From 9a8c42f4acb37d3b3ed25989ad5ca2e12e9f1e4f Mon Sep 17 00:00:00 2001
From: Luis Calvo <luis.calvo@artica.es>
Date: Fri, 26 Jun 2020 15:36:51 +0200
Subject: [PATCH] Fixed xss event comments vulnerabiluty and some acls on event
 ajax

---
 pandora_console/include/ajax/events.php       | 25 ++++++++++++
 pandora_console/include/functions_events.php  |  4 +-
 .../operation/events/events.build_table.php   | 38 +++++++++---------
 pandora_console/operation/events/events.php   | 40 +++++++++----------
 4 files changed, 67 insertions(+), 40 deletions(-)

diff --git a/pandora_console/include/ajax/events.php b/pandora_console/include/ajax/events.php
index 4b5bffa2b4..ca17c8ab9f 100644
--- a/pandora_console/include/ajax/events.php
+++ b/pandora_console/include/ajax/events.php
@@ -871,6 +871,11 @@ if ($get_response_description) {
 }
 
 if ($get_response_params) {
+    if (! check_acl($config['id_user'], 0, 'EW')) {
+        echo 'unauthorized';
+        return;
+    }
+
     $response_id = get_parameter('response_id');
 
     $params = db_get_value('params', 'tevent_response', 'id', $response_id);
@@ -885,6 +890,11 @@ if ($get_response_params) {
 }
 
 if ($get_response_target) {
+    if (! check_acl($config['id_user'], 0, 'EW')) {
+        echo 'unauthorized';
+        return;
+    }
+
     $response_id = (int) get_parameter('response_id');
     $event_id = (int) get_parameter('event_id');
     $server_id = (int) get_parameter('server_id');
@@ -901,6 +911,11 @@ if ($get_response_target) {
 }
 
 if ($get_response) {
+    if (! check_acl($config['id_user'], 0, 'EW')) {
+        echo 'unauthorized';
+        return;
+    }
+
     $response_id = get_parameter('response_id');
 
     $event_response = db_get_row('tevent_response', 'id', $response_id);
@@ -917,6 +932,11 @@ if ($get_response) {
 if ($perform_event_response) {
     global $config;
 
+    if (! check_acl($config['id_user'], 0, 'EW')) {
+        echo 'unauthorized';
+        return;
+    }
+
     $response_id = get_parameter('response_id');
     $event_id = (int) get_parameter('event_id');
     $server_id = (int) get_parameter('server_id', 0);
@@ -1011,6 +1031,11 @@ if ($perform_event_response) {
 if ($dialogue_event_response) {
     global $config;
 
+    if (! check_acl($config['id_user'], 0, 'EW')) {
+        echo 'unauthorized';
+        return;
+    }
+
     $event_id = get_parameter('event_id');
     $response_id = get_parameter('response_id');
     $command = get_parameter('target');
diff --git a/pandora_console/include/functions_events.php b/pandora_console/include/functions_events.php
index a5b442d69c..bf5a0c1efb 100644
--- a/pandora_console/include/functions_events.php
+++ b/pandora_console/include/functions_events.php
@@ -2118,7 +2118,7 @@ function events_comment(
 
     switch ($comments_format) {
         case 'new':
-            $comment_for_json['comment'] = $comment;
+            $comment_for_json['comment'] = io_safe_input($comment);
             $comment_for_json['action'] = $action;
             $comment_for_json['id_user'] = $config['id_user'];
             $comment_for_json['utimestamp'] = time();
@@ -2141,7 +2141,7 @@ function events_comment(
             $comment = str_replace(["\r\n", "\r", "\n"], '<br>', $comment);
 
             if ($comment != '') {
-                $commentbox = '<div style="border:1px dotted #CCC; min-height: 10px;">'.$comment.'</div>';
+                $commentbox = '<div style="border:1px dotted #CCC; min-height: 10px;">'.io_safe_input($comment).'</div>';
             } else {
                 $commentbox = '';
             }
diff --git a/pandora_console/operation/events/events.build_table.php b/pandora_console/operation/events/events.build_table.php
index 943068c0ec..53eb840348 100644
--- a/pandora_console/operation/events/events.build_table.php
+++ b/pandora_console/operation/events/events.build_table.php
@@ -982,24 +982,26 @@ if ($group_rep == 2) {
                 $array_events_actions[$val['id']] = $val['name'];
             }
 
