2008-09-03 Evi Vanoost <vanooste@rcbi.rochester.edu>

* reporting/fgraph.php: Fixed bug where a graph wouldn't return when free search was specified. Also made SQL safer against attacks since fgraph can be accessed by anyone. This should be fixed in later versions so there has to be no SQL query passed * operation/events/events_rss.php: Made RSS feed better. Now you can also pass a filter from events.php. Fixed direction of the links * operation/events/events.php: Added a filter on agent name. Updated for RSS feeds. Added filter on event id * install.php: A little bit of automatic field filling. Corrected some text for more correct English and update to the new URL specification git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@1077 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2008-09-03 15:47:09 +00:00 · 2008-09-03 15:47:09 +00:00 · 97af45b63a
parent 64db350841
commit 97af45b63a
5 changed files with 113 additions and 45 deletions
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@ -1,3 +1,19 @@
+2008-09-03  Evi Vanoost  <vanooste@rcbi.rochester.edu>
+
+	* reporting/fgraph.php: Fixed bug where a graph wouldn't return
+	when free search was specified. Also made SQL safer against
+	attacks since fgraph can be accessed by anyone. This should be
+	fixed in later versions so there has to be no SQL query passed
+
+	* operation/events/events_rss.php: Made RSS feed better. Now you can
+	also pass a filter from events.php. Fixed direction of the links
+
+	* operation/events/events.php: Added a filter on agent name. Updated
+	for RSS feeds. Added filter on event id
+
+	* install.php: A little bit of automatic field filling. Corrected some
+	text for more correct English and update to the new URL specification
+
 2008-09-03  Esteban Sanchez  <estebans@artica.es>

 	* include/functions_html.php: Fixed a typo error in print_textarea
--- a/pandora_console/install.php
+++ b/pandora_console/install.php
@ -317,13 +317,13 @@ function install_step3() {
 					</span>
 				</div>
 				<input class='login' type='text' name='path' style='width: 190px;' 
-				value='/var/www/pandora_console/'>
+				value='".dirname (__FILE__)."'>

-				<div>Full local URL to Pandora FMS Console<br>
+				<div>URL path to Pandora FMS Console<br>
 				<span class='f9b'>For example '/pandora_console'</span>
 				</div>
 				<input class='login' type='text' name='url' style='width: 250px;' 
-				value='/pandora_console'>
+				value='".dirname ($_SERVER['PHP_SELF'])."'>
 				
 				<div align='right'>
 				<input type='image' src='images/arrow_next.png' value='Step #4' id='step4'>
@ -474,7 +474,7 @@ function install_step5() {
 			<h2>Installation complete</h2>
 			<p>You now must delete manually this installer ('<i>install.php</i>') 
 			file for security before trying to access to your Pandora FMS console.
-			<p>Now you need to install Pandora FMS server before trying to monitor anything, 
+			<p>You should also install the Pandora FMS Servers before trying to monitor anything, 
 			please read documentation on how to install it.</p>
 			<p>Don't forget to check <a href='http://pandorafms.com'>http://pandorafms.com</a> 
 			for updates.
--- a/pandora_console/operation/events/events.php
+++ b/pandora_console/operation/events/events.php
@ -164,13 +164,14 @@ if (isset ($_POST["updatebt"])) {

 // Get data

-$offset = get_parameter ( "offset",0);
-$ev_group = get_parameter ("ev_group", 0); // group
+$offset = (int) get_parameter ( "offset",0);
+$ev_group = (int) get_parameter ("ev_group", 0); // group
 $search = get_parameter ("search", ""); // free search
 $event_type = get_parameter ("event_type", ''); // 0 all
-$severity = get_parameter ("severity", -1); // -1 all
-$status = get_parameter ("status", 0); // -1 all, 0 only red, 1 only green
-$id_agent = get_parameter ("id_agent", -1);
+$severity = (int) get_parameter ("severity", -1); // -1 all
+$status = (int) get_parameter ("status", 0); // -1 all, 0 only red, 1 only green
+$id_agent = (int) get_parameter ("id_agent", -1);
+$id_event = (int) get_parameter ("id_event", -1);

 $sql_post = "";
 if ($ev_group > 1)
@ -184,10 +185,13 @@ if ($search != "")
 if ($event_type != "")
 	$sql_post .= " AND event_type = '$event_type'";
 if ($severity != -1)
-	$sql_post .= " AND criticity >= $severity";
+	$sql_post .= " AND criticity >= ".$severity;
 if ($id_agent != -1)
-	$sql_post .= " AND id_agente = $id_agent";
-$url = "index.php?sec=eventos&sec2=operation/events/events&search=$search&event_type=$event_type&severity=$severity&status=$status&ev_group=$ev_group&refr=60&id_agent=$id_agent";
+	$sql_post .= " AND id_agente = ".$id_agent;
+if ($id_event != -1)
+	$sql_post .= " AND id_evento = ".$id_event;
+
+$url = "index.php?sec=eventos&sec2=operation/events/events&search=$search&event_type=$event_type&severity=$severity&status=$status&ev_group=$ev_group&refr=60&id_agent=$id_agent&id_event=$id_event";

 echo "<h2>".__('Events')." &gt; ".__('Main event view'). "&nbsp";

