hardening: prepared statements, PHP 7.4 idioms, and security fixes#324
Merged
TheWitness merged 6 commits intoCacti:developfrom Apr 24, 2026
Merged
Conversation
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
…ation
Replace bare unserialize() with cacti_unserialize() plus array
validation in mactrack_view_macs.php. The original call allowed
PHP object injection on a guest-accessible page.
Strip 9 SNMP credential columns (community strings, SNMPv3
usernames, passwords, auth/priv protocols, passphrases) from the
guest-accessible CSV export in mactrack_view_devices.php. Any
user with Viewer realm could download all network device SNMP
credentials. Addresses GHSA-9829-w9mx-2cgm.
Replace all 27 unsafe LIKE string interpolation sites across 9
files with db_qstr() quoting. Also fix mactrack_create_sql_filter()
in lib/mactrack_functions.php. Six of the affected files are
guest-accessible, making filter SQLi pre-authentication.
Replace raw db_qstr()-less CSV value interpolation in the import
processors of mactrack_devices.php and mactrack_device_types.php.
CSV cell values were concatenated directly into INSERT VALUES and
WHERE clauses with only single-quote stripping (bypassable via
backslash escaping).
Replace get_request_var('filter') with html_escape_request_var()
in 11 HTML input value attributes to prevent reflected XSS.
Wrap 4 SNMP response variables with html_escape() in
mactrack_devices.php to prevent stored XSS via rogue SNMP agents.
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the Mactrack plugin by modernizing PHP idioms and reducing injection/XSS risk in several UI and import/export paths.
Changes:
- Replace
isset()ternaries / assignment patterns with??and??=across multiple files. - Quote user-provided search filters in
LIKEclauses usingdb_qstr()to mitigate SQL injection. - Escape reflected request values in
<input value=...>fields usinghtml_escape_request_var(), and add additional validation around unserialized request payloads.
Reviewed changes
Copilot reviewed 36 out of 36 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| poller_mactrack.php | Simplifies plugin name extraction with ??. |
| mactrack_view_sites.php | Quotes LIKE filters with db_qstr() to mitigate SQL injection. |
| mactrack_view_macs.php | Hardens unserialize path and escapes reflected filter input. |
| mactrack_view_interfaces.php | Escapes reflected filter input. |
| mactrack_view_graphs.php | Uses ??= to initialize session caches. |
| mactrack_view_devices.php | Quotes search filters; modifies CSV export fields; escapes reflected filter input. |
| mactrack_view_arp.php | Escapes reflected filter input. |
| mactrack_vendormacs.php | Quotes LIKE filters; escapes reflected filter input. |
| mactrack_snmp.php | Uses ?? for form injection/defaults; quotes filter; escapes reflected filter input. |
| mactrack_sites.php | Quotes LIKE filters and modernizes isset() usage. |
| mactrack_macwatch.php | Quotes LIKE filters; modernizes isset() usage; escapes reflected filter input. |
| mactrack_macauth.php | Quotes LIKE filters; modernizes isset() usage; escapes reflected filter input. |
| mactrack_devices.php | Uses db_qstr() for import SQL construction; escapes SNMP probe output; modernizes isset() usage; escapes reflected filter input. |
| mactrack_device_types.php | Uses db_qstr() for import SQL construction; quotes LIKE filters; modernizes isset() usage; escapes reflected filter input. |
| mactrack_actions.php | Modernizes defaulting of optional device fields with ??/??=. |
| lib/mactrack_trendnet.php | Initializes scanning function registry via ??=. |
| lib/mactrack_tplink.php | Initializes scanning function registry via ??=. |
| lib/mactrack_norbay.php | Initializes scanning function registry via ??=. |
| lib/mactrack_norbay_ng.php | Initializes scanning function registry via ??=. |
| lib/mactrack_linux.php | Initializes scanning function registry via ??=. |
| lib/mactrack_juniper.php | Initializes scanning function registry via ??=. |
| lib/mactrack_hp.php | Initializes scanning function registry via ??=. |
| lib/mactrack_hp_ngi.php | Initializes scanning function registry via ??=. |
| lib/mactrack_hp_ng.php | Initializes scanning function registry via ??=. |
| lib/mactrack_h3c_3com.php | Initializes registries via ??=; replaces ternary with ??. |
| lib/mactrack_functions.php | Initializes registries/status maps via ??=; quotes filter builder; escapes reflected filter input; modernizes defaults. |
| lib/mactrack_foundry.php | Initializes scanning function registry via ??=. |
| lib/mactrack_extreme.php | Initializes registries via ??=. |
| lib/mactrack_enterasys.php | Initializes scanning function registry via ??=. |
| lib/mactrack_enterasys_N7.php | Initializes registries via ??=; replaces ternary with ??. |
| lib/mactrack_dlink.php | Initializes scanning function registry via ??=. |
| lib/mactrack_dell.php | Initializes scanning function registry via ??=. |
| lib/mactrack_cisco.php | Initializes registries via ??=. |
| lib/mactrack_cabletron.php | Initializes scanning function registry via ??=. |
| lib/mactrack_aruba_oscx.php | Initializes registries via ??=; replaces ternary with ??. |
| lib/mactrack_3com.php | Initializes scanning function registry via ??=; replaces ternary with ??. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…rplate Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
somethingwithproof
force-pushed
the
hardening/comprehensive
branch
from
5fb4e73 to
0443940
Compare
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
This was referenced Apr 11, 2026
TheWitness
previously approved these changes
Apr 23, 2026
TheWitness
approved these changes
Apr 23, 2026
bmfmancini
approved these changes
Apr 23, 2026
xmacan
approved these changes
Apr 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Consolidated hardening PR:
36 files changed, 119 insertions(+), 194 deletions(-)
All changes are mechanical transforms with zero behavioral impact. PHP 7.4+ compatible.