From 3f09d13941d4e565862fd68585a3603164d51d09 Mon Sep 17 00:00:00 2001 From: manuel Date: Tue, 24 Dec 2019 10:25:32 +0100 Subject: [PATCH 1/5] Fixed visual bug in grouped report item --- .../godmode/reporting/reporting_builder.item_editor.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pandora_console/godmode/reporting/reporting_builder.item_editor.php b/pandora_console/godmode/reporting/reporting_builder.item_editor.php index 98ee756b7b..3e216679d6 100755 --- a/pandora_console/godmode/reporting/reporting_builder.item_editor.php +++ b/pandora_console/godmode/reporting/reporting_builder.item_editor.php @@ -3318,7 +3318,7 @@ function print_General_list($width, $action, $idItem=null, $type='general') case 'new': ?> - + From 3d0b71d953352569560ae2c318ae50d0c360a7c6 Mon Sep 17 00:00:00 2001 From: Luis Calvo Date: Tue, 21 Jan 2020 11:05:49 +0100 Subject: [PATCH 2/5] Added enconding to POST variables --- pandora_console/extensions/realtime_graphs/ajax.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pandora_console/extensions/realtime_graphs/ajax.php b/pandora_console/extensions/realtime_graphs/ajax.php index 73d3c20748..dea94a5753 100644 --- a/pandora_console/extensions/realtime_graphs/ajax.php +++ b/pandora_console/extensions/realtime_graphs/ajax.php @@ -109,6 +109,6 @@ if (empty($data)) { } echo '{ - "label": "'.$graph_title.'", - "data": [["'.time().'", '.$data.']] + "label": "'.htmlspecialchars($graph_title, ENT_QUOTES).'", + "data": [["'.time().'", '.htmlspecialchars($data, ENT_QUOTES).']] }'; From ca35bb64cc9143fa2c142afa5c0704fd7e44bbde Mon Sep 17 00:00:00 2001 From: Luis Calvo Date: Wed, 22 Jan 2020 10:17:35 +0100 Subject: [PATCH 3/5] Prepend folder to image to avoid Phar injection --- pandora_console/include/graphs/fgraph.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pandora_console/include/graphs/fgraph.php b/pandora_console/include/graphs/fgraph.php index 40c79bbf51..11f4db2f43 100644 
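Review bot: `htmlspecialchars()` is HTML encoding, but in this hunk of `realtime_graphs/ajax.php` both values are written into a hand-built JSON document, so the actual output context is still unhandled. A backslash or newline in `$graph_title` yields invalid JSON, and `$data` sits unquoted where a number is expected, so any non-numeric value breaks the structure (its type is not visible in this hunk). Assuming `$data` is a single number, building the response with the encoder keeps the same shape and escapes for JSON: `echo json_encode(['label' => $graph_title, 'data' => [[(string) time(), (float) $data]]], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);`. HTML escaping then belongs where the client inserts the label into the page, which is outside this diff.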
--- a/pandora_console/include/graphs/fgraph.php +++ b/pandora_console/include/graphs/fgraph.php @@ -57,6 +57,9 @@ switch ($graph_type) { $out_of_lim_str = io_safe_output(get_parameter('out_of_lim_str', false)); $out_of_lim_image = get_parameter('out_of_lim_image', false); + // Add relative path to avoid phar object injection. + $out_of_lim_image = '../graphs/'.$out_of_lim_image; + $title = get_parameter('title'); $mode = get_parameter('mode', 1); From 32b28bea0c7c708ed60c2d6bf9034ccb1a0a0173 Mon Sep 17 00:00:00 2001 From: Daniel Maya Date: Wed, 22 Jan 2020 11:10:02 +0100 Subject: [PATCH 4/5] Added warning in update manager offline --- .../update_manager/update_manager.offline.php | 11 +++- .../include/javascript/update_manager.js | 50 +++++++++++++++++-- 2 files changed, 57 insertions(+), 4 deletions(-) diff --git a/pandora_console/godmode/update_manager/update_manager.offline.php b/pandora_console/godmode/update_manager/update_manager.offline.php index 8eff08d996..8fb4447772 100644 --- a/pandora_console/godmode/update_manager/update_manager.offline.php +++ b/pandora_console/godmode/update_manager/update_manager.offline.php @@ -46,6 +46,13 @@ if (! check_acl($config['id_user'], 0, 'PM') $baseurl = ui_get_full_url(false, false, false, false); +$current_package = db_get_value( + 'value', + 'tconfig', + 'token', + 'current_package_enterprise' +); + ?> var text1_package_file = "\n"; var text2_package_file = "\n"; + var text1_warning = "\n"; + var text2_warning = "\n"; var applying_mr = "\n"; var cancel_button = "\n"; var ok_button = "\n"; @@ -109,5 +118,5 @@ is not working on the metaconsole and there is no time to fix it --> diff --git a/pandora_console/include/javascript/update_manager.js b/pandora_console/include/javascript/update_manager.js index 0cc385fb95..6f0aeda5c6 100644 --- a/pandora_console/include/javascript/update_manager.js +++ b/pandora_console/include/javascript/update_manager.js 
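Review bot: Prefixing `'../graphs/'` to `$out_of_lim_image` takes any stream-wrapper scheme off the front of the value, but the request parameter is still used unvalidated, so `../` segments in it can still resolve outside the graphs directory. The prefix is also applied when the parameter is absent, turning the `false` default into the non-empty string `'../graphs/'`, which a later emptiness test would no longer catch (those uses, and the rest of the `switch ($graph_type)` body, are outside the hunk). If only plain file names are expected, validate before prefixing: `$out_of_lim_image = (is_string($out_of_lim_image) && $out_of_lim_image !== '' && basename($out_of_lim_image) === $out_of_lim_image) ? '../graphs/'.$out_of_lim_image : false;`. If sub-directories must be allowed, resolve with `realpath()` and check that the result stays under the intended directory.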
@@ -4,7 +4,7 @@ var correct_install_progress = true; -function form_upload(homeurl) { +function form_upload(homeurl, current_package) { var home_url = typeof homeurl !== "undefined" ? homeurl + "/" : ""; //Thanks to: http://tutorialzine.com/2013/05/mini-ajax-file-upload-form/ @@ -164,7 +164,7 @@ function form_upload(homeurl) { .change(); // Begin the installation - install_package(res.package, homeurl); + install_package(res.package, homeurl, current_package); }); } else { // Something has gone wrong! @@ -214,7 +214,7 @@ function formatFileSize(bytes) { return (bytes / 1000).toFixed(2) + " KB"; } -function install_package(package, homeurl) { +function install_package(package, homeurl, current_package) { var home_url = typeof homeurl !== "undefined" ? homeurl + "/" : ""; $( @@ -1235,6 +1235,50 @@ function install_package(package, homeurl) { $("#pkg_apply_dialog").html(dialog_text); $("#pkg_apply_dialog").dialog("open"); + + const number_update = package.match(/package_(\d+).oum/); + + if (number_update === null || number_update[1] != current_package - 0 + 1) { + $( + "
" + ).dialog({ + resizable: true, + draggable: true, + modal: true, + overlay: { + opacity: 0.5, + background: "black" + }, + width: 600, + height: 250, + buttons: [ + { + text: ok_button, + click: function() { + $(this).dialog("close"); + } + } + ] + }); + + var dialog_warning = "
"; + dialog_warning = + dialog_warning + + "

" + + text1_warning + + "

"; + dialog_warning = dialog_warning + "

" + text2_warning + "

"; + dialog_warning = + dialog_warning + + "
"; + dialog_warning = dialog_warning + "
"; + + $("#warning_pkg").html(dialog_warning); + } } function check_install_package(package, homeurl) { From 18a3a747bd71dc3e45980b028f5072718e51fb2f Mon Sep 17 00:00:00 2001 From: marcos Date: Wed, 22 Jan 2020 12:24:15 +0100 Subject: [PATCH 5/5] add wiki url alerts correlation --- pandora_console/include/functions.php | 39 +++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php index 3be9676a28..89c53802b4 100644 --- a/pandora_console/include/functions.php +++ b/pandora_console/include/functions.php @@ -5480,6 +5480,45 @@ function get_help_info($section_name) } else { $result .= 'Discovery&printable=yes'; } + + case 'alert_configure': + if ($es) { + $result .= 'Alerts#Correlation_alert_creation'; + } else { + $result .= 'Alerts#Correlation_alert_creation'; + } + break; + + case 'alert_correlation': + if ($es) { + $result .= 'Alerts#Alert_correlation:_event_and_log_alerts'; + } else { + $result .= 'Alerts#Alert_correlation:_event_and_log_alerts'; + } + break; + + case 'alert_rules': + if ($es) { + $result .= 'Alerts#Rules_within_a_correlation_alert'; + } else { + $result .= 'Alerts#Rules_within_a_correlation_alert'; + } + break; + + case 'alert_fields': + if ($es) { + $result .= 'Alerts#Step_3:_Advanced_fields'; + } else { + $result .= 'Alerts#Step_3:_Advanced_fields'; + } + break; + + case 'alert_triggering': + if ($es) { + $result .= 'Alerts#Configuring_an_alert_template'; + } else { + $result .= 'Alerts#Configuring_an_alert_template'; + } break; }