@ -250,7 +254,24 @@ echo "</td></tr><tr>";
 // Free search
 echo "<td>".__('Free search')."</td><td>";
 print_input_text ('search', $search, '', 15);
-echo "</td><td colspan=2>";
+
+//Agent search
+echo "</td><td>".__('Agent search')."</td><td>";
+$sql = "SELECT DISTINCT(id_agente) FROM tevento WHERE 1=1 ".$sql_post;
+$result = get_db_all_rows_sql ($sql);
+if ($result === false)
+	$result = array();
+$agents = array(-1 => "All");
+
+foreach ($result as $id_row) {
+	$agents[$id_row[0]] = dame_nombre_agente ($id_row[0]);
+}
+
+print_select ($agents, 'id_agent', $id_agent, 'javascript:this.form.submit();', '', '');
+echo "</td></tr>";
+
+//The buttons
+echo '<tr><td colspan="2"><!-- Empty cell --></td><td colspan="2">';
 print_submit_button (__('Update'), '', false, $attributes = 'class="sub upd"');

 // CSV
@ -260,7 +281,7 @@ echo '&nbsp;&nbsp;&nbsp;
 // Marquee
 echo "&nbsp;<a target='_top' href='operation/events/events_marquee.php'><img src='images/heart.png' title='".__('Marquee display')."'></a>";
 // RSS
-echo "&nbsp;<a target='_top' href='operation/events/events_rss.php'><img src='images/transmit.png' title='".__('RSS Events')."'></a>";
+echo '&nbsp;<a target="_top" href="operation/events/events_rss.php?ev_group='.$ev_group.'&event_type='.$event_type.'&search='.$search.'&severity='.$severity.'&status='.$status.'&id_agent='.$id_agent.'"><img src="images/transmit.png" title="'.__('RSS Events').'"></a>';


 echo "</td></tr></table>";
--- a/pandora_console/operation/events/events_rss.php
+++ b/pandora_console/operation/events/events_rss.php
@ -16,54 +16,82 @@
 // along with this program; if not, write to the Free Software
 // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

-error_reporting(E_ALL);
-
 require "../../include/config.php";
 require "../../include/functions.php";
 require_once "../../include/functions_db.php";

-$constraints = "";
+$ev_group = get_parameter ("ev_group", 0); // group
+$search = get_parameter ("search", ""); // free search
+$event_type = get_parameter ("event_type", ''); // 0 all
+$severity = (int) get_parameter ("severity", -1); // -1 all
+$status = (int) get_parameter ("status", 0); // -1 all, 0 only red, 1 only green
+$id_agent = (int) get_parameter ("id_agent", -1);
+$id_event = (int) get_parameter ("id_event", -1); //This will allow to select only 1 event (eg. RSS)

+$sql_post = "";
+if ($ev_group > 1)
+	$sql_post .= " AND `tevento`.`id_grupo` = $ev_group";
+if ($status == 1)
+	$sql_post .= " AND `tevento`.`estado` = 1";
+if ($status == 0)
+	$sql_post .= " AND `tevento`.`estado` = 0";
+if ($search != "")
+        $sql_post .= " AND `tevento`.`evento` LIKE '%$search%'";
+if ($event_type != "")
+        $sql_post .= " AND `tevento`.`event_type` = '$event_type'";
+if ($severity != -1)
+        $sql_post .= " AND `tevento`.`criticity` >= ".$severity;
+if ($id_agent != -1)
+	$sql_post .= " AND `tevento`.`id_agente` = ".$id_agent;
+if ($id_event != -1)
+	$sql_post .= " AND id_evento = ".$id_event;
+													
+$sql="SELECT `tevento`.`id_evento` AS event_id,
+	`tagente`.`nombre` AS agent_name,
+	`tevento`.`id_usuario` AS validated_by,
+	`tevento`.`estado` AS validated,
+	`tevento`.`evento` AS event_descr,
+	`tevento`.`utimestamp` AS unix_timestamp 
+	FROM tevento, tagente
+	WHERE  `tevento`.`id_agente` = `tagente`.`id_agente` ".$sql_post."
+	ORDER BY utimestamp DESC LIMIT 0 , 30";

-$sql="SELECT  `tevento`.`id_evento` AS event_id,  `tagente`.`nombre` AS agent_name,  `tevento`.`id_usuario` AS validated_by ,  `tevento`.`estado` AS validated,  `tevento`.`evento` AS event_descr ,  `tevento`.`utimestamp` AS unix_timestamp, `tgrupo`.`nombre` AS group_name, `tgrupo`.`icon` AS group_icon 
-FROM tevento, tagente, tgrupo
-WHERE  `tevento`.`id_agente` =  `tagente`.`id_agente` AND `tevento`.`id_grupo` = `tgrupo`.`id_grupo` $constraints
-ORDER BY utimestamp DESC 
-LIMIT 0 , 30";
-
-$result=mysql_query($sql);
+$result= get_db_all_rows_sql ($sql);

 //$url = "https://".$_SERVER['HTTP_HOST']."/pandora_console";

