[Console] Fixed a vulnerability into the 'fgraph.php' script

pandora_console/godmode/reporting/visual_console_builder.editor.js

@@ -32,8 +32,6 @@ var SIZE_GRID = 16; //Const the size (for width and height) of grid.
 var img_handler_start;
 var img_handler_end;
 
-var font;
-
 function toggle_advance_options_palette(close) {
 	if ($("#advance_options").css('display') == 'none') {
 		$("#advance_options").css('display', '');
@@ -58,23 +56,6 @@ function visual_map_main() {
 		img_handler_end = data;
 	});
 
-	//Get the actual system font.
-	parameter = Array();
-	parameter.push ({name: "page", value: "include/ajax/visual_console_builder.ajax"});
-	parameter.push ({name: "action", value: "get_font"});
-	parameter.push ({name: "id_visual_console",
-		value: id_visual_console});
-	jQuery.ajax({
-		url: get_url_ajax(),
-		data: parameter,
-		type: "POST",
-		dataType: 'json',
-		success: function (data)
-		{
-			font = data['font'];
-		}
-	});
-
 	//Get the list of posible parents
 	parents = Base64.decode($("input[name='parents_load']").val());
 	parents = eval("(" + parents + ")");
@@ -1912,9 +1893,9 @@ function setPercentileBar(id_data, values) {
 				value_text = module_value + " " + unit_text;
 			}
 
-			var img = url_hack_metaconsole + 'include/graphs/fgraph.php?homeurl=../../&graph_type=progressbar&height=15&' +
+			var img = url_hack_metaconsole + 'include/graphs/fgraph.php?graph_type=progressbar&height=15&' +
 				'width=' + width_percentile + '&mode=1&progress=' + percentile +
-				'&font=' + font + '&value_text=' + value_text + '&colorRGB=' + colorRGB;
+				'&value_text=' + value_text + '&colorRGB=' + colorRGB;
 
 			$("#"+  id_data).attr('src', img);
 			
@@ -2035,9 +2016,9 @@ function setPercentileBubble(id_data, values) {
 				value_text = module_value + " " + unit_text;
 			}
 
-			var img = url_hack_metaconsole + 'include/graphs/fgraph.php?homeurl=../../&graph_type=progressbubble&height=' + width_percentile + '&' +
+			var img = url_hack_metaconsole + 'include/graphs/fgraph.php?graph_type=progressbubble&height=' + width_percentile + '&' +
 				'width=' + width_percentile + '&mode=1&progress=' + percentile +
-				'&font=' + font + '&value_text=' + value_text + '&colorRGB=' + colorRGB;
+				'&value_text=' + value_text + '&colorRGB=' + colorRGB;
 
 			$("#image_" + id_data).attr('src', img);
 			

pandora_console/include/functions_graph.php

@@ -2457,10 +2457,10 @@ function progress_bar($progress, $width, $height, $title = '', $mode = 1, $value
 	require_once("include_graph_dependencies.php");
 	include_graphs_dependencies($config['homedir'].'/');
 	$src = ui_get_full_url(
-		"/include/graphs/fgraph.php?homeurl=../../&graph_type=progressbar" .
-		"&width=".$width."&homedir=".$config['homedir']."&height=".$height."&progress=".$progress.
+		"/include/graphs/fgraph.php?graph_type=progressbar" .
+		"&width=".$width."&height=".$height."&progress=".$progress.
 		"&mode=" . $mode . "&out_of_lim_str=".$out_of_lim_str .
-		"&title=".$title."&font=".$config['fontpath']."&value_text=". $value_text . 
+		"&title=".$title."&value_text=". $value_text . 
 		"&colorRGB=". $colorRGB, false, false, false
 		);
 	
@@ -2492,10 +2492,10 @@ function progress_bubble($progress, $width, $height, $title = '', $mode = 1, $va
 	include_graphs_dependencies($config['homedir'].'/');
 	
 	return "<img title='" . $title . "' alt='" . $title . "'" .
-		" src='" . $config['homeurl'] . $hack_metaconsole . "/include/graphs/fgraph.php?homeurl=../../&graph_type=progressbubble" .
+		" src='" . $config['homeurl'] . $hack_metaconsole . "/include/graphs/fgraph.php?graph_type=progressbubble" .
 		"&width=".$width."&height=".$height."&progress=".$progress.
 		"&mode=" . $mode . "&out_of_lim_str=".$out_of_lim_str .
-		"&title=".$title."&font=".$config['fontpath']."&value_text=". $value_text . 
+		"&title=".$title."&value_text=". $value_text . 
 		"&colorRGB=". $colorRGB . "' />";
 }
 

pandora_console/include/graphs/fgraph.php

@@ -10,48 +10,29 @@
 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 // GNU General Public License for more details.
 