-            if ($config['event_replication'] != 1) {
-                echo '<div style="width:100%;text-align:right;">';
-                echo '<form method="post" id="form_event_response">';
-                html_print_select($array_events_actions, 'response_id', '', '', '', 0, false, false, false);
-                echo '&nbsp&nbsp';
-                html_print_button(__('Execute event response'), 'submit_event_response', false, 'execute_event_response(true);', 'class="sub next"');
-                echo "<span id='response_loading_dialog' style='display:none'>".html_print_image('images/spinner.gif', true).'</span>';
-                echo '</form>';
-                echo '<span id="max_custom_event_resp_msg" style="display:none; color:#e63c52; line-height: 200%;">';
-                echo __(
-                    'A maximum of %s event custom responses can be selected',
-                    $config['max_execution_event_response']
-                ).'</span>';
-                echo '<span id="max_custom_selected" style="display:none; color:#e63c52; line-height: 200%;">';
-                echo __(
-                    'Please, select an event'
-                ).'</span>';
-                echo '</div>';
+            if (check_acl($config['id_user'], 0, 'EW')) {
+                if ($config['event_replication'] != 1) {
+                    echo '<div style="width:100%;text-align:right;">';
+                    echo '<form method="post" id="form_event_response">';
+                    html_print_select($array_events_actions, 'response_id', '', '', '', 0, false, false, false);
+                    echo '&nbsp&nbsp';
+                    html_print_button(__('Execute event response'), 'submit_event_response', false, 'execute_event_response(true);', 'class="sub next"');
+                    echo "<span id='response_loading_dialog' style='display:none'>".html_print_image('images/spinner.gif', true).'</span>';
+                    echo '</form>';
+                    echo '<span id="max_custom_event_resp_msg" style="display:none; color:#e63c52; line-height: 200%;">';
+                    echo __(
+                        'A maximum of %s event custom responses can be selected',
+                        $config['max_execution_event_response']
+                    ).'</span>';
+                    echo '<span id="max_custom_selected" style="display:none; color:#e63c52; line-height: 200%;">';
+                    echo __(
+                        'Please, select an event'
+                    ).'</span>';
+                    echo '</div>';
+                }
             }
         }
 
diff --git a/pandora_console/operation/events/events.php b/pandora_console/operation/events/events.php
index ba029bfb17..974dd9c247 100644
--- a/pandora_console/operation/events/events.php
+++ b/pandora_console/operation/events/events.php
@@ -1530,26 +1530,26 @@ foreach ($event_responses as $val) {
     $array_events_actions[$val['id']] = $val['name'];
 }
 
-
-echo '<div class="multi-response-buttons">';
-echo '<form method="post" id="form_event_response">';
-echo '<input type="hidden" id="max_execution_event_response" value="'.$config['max_execution_event_response'].'" />';
-html_print_select($array_events_actions, 'response_id', '', '', '', 0, false, false, false);
-echo '&nbsp&nbsp';
-html_print_button(__('Execute event response'), 'submit_event_response', false, 'execute_event_response(true);', 'class="sub next"');
-echo "<span id='response_loading_dialog' style='display:none'>".html_print_image('images/spinner.gif', true).'</span>';
-echo '</form>';
-echo '<span id="max_custom_event_resp_msg" style="display:none; color:#e63c52; line-height: 200%;">';
-echo __(
-    'A maximum of %s event custom responses can be selected',
-    $config['max_execution_event_response']
-).'</span>';
-echo '<span id="max_custom_selected" style="display:none; color:#e63c52; line-height: 200%;">';
-echo __(
-    'Please, select an event'
-).'</span>';
-echo '</div>';
-
+if (check_acl($config['id_user'], 0, 'EW')) {
+    echo '<div class="multi-response-buttons">';
+    echo '<form method="post" id="form_event_response">';
+    echo '<input type="hidden" id="max_execution_event_response" value="'.$config['max_execution_event_response'].'" />';
+    html_print_select($array_events_actions, 'response_id', '', '', '', 0, false, false, false);
+    echo '&nbsp&nbsp';
+    html_print_button(__('Execute event response'), 'submit_event_response', false, 'execute_event_response(true);', 'class="sub next"');
+    echo "<span id='response_loading_dialog' style='display:none'>".html_print_image('images/spinner.gif', true).'</span>';
+    echo '</form>';
+    echo '<span id="max_custom_event_resp_msg" style="display:none; color:#e63c52; line-height: 200%;">';
+    echo __(
+        'A maximum of %s event custom responses can be selected',
+        $config['max_execution_event_response']
+    ).'</span>';
+    echo '<span id="max_custom_selected" style="display:none; color:#e63c52; line-height: 200%;">';
+    echo __(
+        'Please, select an event'
+    ).'</span>';
+    echo '</div>';
+}
 
 // Close viewer.
 enterprise_hook('close_meta_frame');