 $url = 'http://'.$_SERVER['HTTP_HOST'].$config["homeurl"];
+$selfurl = 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'];
+$rss_feed = '<?xml version="1.0" encoding="utf-8" ?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">';
+$rss_feed .= '<channel><title>Pandora RSS Feed</title><description>Latest events on Pandora</description>';
+$rss_feed .= '<lastBuildDate>'.date(DATE_RFC822, $result[0]['unix_timestamp']).'</lastBuildDate>';
+$rss_feed .= '<link>'.$url.'</link>';
+$rss_feed .= '<atom:link href="'.htmlentities ($selfurl).'" rel="self" type="application/rss+xml" />';

-$rss_feed = '<?xml version="1.0" ?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel>
-<title>Pandora RSS Feed</title>
-<description>Latest events on Pandora</description>
-<link>' . $url . '</link>
-<atom:link href="' . $url . '/operation/events/events_rss.php" rel="self" type="application/rss+xml" />';
+if ($result === false) {
+	$result = array();
+	$rss_feed .= '<item><guid>'.$url.'/index.php?sec=eventos&sec2=operation/events/events</guid><title>No results</title>';
+	$rss_feed .= '<description>There are no results. Click on the link to see all Pending events</description>';
+	$rss_feed .= '<link>'.$url.'/index.php?sec=eventos&sec2=operation/events/events</link></item>';
+}

-while($row=mysql_fetch_array($result,MYSQL_ASSOC)) {
+foreach ($result as $row) {
 //This is mandatory
 	$rss_feed .= '<item><guid>';
-		$rss_feed .= $url . "/operation/events/view_event?id=" . $row['event_id'];
+	$rss_feed .= htmlentities ($url . "/index.php?sec=eventos&sec2=operation/events/events&id_event=" . $row['event_id']);
 	$rss_feed .= '</guid><title>';
-		$rss_feed .= htmlentities($row['agent_name']);
+	$rss_feed .= htmlentities ($row['agent_name']);
 	$rss_feed .= '</title><description>';
-		$rss_feed .= htmlentities($row['event_descr']);
-		if($row['validated'] == 1) {
-			$rss_feed .= '<br /><br />Validated by ' . $row['validated_by'];
-		}
+	$rss_feed .= htmlentities ($row['event_descr']);
+	if($row['validated'] == 1) {
+		$rss_feed .= '<br /><br />Validated by ' . $row['validated_by'];
+	}
 	$rss_feed .= '</description><link>';
-		$rss_feed .= $url . "/operation/events/view_event?id=" . $row["event_id"];
+	$rss_feed .= htmlentities ($url . "/index.php?sec=eventos&sec2=operation/events/events&id_event=" . $row["event_id"]);
 	$rss_feed .= '</link>';
+
 //The rest is optional
 	$rss_feed .= '<pubDate>' . date(DATE_RFC822, $row['unix_timestamp']) . '</pubDate>';
- 	$rss_feed .= '<image>';
-		$rss_feed .= '<link>' . $url .  '</link>';
-		$rss_feed .= '<title>' . $row['group_name'] . '</title>';
-		$rss_feed .= '<url>' . $url . '/images/groups_small/' . $row['group_icon'] . '.png</url>';
-	$rss_feed .= '</image>';	
 	
 //This is mandatory again
 	$rss_feed .= '</item>';
--- a/pandora_console/reporting/fgraph.php
+++ b/pandora_console/reporting/fgraph.php
@ -1325,7 +1325,7 @@ function graph_event_module ($width = 300, $height = 200, $id_agent) {
        $data = array();
        $legend = array();

-        $sql = "SELECT DISTINCT(id_agentmodule) AS id_agentmodule, id_grupo, COUNT(id_agentmodule) AS count FROM tevento WHERE id_agente = ".$id_agent." GROUP BY id_agentmodule";
+        $sql = sprintf ("SELECT DISTINCT(id_agentmodule) AS id_agentmodule, id_grupo, COUNT(id_agentmodule) AS count FROM tevento WHERE id_agente = %d GROUP BY id_agentmodule",$id_agent);
        $result = get_db_all_rows_sql ($sql);
        if ($result === false)
                $result = array();
@ -1359,10 +1359,13 @@ function graph_event_module ($width = 300, $height = 200, $id_agent) {
 function grafico_eventos_grupo ($width = 300, $height = 200, $url = "") {
 	global $config;
 	
-	$url = rawurldecode ($url); //It was urlencoded, so we urldecode it
+	$url = html_entity_decode (rawurldecode ($url),ENT_QUOTES); //It was urlencoded, so we urldecode it
 	$data = array();
 	$legend = array();
-	
+
+	$badstrings = array (";", "SELECT ", "DELETE ", "UPDATE ", "INSERT ");	
+	$url = str_ireplace ($badstrings,"",$url); //remove bad strings from the query so queries like ; DELETE FROM  don't pass
+		
 	//This will give the distinct id_agente, give the id_grupo that goes
 	//with it and then the number of times it occured. GROUP BY statement
 	//is required if both DISTINCT() and COUNT() are in the statement