Merge branch 'ent-5436-Vulnerabilidad' into 'develop'

fix bug when saving netflow filters

See merge request artica/pandorafms!3064
Daniel Rodriguez 2020-02-21 13:27:34 +01:00
commit 4e403bca72
2 changed files with 5 additions and 5 deletions


@ -903,7 +903,7 @@ function netflow_get_command($filter)
* *
* @return string Command line argument string. * @return string Command line argument string.
*/ */
function netflow_get_filter_arguments($filter) function netflow_get_filter_arguments($filter, $safe_input=false)
{ {
// Advanced filter. // Advanced filter.
$filter_args = ''; $filter_args = '';
@ -1015,7 +1015,7 @@ function netflow_get_filter_arguments($filter)
} }
if ($filter_args != '') { if ($filter_args != '') {
$filter_args = escapeshellarg($filter_args); $filter_args = ($safe_input === true) ? io_safe_input(escapeshellarg($filter_args)) : escapeshellarg($filter_args);
} }
return $filter_args; return $filter_args;
@ -1673,7 +1673,7 @@ function netflow_get_top_data(
// Get the command to call nfdump. // Get the command to call nfdump.
$agg_command = sprintf( $agg_command = sprintf(
'%s -q -o csv -n %s -s %s/bytes -t %s-%s', '%s -q -o csv -n %s -s %s/bytes -t %s-%s',
netflow_get_command($filter), io_safe_output(netflow_get_command($filter)),
$max, $max,
$aggregate, $aggregate,
date($nfdump_date_format, $start_date), date($nfdump_date_format, $start_date),
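Review bot: In the `netflow_get_top_data` hunk, `io_safe_output(netflow_get_command($filter))` decodes the whole command string after `escapeshellarg()` has already quoted the filter arguments, so the decode runs on text that is about to reach the shell. If `io_safe_output()` turns HTML entities back into characters (its body is not shown here), an entity-encoded quote inside the user-supplied filter would become a real quote after quoting was applied, which would undo the escaping done in `netflow_get_filter_arguments`. Escaping should be the last transformation: when `$safe_input` is true, store the unescaped text with `io_safe_input($filter_args)`, and have the command builder apply `escapeshellarg(io_safe_output($filter['filter_args']))` to the stored value. Both functions continue outside these hunks and other callers of `netflow_get_command` are not visible, so they need the same check; the new `$safe_input` parameter also has no `@param` line in the docblock.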


@ -154,7 +154,7 @@ if (!is_metaconsole()) {
// Save user defined filter. // Save user defined filter.
if ($save != '' && check_acl($config['id_user'], 0, 'AW')) { if ($save != '' && check_acl($config['id_user'], 0, 'AW')) {
// Save filter args. // Save filter args.
$filter['filter_args'] = netflow_get_filter_arguments($filter); $filter['filter_args'] = netflow_get_filter_arguments($filter, true);
$filter_id = db_process_sql_insert('tnetflow_filter', $filter); $filter_id = db_process_sql_insert('tnetflow_filter', $filter);
if ($filter_id === false) { if ($filter_id === false) {
@ -171,7 +171,7 @@ if ($save != '' && check_acl($config['id_user'], 0, 'AW')) {
unset($filter_copy['id_group']); unset($filter_copy['id_group']);
// Save filter args. // Save filter args.
$filter_copy['filter_args'] = netflow_get_filter_arguments($filter_copy); $filter_copy['filter_args'] = netflow_get_filter_arguments($filter_copy, true);
$result = db_process_sql_update( $result = db_process_sql_update(
'tnetflow_filter', 'tnetflow_filter',