diff --git a/database.php b/database.php index a3d1d3a..7bdf7ce 100644 --- a/database.php +++ b/database.php @@ -72,6 +72,17 @@ function syslog_db_fetch_cell($sql, $col_name = '', $log = TRUE) { return db_fetch_cell($sql, $col_name, $log, $syslog_cnn); } +/* syslog_db_fetch_assoc_prepared - run a 'select' sql query and return all rows found + @arg $sql - the sql query to run + @arg $params - the parameters to bind to the query + @arg $log - whether or not to log the query to the cacti log + @returns - the complete result set as an associative array */ +function syslog_db_fetch_assoc_prepared($sql, $params = array(), $log = TRUE) { + global $syslog_cnn; + + return db_fetch_assoc_prepared($sql, $params, $log, $syslog_cnn); +} + /* syslog_db_fetch_cell_prepared - run a 'select' sql query and return the first column of the first row found @param $sql - the sql query to execute @@ -128,4 +139,3 @@ function syslog_sql_save($array_items, $table_name, $key_cols = 'id', $autoinc = global $syslog_cnn; return sql_save($array_items, $table_name, $key_cols, $autoinc, $syslog_cnn); } - diff --git a/functions.php b/functions.php index 5c6c7c0..bed0360 100644 --- a/functions.php +++ b/functions.php @@ -226,6 +226,12 @@ function syslog_remove_items($table, $uniqueID) { if (sizeof($rows)) { foreach($rows as $remove) { + /* SQL expressions are legacy, untrusted input and cannot be safely bound + * as prepared-statement values. Ignore them rather than executing raw SQL. */ + if ($remove['type'] == 'sql') { + cacti_log('Syslog SQL removal rules are disabled for safety.', false, 'SYSTEM'); + continue; + } $sql = ''; $sql1 = ''; if ($remove['type'] == 'facility') { @@ -800,4 +806,3 @@ function syslog_manage_items($from_table, $to_table) { return array('removed' => $removed, 'xferred' => $xferred); } - diff --git a/setup.php b/setup.php index e70d620..92d578b 100644 --- a/setup.php +++ b/setup.php @@ -928,7 +928,6 @@ function syslog_config_arrays () { 'messagee' => __('Ends with', 'syslog'), 'host' => __('Hostname is', 'syslog'), 'facility' => __('Facility is', 'syslog'), - 'sql' => __('SQL Expression', 'syslog') ); $syslog_freqs = array( @@ -1093,4 +1092,3 @@ function syslog_utilities_list() { ' . (get_request_var('host') != '-2' ? $r['host']:'-') . ''; + echo '' . (get_request_var('host') != '-2' ? htmlspecialchars($r['host'], ENT_QUOTES, 'UTF-8'):'-') . ''; echo '' . (get_request_var('facility') != '-2' ? ucfirst($r['facility']):'-') . ''; echo '' . (get_request_var('priority') != '-2' ? ucfirst($r['priority']):'-') . ''; - echo '' . (get_request_var('program') != '-2' ? ucfirst($r['program']):'-') . ''; + echo '' . (get_request_var('program') != '-2' ? htmlspecialchars(ucfirst($r['program']), ENT_QUOTES, 'UTF-8'):'-') . ''; //echo '' . $r['insert_time'] . ''; echo '' . $time . ''; echo '' . number_format_i18n($r['records'], -1) . ''; @@ -1667,4 +1667,3 @@ function get_ajax_programs($include_any = true, $sql_where = '') { print json_encode($return); } - diff --git a/syslog_process.php b/syslog_process.php index 681632b..7d53c8b 100644 --- a/syslog_process.php +++ b/syslog_process.php @@ -272,43 +272,56 @@ $smsalert = ''; $th_sql = ''; + $params = array(); if ($alert['type'] == 'facility') { $sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming` - WHERE ' . $syslog_incoming_config['facilityField'] . "='" . $alert['message'] . "' - AND status=" . $uniqueID; + WHERE ' . $syslog_incoming_config['facilityField'] . '=? + AND status=?'; + $params[] = $alert['message']; + $params[] = $uniqueID; } else if ($alert['type'] == 'messageb') { $sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming` - WHERE ' . $syslog_incoming_config['textField'] . " - LIKE '" . $alert['message'] . "%' - AND status=" . $uniqueID; + WHERE ' . $syslog_incoming_config['textField'] . ' + LIKE ? + AND status=?'; + $params[] = $alert['message'] . '%'; + $params[] = $uniqueID; } else if ($alert['type'] == 'messagec') { $sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming` - WHERE ' . $syslog_incoming_config['textField'] . " - LIKE '%" . $alert['message'] . "%' - AND status=" . $uniqueID; + WHERE ' . $syslog_incoming_config['textField'] . ' + LIKE ? + AND status=?'; + $params[] = '%' . $alert['message'] . '%'; + $params[] = $uniqueID; } else if ($alert['type'] == 'messagee') { $sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming` - WHERE ' . $syslog_incoming_config['textField'] . " - LIKE '%" . $alert['message'] . "' - AND status=" . $uniqueID; + WHERE ' . $syslog_incoming_config['textField'] . ' + LIKE ? + AND status=?'; + $params[] = '%' . $alert['message']; + $params[] = $uniqueID; } else if ($alert['type'] == 'host') { $sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming` - WHERE ' . $syslog_incoming_config['hostField'] . "='" . $alert['message'] . "' - AND status=" . $uniqueID; + WHERE ' . $syslog_incoming_config['hostField'] . '=? + AND status=?'; + $params[] = $alert['message']; + $params[] = $uniqueID; } else if ($alert['type'] == 'sql') { $sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming` - WHERE (' . $alert['message'] . ') - AND status=' . $uniqueID; + WHERE (?) + AND status=?'; + $params[] = $alert['message']; + $params[] = $uniqueID; } if ($sql != '') { if ($alert['method'] == '1') { $th_sql = str_replace('*', 'count(*)', $sql); - $count = syslog_db_fetch_cell($th_sql); + $count = syslog_db_fetch_cell_prepared($th_sql, $params); } if (($alert['method'] == '1' && $count >= $alert['num']) || ($alert['method'] == '0')) { - $at = syslog_db_fetch_assoc($sql); + $at = syslog_db_fetch_assoc_prepared($sql, $params); /* get a date for the repeat alert */ if ($alert['repeat_alert']) {