From 97af45b63acb56224daef5b9664ec6de89fe59a5 Mon Sep 17 00:00:00 2001
From: guruevi
Date: Wed, 3 Sep 2008 15:47:09 +0000
Subject: [PATCH] 2008-09-03 Evi Vanoost * reporting/fgraph.php: Fixed bug where a graph wouldn't return when free search was specified. Also made SQL safer against attacks since fgraph can be accessed by anyone. This should be fixed in later versions so there has to be no SQL query passed * operation/events/events_rss.php: Made RSS feed better. Now you can also pass a filter from events.php. Fixed direction of the links * operation/events/events.php: Added a filter on agent name. Updated for RSS feeds. Added filter on event id * install.php: A little bit of automatic field filling. Corrected some text for more correct English and update to the new URL specification
git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@1077 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
---
 pandora_console/ChangeLog | 16 ++++
 pandora_console/install.php | 8 +-
 pandora_console/operation/events/events.php | 41 ++++++---
 .../operation/events/events_rss.php | 84 ++++++++++++-------
 pandora_console/reporting/fgraph.php | 9 +-
 5 files changed, 113 insertions(+), 45 deletions(-)
diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog
index c0bf0366ab..209fde642e 100644
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@@ -1,3 +1,19 @@
+2008-09-03 Evi Vanoost
+
+ * reporting/fgraph.php: Fixed bug where a graph wouldn't return
+ when free search was specified. Also made SQL safer against
+ attacks since fgraph can be accessed by anyone. This should be
+ fixed in later versions so there has to be no SQL query passed
+
+ * operation/events/events_rss.php: Made RSS feed better. Now you can
+ also pass a filter from events.php. Fixed direction of the links
+
+ * operation/events/events.php: Added a filter on agent name. Updated
+ for RSS feeds. Added filter on event id
+
+ * install.php: A little bit of automatic field filling. Corrected some
+ text for more correct English and update to the new URL specification
+
 2008-09-03 Esteban Sanchez
 * include/functions_html.php: Fixed a typo error in print_textarea
diff --git a/pandora_console/install.php b/pandora_console/install.php
index ff524eac2f..200d3663d2 100644
--- a/pandora_console/install.php
+++ b/pandora_console/install.php
@@ -317,13 +317,13 @@ function install_step3() {
+ value='".dirname (__FILE__)."'> -
Full local URL to Pandora FMS Console
+
URL path to Pandora FMS Console
For example '/pandora_console'
+ value='".dirname ($_SERVER['PHP_SELF'])."'>
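Review bot: `dirname ($_SERVER['PHP_SELF'])` is written straight into a single-quoted value attribute with no escaping, and PHP_SELF reflects the request path, so a quote or markup in the URL used to reach the installer lands unescaped in the form; wrap it as `value='".htmlspecialchars (dirname ($_SERVER['PHP_SELF']), ENT_QUOTES)."'>`. Doing the same for the `dirname (__FILE__)` default keeps the two fields consistent, even though that value is a server-side path. The surrounding input markup is not visible in this rendering, so the exact attribute context is inferred, and install_step3 continues outside the hunk.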
@@ -474,7 +474,7 @@ function install_step5() {

Installation complete

You now must delete manually this installer ('install.php') file for security before trying to access to your Pandora FMS console. -

Now you need to install Pandora FMS server before trying to monitor anything, +

You should also install the Pandora FMS Servers before trying to monitor anything, please read documentation on how to install it.

Don't forget to check http://pandorafms.com for updates. diff --git a/pandora_console/operation/events/events.php b/pandora_console/operation/events/events.php index 30105418e3..13358f88ed 100644 --- a/pandora_console/operation/events/events.php +++ b/pandora_console/operation/events/events.php @@ -164,13 +164,14 @@ if (isset ($_POST["updatebt"])) { // Get data -$offset = get_parameter ( "offset",0); -$ev_group = get_parameter ("ev_group", 0); // group +$offset = (int) get_parameter ( "offset",0); +$ev_group = (int) get_parameter ("ev_group", 0); // group $search = get_parameter ("search", ""); // free search $event_type = get_parameter ("event_type", ''); // 0 all -$severity = get_parameter ("severity", -1); // -1 all -$status = get_parameter ("status", 0); // -1 all, 0 only red, 1 only green -$id_agent = get_parameter ("id_agent", -1); +$severity = (int) get_parameter ("severity", -1); // -1 all +$status = (int) get_parameter ("status", 0); // -1 all, 0 only red, 1 only green +$id_agent = (int) get_parameter ("id_agent", -1); +$id_event = (int) get_parameter ("id_event", -1); $sql_post = ""; if ($ev_group > 1) @@ -184,10 +185,13 @@ if ($search != "") if ($event_type != "") $sql_post .= " AND event_type = '$event_type'"; if ($severity != -1) - $sql_post .= " AND criticity >= $severity"; + $sql_post .= " AND criticity >= ".$severity; if ($id_agent != -1) - $sql_post .= " AND id_agente = $id_agent"; -$url = "index.php?sec=eventos&sec2=operation/events/events&search=$search&event_type=$event_type&severity=$severity&status=$status&ev_group=$ev_group&refr=60&id_agent=$id_agent"; + $sql_post .= " AND id_agente = ".$id_agent; +if ($id_event != -1) + $sql_post .= " AND id_evento = ".$id_event; + +$url = "index.php?sec=eventos&sec2=operation/events/events&search=$search&event_type=$event_type&severity=$severity&status=$status&ev_group=$ev_group&refr=60&id_agent=$id_agent&id_event=$id_event"; echo "

".__('Events')." > ".__('Main event view'). " "; @@ -250,7 +254,24 @@ echo ""; // Free search echo "".__('Free search').""; print_input_text ('search', $search, '', 15); -echo ""; + +//Agent search +echo "".__('Agent search').""; +$sql = "SELECT DISTINCT(id_agente) FROM tevento WHERE 1=1 ".$sql_post; +$result = get_db_all_rows_sql ($sql); +if ($result === false) + $result = array(); +$agents = array(-1 => "All"); + +foreach ($result as $id_row) { + $agents[$id_row[0]] = dame_nombre_agente ($id_row[0]); +} + +print_select ($agents, 'id_agent', $id_agent, 'javascript:this.form.submit();', '', ''); +echo ""; + +//The buttons +echo ''; print_submit_button (__('Update'), '', false, $attributes = 'class="sub upd"'); // CSV @@ -260,7 +281,7 @@ echo '    // Marquee echo " "; // RSS -echo " "; +echo ' '; echo ""; diff --git a/pandora_console/operation/events/events_rss.php b/pandora_console/operation/events/events_rss.php index ceca2eb1be..b4acd9dd89 100644 --- a/pandora_console/operation/events/events_rss.php +++ b/pandora_console/operation/events/events_rss.php 
@@ -16,54 +16,82 @@
 // along with this program; if not, write to the Free Software
 // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-error_reporting(E_ALL);
-
 require "../../include/config.php";
 require "../../include/functions.php";
 require_once "../../include/functions_db.php";
-$constraints = "";
+$ev_group = get_parameter ("ev_group", 0); // group
+$search = get_parameter ("search", ""); // free search
+$event_type = get_parameter ("event_type", ''); // 0 all
+$severity = (int) get_parameter ("severity", -1); // -1 all
+$status = (int) get_parameter ("status", 0); // -1 all, 0 only red, 1 only green
+$id_agent = (int) get_parameter ("id_agent", -1);
+$id_event = (int) get_parameter ("id_event", -1); //This will allow to select only 1 event (eg. RSS)
+$sql_post = "";
+if ($ev_group > 1)
+ $sql_post .= " AND `tevento`.`id_grupo` = $ev_group";
+if ($status == 1)
+ $sql_post .= " AND `tevento`.`estado` = 1";
+if ($status == 0)
+ $sql_post .= " AND `tevento`.`estado` = 0";
+if ($search != "")
+ $sql_post .= " AND `tevento`.`evento` LIKE '%$search%'";
+if ($event_type != "")
+ $sql_post .= " AND `tevento`.`event_type` = '$event_type'";
+if ($severity != -1)
+ $sql_post .= " AND `tevento`.`criticity` >= ".$severity;
+if ($id_agent != -1)
+ $sql_post .= " AND `tevento`.`id_agente` = ".$id_agent;
+if ($id_event != -1)
+ $sql_post .= " AND id_evento = ".$id_event;
+
+$sql="SELECT `tevento`.`id_evento` AS event_id,
+ `tagente`.`nombre` AS agent_name,
+ `tevento`.`id_usuario` AS validated_by,
+ `tevento`.`estado` AS validated,
+ `tevento`.`evento` AS event_descr,
+ `tevento`.`utimestamp` AS unix_timestamp
+ FROM tevento, tagente
+ WHERE `tevento`.`id_agente` = `tagente`.`id_agente` ".$sql_post." 
+ ORDER BY utimestamp DESC LIMIT 0 , 30"; -$sql="SELECT `tevento`.`id_evento` AS event_id, `tagente`.`nombre` AS agent_name, `tevento`.`id_usuario` AS validated_by , `tevento`.`estado` AS validated, `tevento`.`evento` AS event_descr , `tevento`.`utimestamp` AS unix_timestamp, `tgrupo`.`nombre` AS group_name, `tgrupo`.`icon` AS group_icon -FROM tevento, tagente, tgrupo -WHERE `tevento`.`id_agente` = `tagente`.`id_agente` AND `tevento`.`id_grupo` = `tgrupo`.`id_grupo` $constraints -ORDER BY utimestamp DESC -LIMIT 0 , 30"; - -$result=mysql_query($sql); +$result= get_db_all_rows_sql ($sql); //$url = "https://".$_SERVER['HTTP_HOST']."/pandora_console"; $url = 'http://'.$_SERVER['HTTP_HOST'].$config["homeurl"]; +$selfurl = 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']; +$rss_feed = ''; +$rss_feed .= 'Pandora RSS FeedLatest events on Pandora'; +$rss_feed .= ''.date(DATE_RFC822, $result[0]['unix_timestamp']).''; +$rss_feed .= ''.$url.''; +$rss_feed .= ''; -$rss_feed = ' -Pandora RSS Feed -Latest events on Pandora -' . $url . ' -'; +if ($result === false) { + $result = array(); + $rss_feed .= ''.$url.'/index.php?sec=eventos&sec2=operation/events/eventsNo results'; + $rss_feed .= 'There are no results. Click on the link to see all Pending events'; + $rss_feed .= ''.$url.'/index.php?sec=eventos&sec2=operation/events/events'; +} -while($row=mysql_fetch_array($result,MYSQL_ASSOC)) { +foreach ($result as $row) { //This is mandatory $rss_feed .= ''; - $rss_feed .= $url . "/operation/events/view_event?id=" . $row['event_id']; + $rss_feed .= htmlentities ($url . "/index.php?sec=eventos&sec2=operation/events/events&id_event=" . $row['event_id']); $rss_feed .= ''; - $rss_feed .= htmlentities($row['agent_name']); + $rss_feed .= htmlentities ($row['agent_name']); $rss_feed .= ''; - $rss_feed .= htmlentities($row['event_descr']); - if($row['validated'] == 1) { - $rss_feed .= '

Validated by ' . $row['validated_by']; - } + $rss_feed .= htmlentities ($row['event_descr']); + if($row['validated'] == 1) { + $rss_feed .= '

Validated by ' . $row['validated_by']; + } $rss_feed .= '
'; - $rss_feed .= $url . "/operation/events/view_event?id=" . $row["event_id"]; + $rss_feed .= htmlentities ($url . "/index.php?sec=eventos&sec2=operation/events/events&id_event=" . $row["event_id"]); $rss_feed .= ''; + //The rest is optional $rss_feed .= '' . date(DATE_RFC822, $row['unix_timestamp']) . ''; - $rss_feed .= ''; - $rss_feed .= '' . $url . ''; - $rss_feed .= '' . $row['group_name'] . ''; - $rss_feed .= '' . $url . '/images/groups_small/' . $row['group_icon'] . '.png'; - $rss_feed .= ''; //This is mandatory again $rss_feed .= '
';
diff --git a/pandora_console/reporting/fgraph.php b/pandora_console/reporting/fgraph.php
index 9bd68c3cf4..3b8d3b5caf 100644
--- a/pandora_console/reporting/fgraph.php
+++ b/pandora_console/reporting/fgraph.php
@@ -1325,7 +1325,7 @@ function graph_event_module ($width = 300, $height = 200, $id_agent) {
 $data = array();
 $legend = array();
- $sql = "SELECT DISTINCT(id_agentmodule) AS id_agentmodule, id_grupo, COUNT(id_agentmodule) AS count FROM tevento WHERE id_agente = ".$id_agent." GROUP BY id_agentmodule";
+ $sql = sprintf ("SELECT DISTINCT(id_agentmodule) AS id_agentmodule, id_grupo, COUNT(id_agentmodule) AS count FROM tevento WHERE id_agente = %d GROUP BY id_agentmodule",$id_agent);
 $result = get_db_all_rows_sql ($sql);
 if ($result === false)
 $result = array();
@@ -1359,10 +1359,13 @@ function grafico_eventos_grupo ($width = 300, $height = 200, $url = "") {
 global $config;
- $url = rawurldecode ($url); //It was urlencoded, so we urldecode it
+ $url = html_entity_decode (rawurldecode ($url),ENT_QUOTES); //It was urlencoded, so we urldecode it
 $data = array();
 $legend = array();
-
+
+ $badstrings = array (";", "SELECT ", "DELETE ", "UPDATE ", "INSERT ");
+ $url = str_ireplace ($badstrings,"",$url); //remove bad strings from the query so queries like ; DELETE FROM don't pass
+
 //This will give the distinct id_agente, give the id_grupo that goes
 //with it and then the number of times it occured. GROUP BY statement
 //is required if both DISTINCT() and COUNT() are in the statement
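Review bot: The channel date is built from `$result[0]['unix_timestamp']` before the `$result === false` check, so a failed or empty query raises an undefined-offset notice and emits `date()` of null; move that line below the check and guard it, e.g. `$feed_ts = empty ($result) ? time() : $result[0]['unix_timestamp'];`. `$row['validated_by']` is concatenated raw while agent_name and event_descr go through `htmlentities`; use `htmlentities ($row['validated_by'])` there too. `$selfurl` carries `$_SERVER['QUERY_STRING']` verbatim; its use is not visible in this rendering (the feed's XML tags were stripped), but wherever it is emitted into the feed it needs `htmlentities()` like the other links, since the feed takes all its filters from the query string. No session or permission check is visible before the query runs; if the feed is meant to be public, a comment stating that decision would help, because it exposes event descriptions for every agent.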
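Review bot: The `str_ireplace` denylist on the `$badstrings` line does not make `grafico_eventos_grupo` safe: it is a single pass over five exact spellings and says nothing about the many other statements and operators a query fragment can carry, so it must not be treated as the injection control for SQL that arrives in the URL. The ChangeLog already names the right fix — stop passing a query at all; accept the identifiers the graph needs (a group id, an agent list) as integers, cast them with `(int)` or `%d` as the `graph_event_module` hunk now does, and build the statement inside the function. Until that lands, a comment such as `// TODO: denylist is not a security boundary; replace the SQL-in-URL interface` beside `$badstrings` would stop the next reader from trusting it. Decoding with `html_entity_decode`/`rawurldecode` before filtering is the correct order; the rest of the function body, including where `$url` is executed, is outside this hunk.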