Add limitation for view names. Fixes #160
vvuksan committed Mar 6, 2013
1 parent 93be702 commit 552965f
Showing 4 changed files with 41 additions and 66 deletions.
12 changes: 12 additions & 0 deletions functions.php
@@ -365,6 +365,18 @@ function is_valid_hex_color( $string )

}

#------------------------------------------------------------------------------
# Allowed view name characters are alphanumeric plus space, dash and underscore
function is_proper_view_name( $string )
{
if(preg_match("/[^a-zA-z0-9_\-\ ]/", $string)){
return false;
} else {
return true;
}
}


#------------------------------------------------------------------------------
# Return a shortened version of a FQDN
# if "hostname" is numeric only, assume it is an IP instead
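Review bot: The character class on line 20 is written `A-z` rather than `A-Z`, so besides letters and digits it also admits the ASCII characters that sit between `Z` and `a` (`[`, `\`, `]`, `^`, `` ` ``), which contradicts the comment on line 17; both new call sites, get_context.php line 40 and views_view.php line 58, inherit this. The check should also guard the type of its argument, since a non-string subject (an array-valued query parameter, for instance) makes `preg_match` fail and return a falsy value, which the current `else` branch then reports as a valid name: `if (!is_string($string) || preg_match('/[^a-zA-Z0-9_\- ]/', $string)) {`. Note that the empty string passes as well; callers that require a non-empty view name must check that themselves, and the header comment could say so, e.g. `# Returns true for the empty string; callers must check length separately`.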
6 changes: 4 additions & 2 deletions get_context.php
Expand Up @@ -15,8 +15,10 @@
$user['gridname'] = isset($_GET["G"]) ?
escapeshellcmd( clean_string( rawurldecode($_GET["G"]) ) ) : NULL;

$user['viewname'] = isset($_GET["vn"]) ?
escapeshellcmd( clean_string( rawurldecode($_GET["vn"]) ) ) : '';
$user['viewname'] = '';
if ( isset($_GET["vn"]) && is_proper_view_name ($_GET["vn"]) ) {
$user['viewname'] = $_GET["vn"];
}

if($conf['case_sensitive_hostnames'] == 1) {
$user['hostname'] = isset($_GET["h"]) ?
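Review bot: An invalid `vn` is silently replaced by the empty string on lines 39–42, so downstream code cannot distinguish "no view requested" from "view name rejected"; the equivalent check in views_view.php reports the rejection, and it would help troubleshooting to at least record it here, e.g. an `else` branch with `error_log('get_context: rejected value in vn parameter');` (without echoing the value itself). Minor style point: `is_proper_view_name ($_GET["vn"])` has a space before the argument list, unlike the other calls on this page; write `is_proper_view_name($_GET["vn"])`. Since the neighbouring parameters on lines 34–35 are still passed through `escapeshellcmd(clean_string(...))`, a one-line comment such as `// vn is whitelisted by is_proper_view_name() instead of being escaped` would explain why `vn` is handled differently.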
55 changes: 0 additions & 55 deletions views.php

This file was deleted.

34 changes: 25 additions & 9 deletions views_view.php
Expand Up @@ -6,6 +6,20 @@
if (! checkAccess(GangliaAcl::ALL_VIEWS, GangliaAcl::VIEW, $conf))
die("You do not have access to view views.");

$user['view_name'] = $_REQUEST['view_name'];

if( !is_proper_view_name ( $user['view_name'])){
?>
<div class="ui-widget">
<div class="ui-state-default ui-corner-all" styledefault="padding: 0 .7em;">
<p><span class="ui-icon ui-icon-alert" style="float: left; margin-right: .3em;"></span>
View names valid characters are 0-9, a-z, A-Z, -, _ and space. View has not been created.</p>
</div>
</div>
<?php
exit(0);
}

///////////////////////////////////////////////////////////////////////////////
// Create new view
///////////////////////////////////////////////////////////////////////////////
@@ -19,19 +33,20 @@
$available_views = get_available_views();

foreach ($available_views as $view_id => $view) {
if ($view['view_name'] == $_GET['view_name']) {
if ($view['view_name'] == $user['view_name']) {
$view_exists = 1;
break;
}
}

if ($view_exists == 1) {
$output = "<strong>Alert:</strong> View with the name " .
$_GET['view_name'] .
$user['view_name'] .
" already exists.";
} else {
$empty_view = array ("view_name" => $_GET['view_name'],
$empty_view = array ("view_name" => $user['view_name'],
"items" => array());
$view_suffix = str_replace(" ", "_", $_GET['view_name']);
$view_suffix = str_replace(" ", "_", $user['view_name']);
$view_filename = $conf['views_dir'] . "/view_" . preg_replace('/[^a-zA-Z0-9_-]/', '', $view_suffix) . ".json";
if ( pathinfo( $view_filename, PATHINFO_DIRNAME ) != $conf['views_dir'] ) {
die('Invalid path detected');
@@ -71,17 +86,18 @@
$available_views = get_available_views();

foreach ($available_views as $view_id => $view) {
if ($view['view_name'] == $_GET['view_name']) {
if ($view['view_name'] == $user['view_name']) {
$view_exists = 1;
break;
}
}

if ($view_exists != 1) {
$output = "<strong>Alert:</strong> View with the name " .
$_GET['view_name'] .
$user['view_name'] .
" does not exist.";
} else {
$view_suffix = str_replace(" ", "_", $_GET['view_name']);
$view_suffix = str_replace(" ", "_", $user['view_name']);
$view_filename = $conf['views_dir'] . "/view_" . preg_replace('/[^a-zA-Z0-9_-]/', '', $view_suffix) . ".json";
if ( pathinfo( $view_filename, PATHINFO_DIRNAME ) != $conf['views_dir'] ) {
die('Invalid path detected');
@@ -109,15 +125,15 @@
$available_views = get_available_views();

foreach ($available_views as $view_id => $view) {
if ($view['view_name'] == $_GET['view_name']) {
if ($view['view_name'] == $user['view_name']) {
$view_exists = 1;
break;
}
}

if ($view_exists == 0) {
$output = "<strong>Alert:</strong> View " .
$_GET['view_name'] .
$user['view_name'] .
" does not exist. This should not happen.";
} else {
// Read in contents of an existing view
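Review bot: `$user['view_name'] = $_REQUEST['view_name'];` on line 56 reads the parameter without an `isset()` check and from `$_REQUEST` rather than the `$_GET` the replaced lines used, so depending on the `request_order` configuration the value may now also arrive via POST or cookie data, and a missing parameter yields `null`, which `preg_match` treats as the empty string and the validator accepts. Prefer `$user['view_name'] = isset($_GET['view_name']) ? $_GET['view_name'] : '';` and reject an empty name in the same branch as the invalid-character case, so the later create/delete/edit paths never run with an empty name. The attribute `styledefault="padding: 0 .7em;"` on line 61 looks like a typo for `style=` and is ignored by browsers. The comparisons `$view['view_name'] == $user['view_name']` on lines 78, 103 and 125 use loose equality; `===` avoids numeric-string coercion when matching names.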

0 comments on commit 552965f
