2010-11-02 Sergio Martin <sergio.martin@artica.es>
* lib/PandoraFMS/DB.pm lib/PandoraFMS/Core.pm lib/PandoraFMS/ReconServer.pm lib/PandoraFMS/DataServer.pm lib/PandoraFMS/Tools.pm: Fixed insert db operations in server to store the html entities. This improves the fix for bug 3096436 git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@3499 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
This commit is contained in:
parent
0c2876b7a6
commit
7fb0138400
|
@ -1,3 +1,13 @@
|
|||
2010-11-02 Sergio Martin <sergio.martin@artica.es>
|
||||
|
||||
* lib/PandoraFMS/DB.pm
|
||||
lib/PandoraFMS/Core.pm
|
||||
lib/PandoraFMS/ReconServer.pm
|
||||
lib/PandoraFMS/DataServer.pm
|
||||
lib/PandoraFMS/Tools.pm: Fixed insert db operations
|
||||
in server to store the html entities. This improves
|
||||
fix bug 3096436
|
||||
|
||||
2010-11-02 Sergio Martin <sergio.martin@artica.es>
|
||||
|
||||
* util/recon_scripts/snmpdevices.pl: Fixed a missed typo
|
||||
|
|
|
@ -1090,7 +1090,7 @@ sub pandora_create_module ($$$$$$$$$$) {
|
|||
$post_process = 0 if ($post_process eq '');
|
||||
|
||||
my $module_id = db_insert($dbh, 'INSERT INTO tagente_modulo (`id_agente`, `id_tipo_modulo`, `nombre`, `max`, `min`, `post_process`, `descripcion`, `module_interval`, `id_modulo`)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?, 1)', $agent_id, $module_type_id, $module_name, $max, $min, $post_process, $description, $interval);
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?, 1)', $agent_id, $module_type_id, safe_input($module_name), $max, $min, $post_process, $description, $interval);
|
||||
db_do ($dbh, 'INSERT INTO tagente_estado (`id_agente_modulo`, `id_agente`, `last_try`) VALUES (?, ?, \'0000-00-00 00:00:00\')', $module_id, $agent_id);
|
||||
return $module_id;
|
||||
}
|
||||
|
@ -1134,12 +1134,12 @@ sub pandora_create_agent ($$$$$$$$$$;$$$$$) {
|
|||
# Test if the optional positional parameters are defined or GIS is disabled
|
||||
if (!defined ($timezone_offset) ) {
|
||||
$agent_id = db_insert ($dbh, 'INSERT INTO tagente (`nombre`, `direccion`, `comentarios`, `id_grupo`, `id_os`, `server_name`, `intervalo`, `id_parent`, `modo`)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?, 1)', $agent_name, $address, $description, $group_id, $os_id, $server_name, $interval, $parent_id);
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?, 1)', safe_input($agent_name), $address, $description, $group_id, $os_id, safe_input($server_name), $interval, $parent_id);
|
||||
}
|
||||
else {
|
||||
$agent_id = db_insert ($dbh, 'INSERT INTO tagente (`nombre`, `direccion`, `comentarios`, `id_grupo`, `id_os`, `server_name`, `intervalo`, `id_parent`,
|
||||
`timezone_offset`, `modo` ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, 1)', $agent_name, $address,
|
||||
$description, $group_id, $os_id, $server_name, $interval, $parent_id, $timezone_offset);
|
||||
`timezone_offset`, `modo` ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, 1)', safe_input($agent_name), $address,
|
||||
$description, $group_id, $os_id, safe_input($server_name), $interval, $parent_id, $timezone_offset);
|
||||
}
|
||||
if (defined ($longitude) && defined ($latitude ) && $pa_config->{'activate_gis'} == 1 ) {
|
||||
if (!defined($altitude)) {
|
||||
|
|
|
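Review bot: pandora_create_module now entity-encodes `$module_name` in its INSERT but still stores `$description` raw, and pandora_create_agent does the same for `safe_input($agent_name)` / `safe_input($server_name)` while leaving `$description` and `$address` untouched; create_network_profile_modules in ReconServer.pm (`safe_input($component->{'name'})` with `$component->{'description'}` raw) follows the same split. If the intent is that only name columns are entity-encoded, a comment above each INSERT saying so would stop the next reader from treating the raw description as an oversight; if descriptions are meant to match what the console stores, they need the same treatment. Note also that safe_input (Tools.pm hunk on this page) is built on encode_entities, which re-encodes `&` on every pass, so these helpers must receive raw names — worth stating on pandora_create_module, e.g. `# $module_name must be raw: it is entity-encoded here, callers must not pre-encode it`. Both functions begin outside their hunks.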
@ -20,6 +20,7 @@ package PandoraFMS::DB;
|
|||
use strict;
|
||||
use warnings;
|
||||
use DBI;
|
||||
use PandoraFMS::Tools;
|
||||
|
||||
require Exporter;
|
||||
|
||||
|
@ -101,7 +102,7 @@ sub get_action_id ($$) {
|
|||
sub get_agent_id ($$) {
|
||||
my ($dbh, $agent_name) = @_;
|
||||
|
||||
my $rc = get_db_value ($dbh, "SELECT id_agente FROM tagente WHERE nombre = ? OR direccion = ?", $agent_name, $agent_name);
|
||||
my $rc = get_db_value ($dbh, "SELECT id_agente FROM tagente WHERE nombre = ? OR direccion = ?", safe_input($agent_name), $agent_name);
|
||||
return defined ($rc) ? $rc : -1;
|
||||
}
|
||||
|
||||
|
@ -113,7 +114,7 @@ sub get_server_id ($$$) {
|
|||
|
||||
my $rc = get_db_value ($dbh, "SELECT id_server FROM tserver
|
||||
WHERE name = ? AND server_type = ?",
|
||||
$server_name, $server_type);
|
||||
safe_input($server_name), $server_type);
|
||||
return defined ($rc) ? $rc : -1;
|
||||
}
|
||||
|
||||
|
@ -123,7 +124,7 @@ sub get_server_id ($$$) {
|
|||
sub get_group_id ($$) {
|
||||
my ($dbh, $group_name) = @_;
|
||||
|
||||
my $rc = get_db_value ($dbh, "SELECT id_grupo FROM tgrupo WHERE nombre = ?", $group_name);
|
||||
my $rc = get_db_value ($dbh, "SELECT id_grupo FROM tgrupo WHERE nombre = ?", safe_input($group_name));
|
||||
return defined ($rc) ? $rc : -1;
|
||||
}
|
||||
|
||||
|
@ -163,7 +164,7 @@ sub get_module_name ($$) {
|
|||
sub get_agent_module_id ($$$) {
|
||||
my ($dbh, $module_name, $agent_id) = @_;
|
||||
|
||||
my $rc = get_db_value ($dbh, "SELECT id_agente_modulo FROM tagente_modulo WHERE nombre = ? AND id_agente = ?", $module_name, $agent_id);
|
||||
my $rc = get_db_value ($dbh, "SELECT id_agente_modulo FROM tagente_modulo WHERE nombre = ? AND id_agente = ?", safe_input($module_name), $agent_id);
|
||||
return defined ($rc) ? $rc : -1;
|
||||
}
|
||||
|
||||
|
@ -173,7 +174,7 @@ sub get_agent_module_id ($$$) {
|
|||
sub get_template_id ($$) {
|
||||
my ($dbh, $template_name) = @_;
|
||||
|
||||
my $rc = get_db_value ($dbh, "SELECT id FROM talert_templates WHERE name = ?", $template_name);
|
||||
my $rc = get_db_value ($dbh, "SELECT id FROM talert_templates WHERE name = ?", safe_input($template_name));
|
||||
return defined ($rc) ? $rc : -1;
|
||||
}
|
||||
|
||||
|
@ -202,7 +203,7 @@ sub is_group_disabled ($$) {
|
|||
sub get_module_id ($$) {
|
||||
my ($dbh, $module_name) = @_;
|
||||
|
||||
my $rc = get_db_value ($dbh, "SELECT id_tipo FROM ttipo_modulo WHERE nombre = ?", $module_name);
|
||||
my $rc = get_db_value ($dbh, "SELECT id_tipo FROM ttipo_modulo WHERE nombre = ?", safe_input($module_name));
|
||||
return defined ($rc) ? $rc : -1;
|
||||
}
|
||||
|
||||
|
@ -212,7 +213,7 @@ sub get_module_id ($$) {
|
|||
sub get_plugin_id ($$) {
|
||||
my ($dbh, $plugin_name) = @_;
|
||||
|
||||
my $rc = get_db_value ($dbh, "SELECT id FROM tplugin WHERE name = ?", $plugin_name);
|
||||
my $rc = get_db_value ($dbh, "SELECT id FROM tplugin WHERE name = ?", safe_input($plugin_name));
|
||||
return defined ($rc) ? $rc : -1;
|
||||
}
|
||||
|
||||
|
@ -226,7 +227,7 @@ sub get_module_group_id ($$) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
my $rc = get_db_value ($dbh, "SELECT id_mg FROM tmodule_group WHERE name = ?", $module_group_name);
|
||||
my $rc = get_db_value ($dbh, "SELECT id_mg FROM tmodule_group WHERE name = ?", safe_input($module_group_name));
|
||||
return defined ($rc) ? $rc : -1;
|
||||
}
|
||||
|
||||
|
@ -245,7 +246,7 @@ sub get_nc_profile_name ($$) {
|
|||
sub get_profile_id ($$) {
|
||||
my ($dbh, $profile_name) = @_;
|
||||
|
||||
my $rc = get_db_value ($dbh, "SELECT id_perfil FROM tperfil WHERE name = ?", $profile_name);
|
||||
my $rc = get_db_value ($dbh, "SELECT id_perfil FROM tperfil WHERE name = ?", safe_input($profile_name));
|
||||
return defined ($rc) ? $rc : -1;
|
||||
}
|
||||
|
||||
|
|
|
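Review bot: get_agent_id passes the same argument with two encodings — `safe_input($agent_name)` for `nombre` and the raw `$agent_name` for `direccion` — and nothing explains the asymmetry. It appears deliberate, since pandora_create_agent in Core.pm stores `$address` unencoded while encoding the name, but a later reader is likely to "fix" it; a comment above the query such as `# nombre is stored entity-encoded (safe_input); direccion is stored raw` would pin the contract. The same encoded-lookup contract now applies to every id lookup changed in this file (get_server_id through get_profile_id), so a single note near the new `use PandoraFMS::Tools;` line explaining that name columns are compared in their safe_input form would serve all of them.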
@ -403,7 +403,7 @@ sub process_module_data ($$$$$$$$$) {
|
|||
$dbh) = @_;
|
||||
|
||||
# Get agent data
|
||||
my $agent = get_db_single_row ($dbh, 'SELECT * FROM tagente WHERE nombre = ?', $agent_name);
|
||||
my $agent = get_db_single_row ($dbh, 'SELECT * FROM tagente WHERE nombre = ?', safe_input($agent_name));
|
||||
if (! defined ($agent)) {
|
||||
logger($pa_config, "Invalid agent '$agent_name' for module '$module_name'.", 3);
|
||||
return;
|
||||
|
@ -425,7 +425,7 @@ sub process_module_data ($$$$$$$$$) {
|
|||
|
||||
# Get module data or create it if it does not exist
|
||||
$ModuleSem->down ();
|
||||
my $module = get_db_single_row ($dbh, 'SELECT * FROM tagente_modulo WHERE id_agente = ? AND nombre = ?', $agent->{'id_agente'}, $module_name);
|
||||
my $module = get_db_single_row ($dbh, 'SELECT * FROM tagente_modulo WHERE id_agente = ? AND nombre = ?', $agent->{'id_agente'}, safe_input($module_name));
|
||||
if (! defined ($module)) {
|
||||
# Do not auto create modules
|
||||
if ($pa_config->{'autocreate'} ne '1') {
|
||||
|
@ -453,7 +453,7 @@ sub process_module_data ($$$$$$$$$) {
|
|||
pandora_create_module ($pa_config, $agent->{'id_agente'}, $module_id, $module_name,
|
||||
$module_conf->{'max'}, $module_conf->{'min'}, $module_conf->{'post_process'},
|
||||
$module_conf->{'descripcion'}, $module_conf->{'module_interval'}, $dbh);
|
||||
$module = get_db_single_row ($dbh, 'SELECT * FROM tagente_modulo WHERE id_agente = ? AND nombre = ?', $agent->{'id_agente'}, $module_name);
|
||||
$module = get_db_single_row ($dbh, 'SELECT * FROM tagente_modulo WHERE id_agente = ? AND nombre = ?', $agent->{'id_agente'}, safe_input($module_name));
|
||||
if (! defined ($module)) {
|
||||
logger($pa_config, "Could not create module '$module_name' for agent '$agent_name'.", 3);
|
||||
$ModuleSem->up ();
|
||||
|
|
|
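Review bot: the module lookup `... WHERE id_agente = ? AND nombre = ?` now compares against `safe_input($module_name)`, but rows inserted before this change hold the un-encoded name, so on an upgraded database any agent or module whose name contains a character safe_input rewrites (`&`, `<`, `>`, quotes, parentheses, among others) will presumably no longer be found. In process_module_data that miss is not benign: when `$pa_config->{'autocreate'}` is `'1'` the code falls through to pandora_create_module and creates a second module under the encoded name. Unless a migration converts the existing `nombre` values, this deserves a line in the ChangeLog and the upgrade notes. The function begins and ends outside these hunks.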
@ -377,7 +377,7 @@ sub create_network_profile_modules {
|
|||
# Create the module
|
||||
my $module_id = db_insert ($dbh, 'INSERT INTO tagente_modulo (id_agente, id_tipo_modulo, descripcion, nombre, max, min, module_interval, tcp_port, tcp_send, tcp_rcv, snmp_community, snmp_oid, ip_target, id_module_group, flag, disabled, plugin_user, plugin_pass, plugin_parameter, max_timeout, id_modulo )
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 1, 0, ?, ?, ?, ?, ?)',
|
||||
$agent_id, $component->{'type'}, $component->{'description'}, $component->{'name'}, $component->{'max'}, $component->{'min'}, $component->{'module_interval'}, $component->{'tcp_port'}, $component->{'tcp_send'}, $component->{'tcp_rcv'}, $component->{'snmp_community'},
|
||||
$agent_id, $component->{'type'}, $component->{'description'}, safe_input($component->{'name'}), $component->{'max'}, $component->{'min'}, $component->{'module_interval'}, $component->{'tcp_port'}, $component->{'tcp_send'}, $component->{'tcp_rcv'}, $component->{'snmp_community'},
|
||||
$component->{'snmp_oid'}, $addr, $component->{'id_module_group'}, $component->{'plugin_user'}, $component->{'plugin_pass'}, $component->{'plugin_parameter'}, $component->{'max_timeout'}, $component->{'id_modulo'});
|
||||
|
||||
# An entry in tagente_estado is necessary for the module to work
|
||||
|
|
|
@ -59,6 +59,8 @@ our @EXPORT = qw(
|
|||
pandora_ping
|
||||
pandora_ping_latency
|
||||
ticks_totime
|
||||
safe_input
|
||||
safe_output
|
||||
);
|
||||
|
||||
##########################################################################
|
||||
|
@ -77,6 +79,81 @@ sub pandora_trash_ascii {
|
|||
return $output
|
||||
}
|
||||
|
||||
##########################################################################
|
||||
## Convert the $value encode in html entity to clear char string.
|
||||
##########################################################################
|
||||
sub safe_input($) {
|
||||
my $value = shift;
|
||||
|
||||
$value = encode_entities ($value);
|
||||
|
||||
#//Replace the character '\' for the equivalent html entitie
|
||||
$value =~ s/\\/\/gi;
|
||||
|
||||
#// First attempt to avoid SQL Injection based on SQL comments
|
||||
#// Specific for MySQL.
|
||||
$value =~ s/\/\*//*/gi;
|
||||
$value =~ s/\*\//*//gi;
|
||||
|
||||
#//Replace ( for the html entitie
|
||||
$value =~ s/\(/(/gi;
|
||||
|
||||
#//Replace ( for the html entitie
|
||||
$value =~ s/\)/)/gi;
|
||||
|
||||
#//Replace some characteres for html entities
|
||||
for (my $i=0;$i<33;$i++) {
|
||||
my $pattern = chr($i);
|
||||
my $hex = ascii_to_html($i);
|
||||
$value =~ s/$pattern/$hex/gi;
|
||||
}
|
||||
|
||||
return $value;
|
||||
}
|
||||
|
||||
##########################################################################
|
||||
## Convert the html entities to value encode to rebuild char string.
|
||||
##########################################################################
|
||||
sub safe_output($) {
|
||||
my $value = shift;
|
||||
|
||||
$value = decode_entities ($value);
|
||||
|
||||
#//Replace the character '\' for the equivalent html entitie
|
||||
$value =~ s/\/\\/gi;
|
||||
|
||||
#// First attempt to avoid SQL Injection based on SQL comments
|
||||
#// Specific for MySQL.
|
||||
$value =~ s//*/\/\*/gi;
|
||||
$value =~ s/*//\*\//gi;
|
||||
|
||||
#//Replace ( for the html entitie
|
||||
$value =~ s/(/\(/gi;
|
||||
|
||||
#//Replace ( for the html entitie
|
||||
$value =~ s/)/\)/gi;
|
||||
|
||||
#//Replace some characteres for html entities
|
||||
for (my $i=0;$i<33;$i++) {
|
||||
my $pattern = chr($i);
|
||||
my $hex = ascii_to_html($i);
|
||||
$value =~ s/$hex/$pattern/gi;
|
||||
}
|
||||
|
||||
return $value;
|
||||
}
|
||||
|
||||
##########################################################################
|
||||
# SUB ascii_to_html (string)
|
||||
# Convert an ascii string to hexadecimal
|
||||
##########################################################################
|
||||
|
||||
sub ascii_to_html($) {
|
||||
my $ascii = shift;
|
||||
|
||||
return "&#x".substr(unpack("H*", pack("N", $ascii)),6,3).";";
|
||||
}
|
||||
|
||||
|
||||
##########################################################################
|
||||
# SUB pandora_get_os (string)
|
||||
|
|
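Review bot: the comment `#// First attempt to avoid SQL Injection based on SQL comments` in safe_input mis-states what the function is for: every call site on this page already binds values through `?` placeholders, which is what prevents injection, and rewriting `/*` and `*/` into numeric entities is a storage-encoding choice, not an injection defence. Suggest rewording to `# Encode the MySQL comment delimiters too, so stored names match what the console writes` so the encoding is not mistaken for a security control that could later justify dropping placeholders elsewhere. Separately, in safe_output the hand-written reversals that follow `$value = decode_entities ($value);` look unreachable, because decode_entities already resolves numeric character references (the `&#NN;` forms for `\`, `/`, `*`, `(`, `)` and the `&#xNN;` forms produced by ascii_to_html) — confirm against the raw source, since this rendering appears to have decoded the entity text inside the `s///` patterns, which is why they read as identity substitutions. Two smaller points: the `($)` prototypes on safe_input/safe_output/ascii_to_html only change parsing and give no argument checking, and the loop `for (my $i=0;$i<33;$i++)` interpolates `chr($i)` unescaped into a pattern, where `\Q$pattern\E` is the safe idiom and the `/i` flag is meaningless for single control characters.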