (is_metaconsole() === true) {
$urlNoFull = 'index.php?sec=screen&sec2=screens/screens&action=visualmap&pure=0&id_visualmap='.$visualConsoleId.'&refr='.$refr; $urlNoFull = 'index.php?sec=screen&sec2=screens/screens&action=visualmap&pure=0&id_visualmap='.$visualConsoleId.'&refr='.$refr;
} else { } else {
$urlNoFull = 'index.php?sec=network&sec2=operation/visual_console/render_view&id='.$visualConsoleId.'&refr='.$refr; $urlNoFull = 'index.php?sec=network&sec2=operation/visual_console/render_view&id='.$visualConsoleId.'&refr='.$refr;
@ -407,7 +407,7 @@ if ($pure === true) {
// Countdown. // Countdown.
echo '<li class="nomn">'; echo '<li class="nomn">';
if (is_metaconsole()) { if (is_metaconsole() === true) {
echo '<div class="vc-refr-meta">'; echo '<div class="vc-refr-meta">';
} else { } else {
echo '<div class="vc-refr">'; echo '<div class="vc-refr">';
@ -432,11 +432,13 @@ if ($pure === true) {
// Console name. // Console name.
echo '<li class="nomn">'; echo '<li class="nomn">';
if (is_metaconsole()) {
echo '<div class="vc-title-meta">'.$visualConsoleName.'</div>'; html_print_div(
} else { [
echo '<div class="vc-title">'.$visualConsoleName.'</div>'; 'class' => (is_metaconsole() === true) ? 'vc-title-meta' : 'vc-title',
} 'content' => $visualConsoleName,
]
);
echo '</li>'; echo '</li>';
@ -465,7 +467,7 @@ if ($pure === true) {
// Check groups can access user. // Check groups can access user.
$aclUserGroups = []; $aclUserGroups = [];
if (!users_can_manage_group_all('AR')) { if (users_can_manage_group_all('AR') === false) {
$aclUserGroups = array_keys(users_get_groups(false, 'AR')); $aclUserGroups = array_keys(users_get_groups(false, 'AR'));
} }
@ -489,7 +491,7 @@ ui_require_css_file('form');
<script type="text/javascript"> <script type="text/javascript">
var container = document.getElementById("visual-console-container"); var container = document.getElementById("visual-console-container");
var props = <?php echo (string) $visualConsole; ?>; var props = <?php echo (string) $visualConsole; ?>;
var items = <?php echo '['.implode($visualConsoleItems, ',').']'; ?>; var items = <?php echo '['.implode(',', $visualConsoleItems).']'; ?>;
var baseUrl = "<?php echo ui_get_full_url('/', false, false, false); ?>"; var baseUrl = "<?php echo ui_get_full_url('/', false, false, false); ?>";
var controls = document.getElementById('vc-controls'); var controls = document.getElementById('vc-controls');
autoHideElement(controls, 1000); autoHideElement(controls, 1000);
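Review bot: The XSS fix on the `$visualConsoleName = io_safe_input(strip_tags(io_safe_output(...)))` line sanitises the value at read time, but `strip_tags()` only removes tags and the safety of the later `'content' => $visualConsoleName` depends on whether `html_print_div()` re-decodes or escapes `content`, which is not visible here; the robust pattern is to escape at the output point, e.g. `'content' => htmlspecialchars(io_safe_output($visualConsoleData['name']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and a comment such as `// Name is user-controlled: encoded here because html_print_div() emits content verbatim.` once that is confirmed. The same name presumably also reaches the page through `var props = <?php echo (string) $visualConsole; ?>;`, which the commit does not touch; if that stringification is `json_encode()`, it should carry `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` because the value is written into a JavaScript context, not an HTML one. As a point of style, `if (!$config['pure'])` is the one condition in these hunks left in the old form while its siblings were converted to `=== false`; if the truthiness check is deliberate (the flag may arrive as a string), a short comment saying so would stop the next reviewer "fixing" it.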