-rw-r--r-- | net/cacti/Makefile | 5 | ||||
-rw-r--r-- | net/cacti/PLIST | 78 | ||||
-rw-r--r-- | net/cacti/distinfo | 16 | ||||
-rw-r--r-- | net/cacti/patches/patch-cdef.php | 20 | ||||
-rw-r--r-- | net/cacti/patches/patch-graph_xport.php | 71 | ||||
-rw-r--r-- | net/cacti/patches/patch-host.php | 18 | ||||
-rw-r--r-- | net/cacti/patches/patch-install_index.php | 132 | ||||
-rw-r--r-- | net/cacti/patches/patch-lib_api_device.php | 17 | ||||
-rw-r--r-- | net/cacti/patches/patch-lib_graph_export.php | 28 | ||||
-rw-r--r-- | net/cacti/patches/patch-lib_rrd.php | 49 |
10 files changed, 77 insertions, 357 deletions
diff --git a/net/cacti/Makefile b/net/cacti/Makefile index 5ac3818a1b7..fb330e1ddf4 100644 --- a/net/cacti/Makefile +++ b/net/cacti/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.25 2015/03/11 07:39:15 nils Exp $ +# $NetBSD: Makefile,v 1.26 2015/03/11 13:56:46 adam Exp $ -DISTNAME= cacti-0.8.8b -PKGREVISION= 4 +DISTNAME= cacti-0.8.8c CATEGORIES= net MASTER_SITES= http://www.cacti.net/downloads/ diff --git a/net/cacti/PLIST b/net/cacti/PLIST index f2c9232da7b..0e82dadd2b4 100644 --- a/net/cacti/PLIST +++ b/net/cacti/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.6 2015/03/11 07:39:15 nils Exp $ +@comment $NetBSD: PLIST,v 1.7 2015/03/11 13:56:46 adam Exp $ bin/cacti-poller share/cacti/LICENSE share/cacti/README @@ -203,6 +203,10 @@ share/cacti/images/move_left.gif share/cacti/images/move_right.gif share/cacti/images/move_up.gif share/cacti/images/reload_icon_small.gif +share/cacti/images/server.png +share/cacti/images/server_chart.png +share/cacti/images/server_chart_curve.png +share/cacti/images/server_dataquery.png share/cacti/images/shadow.gif share/cacti/images/shadow_gray.gif share/cacti/images/show.gif 
@@ -224,11 +228,68 @@ share/cacti/images/uninstall_icon.gif
 share/cacti/images/view_none.gif
 share/cacti/include/auth.php
 share/cacti/include/bottom_footer.php
+share/cacti/include/csrf/csrf-magic.js
+share/cacti/include/csrf/csrf-magic.php
+share/cacti/include/csrf/index.php
 share/cacti/include/global.php
 share/cacti/include/global_arrays.php
 share/cacti/include/global_constants.php
 share/cacti/include/global_form.php
 share/cacti/include/global_settings.php
+share/cacti/include/js/colorpicker.js
+share/cacti/include/js/images/ui-bg_diagonals-thick_18_b81900_40x40.png
+share/cacti/include/js/images/ui-bg_diagonals-thick_20_666666_40x40.png
+share/cacti/include/js/images/ui-bg_flat_10_000000_40x100.png
+share/cacti/include/js/images/ui-bg_glass_100_f6f6f6_1x400.png
+share/cacti/include/js/images/ui-bg_glass_100_fdf5ce_1x400.png
+share/cacti/include/js/images/ui-bg_glass_65_ffffff_1x400.png
+share/cacti/include/js/images/ui-bg_gloss-wave_35_f6a828_500x100.png
+share/cacti/include/js/images/ui-bg_highlight-soft_100_eeeeee_1x100.png
+share/cacti/include/js/images/ui-bg_highlight-soft_75_ffe45c_1x100.png
+share/cacti/include/js/images/ui-icons_222222_256x240.png
+share/cacti/include/js/images/ui-icons_228ef1_256x240.png
+share/cacti/include/js/images/ui-icons_ef8c08_256x240.png
+share/cacti/include/js/images/ui-icons_ffd27a_256x240.png
+share/cacti/include/js/images/ui-icons_ffffff_256x240.png
+share/cacti/include/js/jquery-ui.css
+share/cacti/include/js/jquery-ui.js
+share/cacti/include/js/jquery.cookie.js
+share/cacti/include/js/jquery.dd.js
+share/cacti/include/js/jquery.dropdown.js
+share/cacti/include/js/jquery.easytabs.js
+share/cacti/include/js/jquery.js
+share/cacti/include/js/jquery.tablednd.js
+share/cacti/include/js/jquery.timepicker.js
+share/cacti/include/js/jquery.zoom.css
+share/cacti/include/js/jquery.zoom.js
+share/cacti/include/js/jstree.js
+share/cacti/include/js/themes/default-dark/32px.png
+share/cacti/include/js/themes/default-dark/40px.png
+share/cacti/include/js/themes/default-dark/style.css
+share/cacti/include/js/themes/default-dark/style.min.css
+share/cacti/include/js/themes/default-dark/throbber.gif
+share/cacti/include/js/themes/default/32px.png
+share/cacti/include/js/themes/default/40px.png
+share/cacti/include/js/themes/default/style.css
+share/cacti/include/js/themes/default/style.min.css
+share/cacti/include/js/themes/default/throbber.gif
+share/cacti/include/js/themes/proton/30px.png
+share/cacti/include/js/themes/proton/32px.png
+share/cacti/include/js/themes/proton/fonts/titillium/titilliumweb-bold-webfont.eot
+share/cacti/include/js/themes/proton/fonts/titillium/titilliumweb-bold-webfont.svg
+share/cacti/include/js/themes/proton/fonts/titillium/titilliumweb-bold-webfont.ttf
+share/cacti/include/js/themes/proton/fonts/titillium/titilliumweb-bold-webfont.woff
+share/cacti/include/js/themes/proton/fonts/titillium/titilliumweb-extralight-webfont.eot
+share/cacti/include/js/themes/proton/fonts/titillium/titilliumweb-extralight-webfont.svg
+share/cacti/include/js/themes/proton/fonts/titillium/titilliumweb-extralight-webfont.ttf
+share/cacti/include/js/themes/proton/fonts/titillium/titilliumweb-extralight-webfont.woff
+share/cacti/include/js/themes/proton/fonts/titillium/titilliumweb-regular-webfont.eot
+share/cacti/include/js/themes/proton/fonts/titillium/titilliumweb-regular-webfont.svg
+share/cacti/include/js/themes/proton/fonts/titillium/titilliumweb-regular-webfont.ttf
+share/cacti/include/js/themes/proton/fonts/titillium/titilliumweb-regular-webfont.woff
+share/cacti/include/js/themes/proton/style.css
+share/cacti/include/js/themes/proton/style.min.css
+share/cacti/include/js/themes/proton/throbber.gif
 share/cacti/include/jscalendar/calendar-setup.js
 share/cacti/include/jscalendar/calendar.js
 share/cacti/include/jscalendar/lang/calendar-af.js
@@ -279,18 +340,6 @@ share/cacti/include/main.css
 share/cacti/include/plugins.php
 share/cacti/include/top_graph_header.php
 share/cacti/include/top_header.php
-share/cacti/include/treeview/ftiens4.js
-share/cacti/include/treeview/ftiens4_export.js
-share/cacti/include/treeview/ftv2blank.gif
-share/cacti/include/treeview/ftv2lastnode.gif
-share/cacti/include/treeview/ftv2mlastnode.gif
-share/cacti/include/treeview/ftv2mnode.gif
-share/cacti/include/treeview/ftv2node.gif
-share/cacti/include/treeview/ftv2plastnode.gif
-share/cacti/include/treeview/ftv2pnode.gif
-share/cacti/include/treeview/ftv2vertline.gif
-share/cacti/include/treeview/ua.js
-share/cacti/include/zoom.js
 share/cacti/index.php
 share/cacti/install/0_8_1_to_0_8_2.php
 share/cacti/install/0_8_2_to_0_8_2a.php
@@ -316,7 +365,8 @@ share/cacti/install/0_8_7g_to_0_8_7h.php
 share/cacti/install/0_8_7h_to_0_8_7i.php
 share/cacti/install/0_8_7i_to_0_8_8.php
 share/cacti/install/0_8_8_to_0_8_8a.php
-share/cacti/install/0_8_8_to_0_8_8b.php
+share/cacti/install/0_8_8a_to_0_8_8b.php
+share/cacti/install/0_8_8b_to_0_8_8c.php
 share/cacti/install/0_8_to_0_8_1.php
 share/cacti/install/index.php
 share/cacti/install/install_finish.gif
diff --git a/net/cacti/distinfo b/net/cacti/distinfo
index 12436d645b4..d547f7991ca 100644
--- a/net/cacti/distinfo
+++ b/net/cacti/distinfo
@@ -1,15 +1,9 @@ -$NetBSD: distinfo,v 1.5 2014/08/23 12:50:25 adam Exp $ +$NetBSD: distinfo,v 1.6 2015/03/11 13:56:46 adam Exp $ -SHA1 (cacti-0.8.8b.tar.gz) = 84979416ae08d586064328d6451a3108b74a3b06 -RMD160 (cacti-0.8.8b.tar.gz) = a2c88961565c6b5d593b4f2603514139800c9145 -Size (cacti-0.8.8b.tar.gz) = 2272130 bytes +SHA1 (cacti-0.8.8c.tar.gz) = 6fdcaf59a7467ac593d4940e5a65338bdea5475b +RMD160 (cacti-0.8.8c.tar.gz) = 591d08d27824444b68e4f517eb52be8bd08fc5f4 +Size (cacti-0.8.8c.tar.gz) = 2908451 bytes SHA1 (patch-cacti.sql) = 37e18026c4136630d939ab5a7a4d6336bf166282 -SHA1 (patch-cdef.php) = ee898fcbb0da5db1a1127ba54fbf72c308df47eb -SHA1 (patch-graph_xport.php) = 275717883721c674ab149e163be0ba780b86b11b -SHA1 (patch-host.php) = 679fd76c81a719d949e023cecc4cc0c47ac6acf4 SHA1 (patch-include_global.php) = fb0d2f15596b051c60ed6032ecb9038315b7c663 SHA1 (patch-include_global__settings.php) = 54ffd0c3fc9d927595b1568a874c45a4a6033f7b -SHA1 (patch-install_index.php) = e5ee36159968e1ca160aba953e02b9e80a2eb5d9 -SHA1 (patch-lib_api_device.php) = 0a2d495a0245c8957bfd5214a5e79dbb31f135c4 -SHA1 (patch-lib_graph_export.php) = ef91e864bc830653fbcf490419d39511aa7a258e -SHA1 (patch-lib_rrd.php) = cf7483d9a67f9f146d130de7da86a0f37f1041c9 +SHA1 (patch-install_index.php) = bc4737d8521d0cff37e18511687be9d258216b6e diff --git a/net/cacti/patches/patch-cdef.php b/net/cacti/patches/patch-cdef.php deleted file mode 100644 index e657d06fe06..00000000000 --- a/net/cacti/patches/patch-cdef.php +++ /dev/null 
@@ -1,20 +0,0 @@ -$NetBSD: patch-cdef.php,v 1.1 2014/08/23 12:50:25 adam Exp $ - -Fixes for: -CVE-2014-2326 Unspecified HTML Injection Vulnerability -CVE-2014-2328 Unspecified Remote Command Execution Vulnerability -CVE-2014-2708 Unspecified SQL Injection Vulnerability -CVE-2014-2709 Unspecified Remote Command Execution Vulnerability - ---- cdef.php.orig 2013-08-06 22:31:19.000000000 -0400 -+++ cdef.php 2014-04-04 21:39:04.000000000 -0400 -@@ -431,7 +431,7 @@ - <a class="linkEditMain" href="<?php print htmlspecialchars("cdef.php?action=item_edit&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>">Item #<?php print htmlspecialchars($i);?></a> - </td> - <td> -- <em><?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?></em>: <strong><?php print get_cdef_item_name($cdef_item["id"]);?></strong> -+ <em><?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?></em>: <strong><?php print htmlspecialchars(get_cdef_item_name($cdef_item["id"]));?></strong> - </td> - <td> - <a href="<?php print htmlspecialchars("cdef.php?action=item_movedown&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>"><img src="images/move_down.gif" border="0" alt="Move Down"></a> -diff -ruBbd graph_xport.php graph_xport.php diff --git a/net/cacti/patches/patch-graph_xport.php b/net/cacti/patches/patch-graph_xport.php deleted file mode 100644 index bc59aa49ddc..00000000000 --- a/net/cacti/patches/patch-graph_xport.php +++ /dev/null 
@@ -1,71 +0,0 @@ -$NetBSD: patch-graph_xport.php,v 1.1 2014/08/23 12:50:25 adam Exp $ - -Fixes for: -CVE-2014-2326 Unspecified HTML Injection Vulnerability -CVE-2014-2328 Unspecified Remote Command Execution Vulnerability -CVE-2014-2708 Unspecified SQL Injection Vulnerability -CVE-2014-2709 Unspecified Remote Command Execution Vulnerability - ---- graph_xport.php.orig 2013-08-06 22:31:19.000000000 -0400 -+++ graph_xport.php 2014-04-04 21:39:04.000000000 -0400 -@@ -47,43 +47,48 @@ - - $graph_data_array = array(); - -+/* ================= input validation ================= */ -+input_validate_input_number(get_request_var("local_graph_id")); -+input_validate_input_number(get_request_var("rra_id")); -+/* ==================================================== */ -+ - /* override: graph start time (unix time) */ --if (!empty($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) { -- $graph_data_array["graph_start"] = $_GET["graph_start"]; -+if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)) { -+ $graph_data_array["graph_start"] = get_request_var("graph_start"); - } - - /* override: graph end time (unix time) */ --if (!empty($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) { -- $graph_data_array["graph_end"] = $_GET["graph_end"]; -+if (!empty($_GET["graph_end"]) && is_numeric($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) { -+ $graph_data_array["graph_end"] = get_request_var("graph_end"); - } - - /* override: graph height (in pixels) */ --if (!empty($_GET["graph_height"]) && $_GET["graph_height"] < 3000) { -- $graph_data_array["graph_height"] = $_GET["graph_height"]; -+if (!empty($_GET["graph_height"]) && is_numeric($_GET["graph_height"]) && $_GET["graph_height"] < 3000) { -+ $graph_data_array["graph_height"] = get_request_var("graph_height"); - } - - /* override: graph width (in pixels) */ --if (!empty($_GET["graph_width"]) && $_GET["graph_width"] < 3000) { -- $graph_data_array["graph_width"] = 
$_GET["graph_width"]; -+if (!empty($_GET["graph_width"]) && is_numeric($_GET["graph_width"]) && $_GET["graph_width"] < 3000) { -+ $graph_data_array["graph_width"] = get_request_var("graph_width"); - } - - /* override: skip drawing the legend? */ - if (!empty($_GET["graph_nolegend"])) { -- $graph_data_array["graph_nolegend"] = $_GET["graph_nolegend"]; -+ $graph_data_array["graph_nolegend"] = get_request_var("graph_nolegend"); - } - - /* print RRDTool graph source? */ - if (!empty($_GET["show_source"])) { -- $graph_data_array["print_source"] = $_GET["show_source"]; -+ $graph_data_array["print_source"] = get_request_var("show_source"); - } - --$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . $_REQUEST["local_graph_id"] . "'"); -+$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . get_request_var("local_graph_id") . "'"); - - /* for bandwidth, NThPercentile */ - $xport_meta = array(); - - /* Get graph export */ --$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], $_GET["rra_id"], $graph_data_array, $xport_meta); -+$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], get_request_var("rra_id"), $graph_data_array, $xport_meta); - - /* Make graph title the suggested file name */ - if (is_array($xport_array["meta"])) { diff --git a/net/cacti/patches/patch-host.php b/net/cacti/patches/patch-host.php deleted file mode 100644 index 1b27e7ccaad..00000000000 --- a/net/cacti/patches/patch-host.php +++ /dev/null 
@@ -1,18 +0,0 @@ -$NetBSD: patch-host.php,v 1.1 2014/01/08 20:51:28 tron Exp $ - -Fix vulnerability reported in SA54531. Patch taken from here: - -http://svn.cacti.net/viewvc?view=rev&revision=7420 - ---- host.php.orig 2013-08-07 03:31:19.000000000 +0100 -+++ host.php 2014-01-08 20:26:33.000000000 +0000 -@@ -149,6 +149,9 @@ - if ($_POST["snmp_version"] == 3 && ($_POST["snmp_password"] != $_POST["snmp_password_confirm"])) { - raise_message(4); - }else{ -+ input_validate_input_number(get_request_var_post("id")); -+ input_validate_input_number(get_request_var_post("host_template_id")); -+ - $host_id = api_device_save($_POST["id"], $_POST["host_template_id"], $_POST["description"], - trim($_POST["hostname"]), $_POST["snmp_community"], $_POST["snmp_version"], - $_POST["snmp_username"], $_POST["snmp_password"], diff --git a/net/cacti/patches/patch-install_index.php b/net/cacti/patches/patch-install_index.php index e149aa73e14..d519b434f09 100644 --- a/net/cacti/patches/patch-install_index.php +++ b/net/cacti/patches/patch-install_index.php 
@@ -1,15 +1,12 @@ -$NetBSD: patch-install_index.php,v 1.2 2014/01/08 20:51:28 tron Exp $ +$NetBSD: patch-install_index.php,v 1.3 2015/03/11 13:56:46 adam Exp $ - Find utilites in PREFIX first. - Fix-up hard coded user and path (documentaion only). - Make log directory configurable by package variable -- Fix vulnerability reported in SA54531. Patch taken from here: - http://svn.cacti.net/viewvc?view=rev&revision=7420 - ---- install/index.php.orig 2013-08-07 03:31:19.000000000 +0100 -+++ install/index.php 2014-01-08 20:26:33.000000000 +0000 -@@ -96,7 +96,7 @@ +--- install/index.php.orig 2014-11-23 20:18:57.000000000 +0000 ++++ install/index.php +@@ -96,7 +96,7 @@ function find_best_path($binary_name) { if ($config["cacti_server_os"] == "win32") { $search_paths = array("c:/usr/bin", "c:/cacti", "c:/rrdtool", "c:/spine", "c:/php", "c:/progra~1/php", "c:/net-snmp/bin", "c:/progra~1/net-snmp/bin", "d:/usr/bin", "d:/net-snmp/bin", "d:/progra~1/net-snmp/bin", "d:/cacti", "d:/rrdtool", "d:/spine", "d:/php", "d:/progra~1/php"); }else{ @@ -18,7 +15,7 @@ $NetBSD: patch-install_index.php,v 1.2 2014/01/08 20:51:28 tron Exp $ } for ($i=0; $i<count($search_paths); $i++) { -@@ -267,7 +267,7 @@ +@@ -267,7 +267,7 @@ $input["path_cactilog"]["description"] = if (config_value_exists("path_cactilog")) { $input["path_cactilog"]["default"] = read_config_option("path_cactilog"); } else { 
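Review bot: The first hunk of patch-install_index.php removes the `Fix vulnerability reported in SA54531` entry from the patch comment without recording where that fix now lives. The later hunks of this file drop the `$step` sanitisation, and the new inner hunk context `if ($step == "4") {` suggests 0.8.8c already carries an equivalent change, but that is inferred from the header rather than stated. The same gap applies to the deleted patch-cdef.php, patch-graph_xport.php, patch-host.php, patch-lib_api_device.php, patch-lib_graph_export.php and patch-lib_rrd.php, which held the package's fixes for CVE-2014-2326, CVE-2014-2328, CVE-2014-2708 and CVE-2014-2709 and SA54531. If the commit message does not already say so, and once it is checked against the 0.8.8c sources, a line such as `Local fixes for SA54531 and CVE-2014-2326/2328/2708/2709 dropped: included upstream in 0.8.8c.` would let an auditor confirm that no fix was lost in the update.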
@@ -27,108 +24,7 @@ $NetBSD: patch-install_index.php,v 1.2 2014/01/08 20:51:28 tron Exp $ } /* SNMP Version */ -@@ -310,27 +310,28 @@ - } - - /* pre-processing that needs to be done for each step */ --if (empty($_REQUEST["step"])) { -- $_REQUEST["step"] = 1; --}else{ -- if ($_REQUEST["step"] == "1") { -- $_REQUEST["step"] = "2"; -- }elseif (($_REQUEST["step"] == "2") && ($_REQUEST["install_type"] == "1")) { -- $_REQUEST["step"] = "3"; -- }elseif (($_REQUEST["step"] == "2") && ($_REQUEST["install_type"] == "3")) { -- $_REQUEST["step"] = "8"; -- }elseif (($_REQUEST["step"] == "8") && ($old_version_index <= array_search("0.8.5a", $cacti_versions))) { -- $_REQUEST["step"] = "9"; -- }elseif ($_REQUEST["step"] == "8") { -- $_REQUEST["step"] = "3"; -- }elseif ($_REQUEST["step"] == "9") { -- $_REQUEST["step"] = "3"; -- }elseif ($_REQUEST["step"] == "3") { -- $_REQUEST["step"] = "4"; -+if (isset($_REQUEST["step"]) && $_REQUEST["step"] > 0) { -+ $step = intval($_REQUEST["step"]); -+ if ($step == "1") { -+ $step = "2"; -+ } elseif (($step == "2") && ($_REQUEST["install_type"] == "1")) { -+ $step = "3"; -+ } elseif (($step == "2") && ($_REQUEST["install_type"] == "3")) { -+ $step = "8"; -+ } elseif (($step == "8") && ($old_version_index <= array_search("0.8.5a", $cacti_versions))) { -+ $step = "9"; -+ } elseif ($step == "8") { -+ $step = "3"; -+ } elseif ($step == "9") { -+ $step = "3"; -+ } elseif ($step == "3") { -+ $step = "4"; - } -+} else { -+ $step = 1; - } - --if ($_REQUEST["step"] == "4") { -+if ($step == "4") { - include_once("../lib/data_query.php"); - include_once("../lib/utility.php"); - -@@ -366,7 +367,7 @@ - - header ("Location: ../index.php"); - exit; --}elseif (($_REQUEST["step"] == "8") && ($_REQUEST["install_type"] == "3")) { -+}elseif (($step == "8") && ($_REQUEST["install_type"] == "3")) { - /* if the version is not found, die */ - if (!is_int($old_version_index)) { - print " <p style='font-family: Verdana, Arial; font-size: 16px; font-weight: bold; color: 
red;'>Error</p> -@@ -505,7 +506,7 @@ - </tr> - <tr> - <td width="100%" style="font-size: 12px;"> -- <?php if ($_REQUEST["step"] == "1") { ?> -+ <?php if ($step == "1") { ?> - - <p>Thanks for taking the time to download and install cacti, the complete graphing - solution for your network. Before you can start making cool graphs, there are a few -@@ -530,7 +531,7 @@ - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details.</p> - -- <?php }elseif ($_REQUEST["step"] == "2") { ?> -+ <?php }elseif ($step == "2") { ?> - - <p>Please select the type of installation</p> - -@@ -551,7 +552,7 @@ - print "Server Operating System Type: " . $config["cacti_server_os"] . "<br>"; ?> - </p> - -- <?php }elseif ($_REQUEST["step"] == "3") { ?> -+ <?php }elseif ($step == "3") { ?> - - <p>Make sure all of these values are correct before continuing.</p> - <?php -@@ -609,7 +610,7 @@ - is an upgrade. You can change any of the settings on this screen at a later - time by going to "Cacti Settings" from within Cacti.</p> - -- <?php }elseif ($_REQUEST["step"] == "8") { ?> -+ <?php }elseif ($step == "8") { ?> - - <p>Upgrade results:</p> - -@@ -659,7 +660,7 @@ - print $upgrade_results; - ?> - -- <?php }elseif ($_REQUEST["step"] == "9") { ?> -+ <?php }elseif ($step == "9") { ?> - - <p style='font-size: 16px; font-weight: bold; color: red;'>Important Upgrade Notice</p> - -@@ -667,13 +668,13 @@ +@@ -670,7 +670,7 @@ if ($step == "4") { <p>See the sample crontab entry below with the change made in red. Your crontab line will look slightly different based upon your setup.</p> 
@@ -137,19 +33,3 @@ $NetBSD: patch-install_index.php,v 1.2 2014/01/08 20:51:28 tron Exp $ <p>Once you have made this change, please click Next to continue.</p> - <?php }?> - -- <p align="right"><input type="image" src="install_<?php if ($_REQUEST["step"] == "3") {?>finish<?php }else{?>next<?php }?>.gif" alt="<?php if ($_REQUEST["step"] == "3"){?>Finish<?php }else{?>Next<?php }?>"></p> -+ <p align="right"><input type="image" src="install_<?php if ($step == "3") {?>finish<?php }else{?>next<?php }?>.gif" alt="<?php if ($step == "3"){?>Finish<?php }else{?>Next<?php }?>"></p> - </td> - </tr> - </table> -@@ -681,7 +682,7 @@ - </tr> - </table> - --<input type="hidden" name="step" value="<?php print $_REQUEST["step"];?>"> -+<input type="hidden" name="step" value="<?php print $step;?>"> - - </form> - diff --git a/net/cacti/patches/patch-lib_api_device.php b/net/cacti/patches/patch-lib_api_device.php deleted file mode 100644 index b4c0a10dbbd..00000000000 --- a/net/cacti/patches/patch-lib_api_device.php +++ /dev/null @@ -1,17 +0,0 @@ -$NetBSD: patch-lib_api_device.php,v 1.1 2014/01/08 20:51:28 tron Exp $ - -Fix vulnerability reported in SA54531. Patch taken from here: - -http://svn.cacti.net/viewvc?view=rev&revision=7420 - ---- lib/api_device.php.orig 2013-08-07 03:31:18.000000000 +0100 -+++ lib/api_device.php 2014-01-08 20:26:33.000000000 +0000 -@@ -107,7 +107,7 @@ - $_host_template_id = db_fetch_cell("select host_template_id from host where id=$id"); - } - -- $save["id"] = $id; -+ $save["id"] = form_input_validate($id, "id", "^[0-9]+$", false, 3); - $save["host_template_id"] = form_input_validate($host_template_id, "host_template_id", "^[0-9]+$", false, 3); - $save["description"] = form_input_validate($description, "description", "", false, 3); - $save["hostname"] = form_input_validate(trim($hostname), "hostname", "", false, 3); 
diff --git a/net/cacti/patches/patch-lib_graph_export.php b/net/cacti/patches/patch-lib_graph_export.php deleted file mode 100644 index 71ce4fb9c15..00000000000 --- a/net/cacti/patches/patch-lib_graph_export.php +++ /dev/null @@ -1,28 +0,0 @@ -$NetBSD: patch-lib_graph_export.php,v 1.1 2014/08/23 12:50:25 adam Exp $ - -Fixes for: -CVE-2014-2326 Unspecified HTML Injection Vulnerability -CVE-2014-2328 Unspecified Remote Command Execution Vulnerability -CVE-2014-2708 Unspecified SQL Injection Vulnerability -CVE-2014-2709 Unspecified Remote Command Execution Vulnerability - ---- lib/graph_export.php.orig 2013-08-06 22:31:19.000000000 -0400 -+++ lib/graph_export.php 2014-04-04 21:39:05.000000000 -0400 -@@ -339,7 +339,7 @@ - chdir($stExportDir); - - /* set the initial command structure */ -- $stExecute = 'ncftpput -R -V -r 1 -u '.$aFtpExport['username'].' -p '.$aFtpExport['password']; -+ $stExecute = 'ncftpput -R -V -r 1 -u ' . cacti_escapeshellarg($aFtpExport['username']) . ' -p ' . cacti_escapeshellarg($aFtpExport['password']); - - /* if the user requested passive mode, use it */ - if ($aFtpExport['passive']) { -@@ -347,7 +347,7 @@ - } - - /* setup the port, server, remote directory and all files */ -- $stExecute .= ' -P ' . $aFtpExport['port'] . ' ' . $aFtpExport['server'] . ' ' . $aFtpExport['remotedir'] . "."; -+ $stExecute .= ' -P ' . cacti_escapeshellarg($aFtpExport['port']) . ' ' . cacti_escapeshellarg($aFtpExport['server']) . ' ' . cacti_escapeshellarg($aFtpExport['remotedir']) . "."; - - /* run the command */ - $iExecuteReturns = 0; diff --git a/net/cacti/patches/patch-lib_rrd.php b/net/cacti/patches/patch-lib_rrd.php deleted file mode 100644 index 5b2781bb6b4..00000000000 --- a/net/cacti/patches/patch-lib_rrd.php +++ /dev/null 
@@ -1,49 +0,0 @@ -$NetBSD: patch-lib_rrd.php,v 1.1 2014/08/23 12:50:25 adam Exp $ - -Fixes for: -CVE-2014-2326 Unspecified HTML Injection Vulnerability -CVE-2014-2328 Unspecified Remote Command Execution Vulnerability -CVE-2014-2708 Unspecified SQL Injection Vulnerability -CVE-2014-2709 Unspecified Remote Command Execution Vulnerability - ---- lib/rrd.php.orig 2013-08-06 22:31:18.000000000 -0400 -+++ lib/rrd.php 2014-04-04 21:39:04.000000000 -0400 -@@ -865,13 +865,13 @@ - /* basic graph options */ - $graph_opts .= - "--imgformat=" . $image_types{$graph["image_format_id"]} . RRD_NL . -- "--start=$graph_start" . RRD_NL . -- "--end=$graph_end" . RRD_NL . -+ "--start=" . cacti_escapeshellarg($graph_start) . RRD_NL . -+ "--end=" . cacti_escapeshellarg($graph_end) . RRD_NL . - "--title=" . cacti_escapeshellarg($graph["title_cache"]) . RRD_NL . - "$rigid" . -- "--base=" . $graph["base_value"] . RRD_NL . -- "--height=$graph_height" . RRD_NL . -- "--width=$graph_width" . RRD_NL . -+ "--base=" . cacti_escapeshellarg($graph["base_value"]) . RRD_NL . -+ "--height=" . cacti_escapeshellarg($graph_height) . RRD_NL . -+ "--width=" . cacti_escapeshellarg($graph_width) . RRD_NL . - "$scale" . - "$unit_value" . - "$unit_exponent_value" . -@@ -1606,8 +1606,8 @@ - - /* basic export options */ - $xport_opts = -- "--start=$xport_start" . RRD_NL . -- "--end=$xport_end" . RRD_NL . -+ "--start=" . cacti_escapeshellarg($xport_start) . RRD_NL . -+ "--end=" . cacti_escapeshellarg($xport_end) . RRD_NL . - "--maxrows=10000" . RRD_NL; - - $xport_defs = ""; -@@ -1997,7 +1997,7 @@ - $stacked_columns["col" . $j] = ($graph_item_types{$xport_item["graph_type_id"]} == "STACK") ? 1 : 0; - $j++; - -- $txt_xport_items .= "XPORT:" . $data_source_name . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ; -+ $txt_xport_items .= "XPORT:" . cacti_escapeshellarg($data_source_name) . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ; - }else{ - $need_rrd_nl = FALSE; - } |