From e846299ce7f7c6b6fd54a8c6bd831d99d2ecc260 Mon Sep 17 00:00:00 2001 From: zarzuelo Date: Wed, 3 Nov 2010 12:18:33 +0000 Subject: [PATCH] 2010-11-03 Sergio Martin * include/functions_modules.php include/functions_reporting.php include/functions.php include/functions_db.php operation/agentes/ver_agente.php godmode/massive/massive_delete_modules.php: Fixed several html entities codifications with safe_input/safe_output git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@3502 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f --- pandora_console/ChangeLog | 10 ++++++ .../massive/massive_delete_modules.php | 9 +++-- pandora_console/include/functions.php | 3 +- pandora_console/include/functions_db.php | 4 +-- pandora_console/include/functions_modules.php | 5 ++- .../include/functions_reporting.php | 36 +++++++++++-------- .../operation/agentes/ver_agente.php | 4 +-- 7 files changed, 45 insertions(+), 26 deletions(-) diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog index bbbe532bd7..681fcac5c7 100644 --- a/pandora_console/ChangeLog +++ b/pandora_console/ChangeLog @@ -1,3 +1,13 @@ +2010-11-03 Sergio Martin + + * include/functions_modules.php + include/functions_reporting.php + include/functions.php + include/functions_db.php + operation/agentes/ver_agente.php + godmode/massive/massive_delete_modules.php: Fixed + several html entities codifications with safe_input/safe_output + 2010-11-02 Sergio Martin * pandoradb_data.sql: Changed several spaces and parentheses diff --git a/pandora_console/godmode/massive/massive_delete_modules.php b/pandora_console/godmode/massive/massive_delete_modules.php index 513999f25d..88207155ca 100644 --- a/pandora_console/godmode/massive/massive_delete_modules.php +++ b/pandora_console/godmode/massive/massive_delete_modules.php 
@@ -83,14 +83,13 @@ $delete = (bool) get_parameter_post ('delete'); if ($delete) { $result = process_manage_delete ($module_name, $id_agents); - if ($result) { - pandora_audit("Masive management", "Delete module ", false, false, - 'Agent: ' . json_encode($id_agents) . ' Module: ' . $module_names); + pandora_audit("Massive management", "Delete module ", false, false, + 'Agent: ' . json_encode($id_agents) . ' Module: ' . $module_name); } else { - pandora_audit("Masive management", "Fail try to delete module", false, false, - 'Agent: ' . json_encode($id_agents) . ' Module: ' . $module_names); + pandora_audit("Massive management", "Fail try to delete module", false, false, + 'Agent: ' . json_encode($id_agents) . ' Module: ' . $module_name); } } diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php index 0127862c85..8d8e763961 100644 --- a/pandora_console/include/functions.php +++ b/pandora_console/include/functions.php @@ -1164,10 +1164,9 @@ function string2image($string, $width, $height, $fontsize = 3, **/ function check_sql ($sql){ - // We remove "*" to avoid things like SELECT * FROM tusuario - if (preg_match("/\*|DELETE|DROP|ALTER|MODIFY|UNION|password|pass|INSERT|UPDATE/", $sql)){ + if (preg_match("/\*|delete|drop|alter|modify|union|password|pass|insert|update/i", $sql)){ return ""; } return $sql; diff --git a/pandora_console/include/functions_db.php b/pandora_console/include/functions_db.php index 5756b92793..5e4434e517 100644 --- a/pandora_console/include/functions_db.php +++ b/pandora_console/include/functions_db.php @@ -693,9 +693,9 @@ function get_agent_modules ($id_agent, $details = false, $filter = false, $index %s ORDER BY nombre', ($details != '*' && $indexed) ? 'id_agente_modulo,' : '', - implode (",", (array) $details), + safe_output(implode (",", (array) $details)), $where); - $sql = safe_output($sql); + $result = get_db_all_rows_sql ($sql); if (empty ($result)) { 
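Review bot: The audit detail now records `$module_name` by plain string concatenation while `$id_agents` goes through `json_encode`; if `$module_name` can be an array for a massive delete (its definition is above the hunk, so I cannot confirm), the concatenation logs the literal `Array` and the audit entry loses the evidence it exists to keep. Encoding it the same way, `'Agent: ' . json_encode($id_agents) . ' Module: ' . json_encode($module_name)`, covers both the scalar and the array case and also stops quotes or control characters in a user-supplied module name from breaking the audit line. The enclosing `if ($delete)` block starts before the hunk.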
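Review bot: `check_sql` is a keyword blocklist, and the `/i` flag only closes the `DeLeTe` case hole; the pattern still has no word boundaries (so `pass` already subsumes `password`, and any identifier containing `update`, e.g. `last_update`, is rejected) while it says nothing about `truncate`, `replace`, `grant`, `load_file`, `into outfile` or reads from `information_schema`, so it cannot be the only thing between a report author and the database. Since the only caller visible in this diff feeds user-authored report SQL straight into `get_db_all_rows_sql`, the stronger fix is to execute custom-SQL reports over a connection whose account has only SELECT on the tables reports are allowed to read, keeping this regex as defence in depth; at minimum state that intent above the function: `// Blocklist only: rejects obvious write/privilege keywords. Not a parser; must be paired with a read-only DB account.`. Note also that `\*` rejects `COUNT(*)` and multiplication, which the user-facing error text in functions_reporting should say if that is intended.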
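Review bot: `$details` is still interpolated into the column list through `sprintf('%s')` and is now run through `safe_output` first, which presumably turns stored entities such as `&#x27;` or `&quot;` back into literal quote characters just before they reach the query; that is harmless for a hard-coded column list but is an injection path if any caller forwards request input as `$details`, and the callers are not in this hunk. A cheap guard is to reject each entry that fails `preg_match('/^[A-Za-z0-9_.`]+$/', $col)` (allowing the `*` sentinel) before imploding. Dropping `$sql = safe_output($sql)` also means `$where`, built from `$filter` above the hunk, is no longer entity-decoded, which is a behaviour change worth confirming against callers that stored filter values with `safe_input`. `get_agent_modules` begins and ends outside the hunk.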
diff --git a/pandora_console/include/functions_modules.php b/pandora_console/include/functions_modules.php index 6a6b8785d4..52f9fe0945 100644 --- a/pandora_console/include/functions_modules.php +++ b/pandora_console/include/functions_modules.php @@ -2,7 +2,7 @@ // Pandora FMS - http://pandorafms.com // ================================================== -// Copyright (c) 2005-2009 Artica Soluciones Tecnologicas +// Copyright (c) 2005-2010 Artica Soluciones Tecnologicas // Please see http://pandorafms.org for full contribution list // This program is free software; you can redistribute it and/or @@ -120,6 +120,9 @@ function copy_agent_module_to_agent ($id_agent_module, $id_destiny_agent, $force * @return True if the module was deleted. False if not. */ function delete_agent_module ($id_agent_module) { + if(!$id_agent_module) + return false; + $where = array ('id_agent_module' => $id_agent_module); enterprise_hook('deleteLocalModuleInConf', array(get_agentmodule_agent($id_agent_module), get_agentmodule_name($id_agent_module))); diff --git a/pandora_console/include/functions_reporting.php b/pandora_console/include/functions_reporting.php index 772f8b5c8f..451c8d06da 100644 --- a/pandora_console/include/functions_reporting.php +++ b/pandora_console/include/functions_reporting.php 
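Review bot: The new guard `if(!$id_agent_module) return false;` stops an empty id from building a `$where` on nothing, but it still lets non-numeric strings, negative values and arrays through to `get_agentmodule_agent()`, `get_agentmodule_name()` and the delete that follows; since the id is a primary key, a type-checked guard is tighter: `$id_agent_module = (int) $id_agent_module;` followed by `if ($id_agent_module <= 0) return false;`. That also keeps the documented contract `@return True if the module was deleted. False if not.` honest for bad input. Whether any caller legitimately passes a non-integer id I cannot tell from this hunk, and the function body continues past it.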
@@ -1968,29 +1968,37 @@ function render_report_html_item ($content, $table, $report, $mini = false) { } if ($content['treport_custom_sql_id'] != 0) { - $sql = safe_output (get_db_value_filter('`sql`', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id']))); + $sql = safe_output_html (get_db_value_filter('`sql`', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id']))); } else { - $sql = safe_output ($content['external_source']); + $sql = safe_output_html ($content['external_source']); } // Do a security check on SQL coming from the user $sql = check_sql ($sql); - - $result = get_db_all_rows_sql($sql); - if ($result === false) { - $result = array(); - } - if (isset($result[0])) { - if (count($result[0]) > count($table2->head)) { - $table2->head = array_pad($table2->head, count($result[0]), ' '); + if($sql != '') { + $result = get_db_all_rows_sql($sql); + if ($result === false) { + $result = array(); + } + + if (isset($result[0])) { + if (count($result[0]) > count($table2->head)) { + $table2->head = array_pad($table2->head, count($result[0]), ' '); + } + } + + $table2->data = array(); + foreach ($result as $row) { + array_push($table2->data, $row); } } - - $table2->data = array(); - foreach ($result as $row) { - array_push($table2->data, $row); + else { + $table2->data = array(); + array_push($table2->data, array("id_user" => "
[".__('Illegal query')."]
". + __('Due security restrictions, there are some tokens or words you cannot use'). + ': *, delete, drop, alter, modify, union, password, pass, insert '.__('or')." update.
")); } $cellContent = print_table($table2, true); diff --git a/pandora_console/operation/agentes/ver_agente.php b/pandora_console/operation/agentes/ver_agente.php index 7d1d25f7b4..ac6612e3cb 100644 --- a/pandora_console/operation/agentes/ver_agente.php +++ b/pandora_console/operation/agentes/ver_agente.php @@ -111,7 +111,7 @@ if (is_ajax ()) { $result = array(); foreach($nameModules as $nameModule) { - $result[] = $nameModule['nombre']; + $result[] = safe_output($nameModule['nombre']); } echo json_encode($result); @@ -127,7 +127,7 @@ if (is_ajax ()) { if ($agentName != null) { $search = array(); - $search['name'] = $agentName; + $search['name'] = safe_output($agentName); } else $search = false;
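Review bot: The new "Illegal query" message hardcodes the forbidden-token list (`*, delete, drop, alter, modify, union, password, pass, insert, update`) separately from the regex inside `check_sql`, so the two will drift the next time a keyword is added or removed; keep the list in one place (a constant or small helper that both the regex and this message read from) instead of maintaining it twice. Also, if `get_db_value_filter` returns `false` for an unknown `treport_custom_sql_id`, `$sql` is presumably empty after `safe_output_html`/`check_sql` and the `else` branch then reports the query as illegal rather than missing, so a `$sql === ''` test before `check_sql` with its own message would avoid a misleading report. The rows returned by user-authored SQL are handed to `print_table` at the end of the hunk and I cannot see whether their values are HTML-escaped there; worth checking, since the report author controls them. `render_report_html_item` starts before the hunk and continues past it.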
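Review bot: Running `safe_output` over each module name before `json_encode` presumably puts raw `<`, `>` and `"` characters into the AJAX payload, which is only safe if the JavaScript consumer inserts them as text (`textContent` / jQuery `.text()`) rather than through `innerHTML` / `.html()`; that consumer is not in this diff, so it needs confirming. A one-line comment at the loop records the contract for the next reader: `// Names are entity-decoded here; the client must insert them as text, not HTML.`. If the client does use `.html()`, keep the encoded form in the response and decode on the client side instead.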
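Review bot: `$search['name'] = safe_output($agentName)` decodes a request-supplied value (`$agentName` is read above the hunk) before it is handed to whatever search helper consumes `$search`; if that helper builds a `LIKE` clause by concatenation, this decoding is exactly what reintroduces the quote characters that `safe_input` had neutralised on the way in. Verify that the helper escapes or parameterises the value, and if it does not, escape at the assignment with the project's DB-layer escape function, e.g. `$search['name'] = db_escape(safe_output($agentName));` under whatever name that helper actually has. Neither end of this code path is visible in the hunk.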