From efa6b500d78bcbfbf63da5d45f669796aa3f993a Mon Sep 17 00:00:00 2001
From: Mika Havela
Date: Fri, 3 Jul 2009 13:37:24 +0000
Subject: Validating userinput. Using format.escapespecialcharacters() to prevent code injection. Making sure some inputs are purely numerical.

---
 rrdtool-model.lua | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/rrdtool-model.lua b/rrdtool-model.lua
index d6ab2fc..30a65f4 100644
--- a/rrdtool-model.lua
+++ b/rrdtool-model.lua
@@ -111,9 +111,9 @@ function createnewrrd()
 (Default: now - 10s)"})
 newdb.step = cfe({label="Step",value="",descr="Specifies the base interval in seconds with which data will be fed into the RRD.\
 (Default: 300)"})
-newdb.ds = cfe({label="Data stores",value="",descr="DS:ds-name:GAUGE | COUNTER | DERIVE | ABSOLUTE:heartbeat:min:max \
+newdb.ds = cfe({label="Data store(s)",value="",descr="DS:ds-name:GAUGE | COUNTER | DERIVE | ABSOLUTE:heartbeat:min:max \
 DS:ds-name:COMPUTE:rpn-expression",type="longtext"})
-newdb.rra = cfe({label="Round Robin Archive",value="",descr="RRA:AVERAGE | MIN | MAX | LAST:xff:steps:rows",type="longtext"})
+newdb.rra = cfe({label="Round Robin Archive(s)",value="",descr="RRA:AVERAGE | MIN | MAX | LAST:xff:steps:rows",type="longtext"})
 return {value=newdb}
 end
 
@@ -154,6 +154,12 @@ If you specify path, it should be " .. tostring(databases) .."/"
 end
 if (posix.stat(path)) then
 configfile.value.filename.errtxt = "File already exists"
+elseif not tonumber(configfile.value.start.value) then
+configfile.value.start.errtxt = "Only numeric values!"
+return configfile
+elseif not tonumber(configfile.value.step.value) then
+configfile.value.step.errtxt = "Only numeric values!"
+return configfile
 else
 local start,step
 if (#configfile.value.start.value > 0) then
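Review bot: The new `tonumber` guards in the second hunk reject the blank value that the form itself presents as the default — `newdb.step` is created with `value=""` and described as "(Default: 300)", and `start` as "(Default: now - 10s)", yet `tonumber("")` is nil, so a user who leaves either field empty now gets "Only numeric values!" and never reaches the `#configfile.value.start.value > 0` branch below that exists to handle the blank case. Allow the empty string explicitly, e.g. `elseif configfile.value.start.value ~= "" and not tonumber(configfile.value.start.value) then`, and the same for step. Note also that `tonumber` accepts hex, exponent notation and surrounding whitespace (`"0x10"`, `"1e3"`, `" 5 "`), so if rrdtool should only ever receive plain integers here, `string.match(v, "^%d+$")` is the tighter check. The enclosing function starts before this hunk and continues in the next one.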
@@ -167,11 +173,11 @@ If you specify path, it should be " .. tostring(databases) .."/"
 step = ""
 end
 local f = io.popen( "/usr/bin/rrdtool create "..
-tostring(path) .. " " ..
-tostring(start) ..
-tostring(step) ..
-tostring(configfile.value.ds.value) .. " " ..
-tostring(configfile.value.rra.value) .. " 2>&1")
+format.escapespecialcharacters(path) .. " " ..
+format.escapespecialcharacters(start) ..
+format.escapespecialcharacters(step) ..
+tostring(string.gsub(format.dostounix(format.escapespecialcharacters(configfile.value.ds.value)),"\n", " \\\n")) .. " " ..
+tostring(string.gsub(format.dostounix(format.escapespecialcharacters(configfile.value.rra.value)),"\n", " \\\n")) .. " 2>&1")
 success = f:read("*a") or ""
 f:close()
 configfile.errtxt = tostring(success)
-- 
cgit v1.2.3
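Review bot: The command handed to `io.popen` is still assembled by string concatenation, so its safety now rests entirely on `format.escapespecialcharacters` neutralising every shell metacharacter — including backslash, newline and quotes — and that helper is not part of this change, so its contract should be documented or tested alongside it. The `ds` and `rra` values are escaped first and only afterwards have `"\n"` rewritten to `" \\\n"`; if the helper already escapes newlines or backslashes, that rewrite either misses them or double-escapes them, which is worth a unit test with a multi-line value and with a value containing a backslash. Since the file already uses the `posix` binding, passing the arguments as a vector through a fork/exec pair (if that binding exposes one) would avoid `/bin/sh` and the escaping question altogether. The enclosing function starts before this hunk.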