-$ttl = 1;
-$homeurl = '';
-
-if (isset($_GET['homeurl'])) {
-	$homeurl = $_GET['homeurl'];
-}
-else $homeurl = '';
-
-$homeurl = ((bool)filter_var($homeurl, FILTER_VALIDATE_URL) == 1) ? '' : $homeurl;
-
-if (isset($_GET['ttl'])) {
-	$ttl = $_GET['ttl'];
-}
-else $ttl_param = 1;
-
-if (isset($_GET['graph_type'])) {
-	$graph_type = $_GET['graph_type'];
-}
-else $graph_type = '';
-
-//$graph_type = get_parameter('graph_type', '');
-//$ttl_param = get_parameter('ttl', 1);
-//$homeurl_param = get_parameter('homeurl', '');
-
 // Turn on output buffering.
 // The entire buffer will be discarded later so that any accidental output
 // does not corrupt images generated by fgraph.
-ob_start ();
+ob_start();
+
+global $config;
+
+if (empty($config['homedir'])) {
+	require_once ('../../include/config.php');
+	global $config;
+}
+
+include_once($config['homedir'] . '/include/functions.php');
+
+$ttl = get_parameter('ttl', 1);
+$graph_type = get_parameter('graph_type', '');
 
 if (!empty($graph_type)) {
-	$homedir = $_GET['homedir'];
-	if ($homedir != null) {
-		$config['homedir'] = $homedir;
-	}
-
-	include_once($homeurl . 'include/functions.php');
-	include_once($homeurl . 'include/functions_html.php');
-	
-	include_once($homeurl . 'include/graphs/functions_gd.php');
-	include_once($homeurl . 'include/graphs/functions_utils.php');
-	include_once($homeurl . 'include/graphs/functions_d3.php');
-	include_once($homeurl . 'include/graphs/functions_flot.php');
+	include_once($config['homedir'] . '/include/functions_html.php');
+	include_once($config['homedir'] . '/include/graphs/functions_gd.php');
+	include_once($config['homedir'] . '/include/graphs/functions_utils.php');
+	include_once($config['homedir'] . '/include/graphs/functions_d3.php');
+	include_once($config['homedir'] . '/include/graphs/functions_flot.php');
 }
 
 // Clean the output buffer and turn off output buffering
@@ -61,13 +42,12 @@ switch($graph_type) {
 	case 'histogram': 
 		$width = get_parameter('width');
 		$height = get_parameter('height');
-		$font = get_parameter('font');
 		$data = json_decode(io_safe_output(get_parameter('data')), true);
 		
 		$max = get_parameter('max');
 		$title = get_parameter('title');
 		$mode = get_parameter ('mode', 1);
-		gd_histogram ($width, $height, $mode, $data, $max, $font, $title);
+		gd_histogram ($width, $height, $mode, $data, $max, $config['fontpath'], $title);
 		break;
 	case 'progressbar':
 		$width = get_parameter('width');
@@ -77,7 +57,6 @@ switch($graph_type) {
 		$out_of_lim_str = io_safe_output(get_parameter('out_of_lim_str', false));
 		$out_of_lim_image = get_parameter('out_of_lim_image', false);
 		
-		$font = get_parameter('font');
 		$title = get_parameter('title');
 		
 		$mode = get_parameter('mode', 1);
@@ -87,7 +66,7 @@ switch($graph_type) {
 		$value_text = get_parameter('value_text', '');
 		$colorRGB = get_parameter('colorRGB', '');
 		
-		gd_progress_bar ($width, $height, $progress, $title, $font,
+		gd_progress_bar ($width, $height, $progress, $title, $config['fontpath'],
 			$out_of_lim_str, $out_of_lim_image, $mode, $fontsize,
 			$value_text, $colorRGB);
 		break;
@@ -99,7 +78,6 @@ switch($graph_type) {
 		$out_of_lim_str = io_safe_output(get_parameter('out_of_lim_str', false));
 		$out_of_lim_image = get_parameter('out_of_lim_image', false);
 		
-		$font = get_parameter('font');
 		$title = get_parameter('title');
 		
 		$mode = get_parameter('mode', 1);
@@ -109,7 +87,7 @@ switch($graph_type) {
 		$value_text = get_parameter('value_text', '');
 		$colorRGB = get_parameter('colorRGB', '');
 		
-		gd_progress_bubble ($width, $height, $progress, $title, $font,
+		gd_progress_bubble ($width, $height, $progress, $title, $config['fontpath'],
 			$out_of_lim_str, $out_of_lim_image, $mode, $fontsize,
 			$value_text, $colorRGB);
 		break;