Escape services commands properly. (#9269)

* Attempt to escape services commands properly. * Add LC_NUMERIC="C" back * Updated create-service to only faily if a dbUpdate fails
librenms · Oct 17, 2018 · 10432b1 · 10432b1
1 parent f049593
commit 10432b1
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 10 deletions.
diff --git a/html/includes/forms/create-service.inc.php b/html/includes/forms/create-service.inc.php
@@ -28,7 +28,7 @@
 if (is_numeric($service_id) && $service_id > 0) {
     // Need to edit.
     $update = array('service_desc' => $desc, 'service_ip' => $ip, 'service_param' => $param);
-    if (edit_service($update, $service_id)) {
+    if (is_numeric(edit_service($update, $service_id))) {
         $status = array('status' =>0, 'message' => 'Modified Service: <i>'.$service_id.': '.$type.'</i>');
     } else {
         $status = array('status' =>1, 'message' => 'ERROR: Failed to modify service: <i>'.$service_id.'</i>');

diff --git a/includes/services.inc.php b/includes/services.inc.php
@@ -137,9 +137,6 @@ function poll_service($service)
     // Some debugging
     d_echo("\nNagios Service - $service_id\n");
     // the check_service function runs $check_cmd through escapeshellcmd, so
-    // echo the command as it will be run after being escaped
-    $escaped_check_cmd = escapeshellcmd($check_cmd);
-    d_echo("Request:  $escaped_check_cmd\n");
     list($new_status, $msg, $perf) = check_service($check_cmd);
     d_echo("Response: $msg\n");
 
@@ -215,21 +212,22 @@ function poll_service($service)
 
 function check_service($command)
 {
-    global $config;
     // This array is used to test for valid UOM's to be used for graphing.
     // Valid values from: https://nagios-plugins.org/doc/guidelines.html#AEN200
     // Note: This array must be decend from 2 char to 1 char so that the search works correctly.
     $valid_uom = array ('us', 'ms', 'KB', 'MB', 'GB', 'TB', 'c', 's', '%', 'B');
 
     // Make our command safe.
-    $p_config = HTMLPurifier_Config::createDefault();
-    $p_config->set('Cache.SerializerPath', $config['temp_dir']);
-    $purifier = new HTMLPurifier($p_config);
+    $parts = preg_split('~(?:\'[^\']*\'|"[^"]*")(*SKIP)(*F)|\h+~', trim($command));
+    $safe_command = implode(' ', array_map(function ($part) {
+        $trimmed = preg_replace('/^(\'(.*)\'|"(.*)")$/', '$2$3', $part);
+        return escapeshellarg($trimmed);
+    }, $parts));
 
-    $command = 'LC_NUMERIC="C" '. $purifier->purify($command);
+    d_echo("Request:  $safe_command\n");
 
     // Run the command and return its response.
-    exec($command, $response_array, $status);
+    exec('LC_NUMERIC="C" ' . $safe_command, $response_array, $status);
 
     // exec returns an array, lets implode it back to a string.
     $response_string = implode("\n", $response_array);