diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm
index 2b680a7..670673c 100644
--- a/lib/Smokeping.pm
+++ b/lib/Smokeping.pm
@@ -26,6 +26,8 @@ setlogsock('unix')
# make sure we do not end up with , in odd places where one would expect a '.'
# we set the environment variable so that our 'kids' get the benefit too
+my $xssBadRx = qr/[<>%&'";]/;
+
$ENV{LC_NUMERIC}='C';
if (POSIX::setlocale(&POSIX::LC_NUMERIC,"") ne "C") {
die("Resetting LC_NUMERIC failed - try removing LC_ALL from the environment");
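Review bot: The new file-scoped `$xssBadRx` is a deny-list and carries no comment saying what it is for or why exactly these seven characters were chosen, which the later hunks (hierarchy at 140, update_dynaddr at 184, parse_datetime at 981, get_detail at 1006 and 1404, display_webpage at 1556 and 1568) all depend on. A deny-list only blocks the characters it names, so a reader cannot tell from this line whether, for example, backticks, whitespace or control characters were considered and deliberately left out; escaping at the point where a value is written into HTML or a URL is the more robust approach, and the constant at least deserves a comment stating the intent. I would add above it: `# Characters that request parameters must never carry into generated HTML or URLs;` followed by `# each occurrence is replaced by '_' before the value is used (see hierarchy(), get_detail(), display_webpage()).` The declaration sits before the subroutines that use it, which is what a file-scoped `my` needs, but the rest of the file is outside this hunk so that ordering is inferred.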
@@ -138,8 +140,10 @@ sub cgiurl {
sub hierarchy ($){
my $q = shift;
my $hierarchy = '';
+ my $h = $q->param('hierarchy');
if ($q->param('hierarchy')){
- $hierarchy = 'hierarchy='.$q->param('hierarchy').';';
+ $h =~ s/$xssBadRx/_/g;
+ $hierarchy = 'hierarchy='.$h.';';
};
return $hierarchy;
}
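Review bot: The condition still re-reads `$q->param('hierarchy')` even though the new line above copies that value into `$h`, so the branch tests one value and sanitizes another; `if ($h){` keeps the two in step and reads as intended. The substitution strips `;` and `&`, which is what prevents an extra parameter being spliced into the `hierarchy=...;` fragment, but characters such as `#` or whitespace are not in the list and would still reach the query string unencoded, so this relies on hierarchy names being plain identifiers — worth a comment on the `$hierarchy = ...` line if that assumption holds.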
@@ -180,6 +184,7 @@ sub update_dynaddr ($$){
my $address = $ENV{REMOTE_ADDR};
my $targetptr = $cfg->{Targets};
foreach my $step (@target){
+ $step =~ s/$xssBadRx/_/g;
return "Error: Unknown target $step"
unless defined $targetptr->{$step};
$targetptr = $targetptr->{$step};
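Review bot: `$step` is a foreach alias, so the added `s/$xssBadRx/_/g` rewrites the element of `@target` itself, not a copy; if `@target` is used after the loop that use now sees the rewritten values, which the hunk does not show (the array is declared and the sub continues outside it). Since each step is immediately checked with `defined $targetptr->{$step}` against the configured target tree, the lookup already acts as an allow-list, and the substitution mainly changes which string is echoed in the `Error: Unknown target $step` message. A one-line comment makes the aliasing explicit: `# $step aliases @target, so this rewrites the array element in place`.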
@@ -976,8 +981,9 @@ sub smokecol ($) {
sub parse_datetime($){
my $in = shift;
- for ($in){
- /^(\d+)$/ && do { my $value = $1; $value = time if $value > 2**32; return $value};
+ for ($in){
+ $in =~ s/$xssBadRx/_/g;
+ /^(\d+)$/ && do { my $value = $1; $value = time if $value > 2**32; return $value};
/^\s*(\d{4})-(\d{1,2})-(\d{1,2})(?:\s+(\d{1,2}):(\d{2})(?::(\d{2}))?)?\s*$/ &&
return POSIX::mktime($6||0,$5||0,$4||0,$3,$2-1,$1-1900,0,0,-1);
/^now$/ && return time;
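Review bot: Inside `for ($in)` the topic `$_` is an alias of `$in`, so `$in =~ s/$xssBadRx/_/g;` and the bare `/^(\d+)$/` on the following lines operate on the same scalar but are written against two different names; `s/$xssBadRx/_/g;` alone would match the style of the surrounding matches. Every pattern in the chain is fully anchored and accepts only digits, separators or the literal `now`, so the substitution changes nothing for those branches; it only matters for whatever consumes `$in` when no branch matches, which lies past the end of the hunk. The `for ($in){` line at 981 is also rewritten with only a whitespace change, which adds noise to a security patch.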
@@ -1000,7 +1006,7 @@ sub get_detail ($$$$;$){
my $tree = shift;
my $open = shift;
my $mode = shift || $q->param('displaymode') || 's';
-
+ $mode =~ s/$xssBadRx/_/g;
my $phys_tree = $tree;
my $phys_open = $open;
if ($tree->{__tree_link}){
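Review bot: `$mode` is compared against fixed literals later in this sub (`$mode eq 's'` in the hunk at line 1404), so if the set of valid display modes is closed, an allow-list check that falls back to the default would be stricter than replacing listed characters and would also document the accepted values in one place, e.g. `$mode = 's' unless $mode =~ /\A[a-z]\z/;` — adjust the class to the modes the sub actually handles, which I cannot see from here. As written, a mode such as `x<y` (constructed) becomes `x_y` and then falls through whatever branch handles unknown modes; the default `|| 's'` guarantees the value is defined, so the substitution itself is safe.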
@@ -1398,13 +1404,15 @@ sub get_detail ($$$$;$){
} elsif ($mode eq 's') { # classic mode
$startstr =~ s/\s/%20/g;
$endstr =~ s/\s/%20/g;
+ my $t = $q->param('target');
+ $t =~ s/$xssBadRx/_/g;
for my $slave (@slaves){
my $s = $slave ? "~$slave" : "";
$page .= "<div>";
# $page .= (time-$timer_start)."<br/>";
# $page .= join " ",map {"'$_'"} @task;
$page .= "<br/>";
- $page .= ( qq{<a href="}.cgiurl($q,$cfg)."?".hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}."target=".$q->param('target').$s.'">'
+ $page .= ( qq{<a href="}.cgiurl($q,$cfg)."?".hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}."target=".$t.$s.'">'
. qq{<IMG BORDER="0" SRC="${imghref}${s}_${end}_${start}.png">}."</a>" ); #"
$page .= "</div>";
}
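Review bot: `my $t = $q->param('target');` is undefined when the request carries no `target` parameter, so the substitution on the next line emits "Use of uninitialized value in substitution" under `use warnings` on every such request; add `$t = '' unless defined $t;` before the `s///` (the same applies to `$hierarchy` in the hunk at line 1568, where `$q->param('hierarchy')` is likewise unchecked before its substitution). Removing `"` and `<` does stop the value breaking out of the `href` attribute, but characters such as space, `?` and `#` are not in the deny-list and still land in the URL unencoded, as `$startstr` shows with its manual `%20` replacement two lines earlier; URL-encoding `$t` at this insertion point would cover both concerns. get_detail starts well before this hunk.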
@@ -1548,8 +1556,10 @@ sub display_webpage($$){
my $cfg = shift;
my $q = shift;
my $targ = '';
- if ( $q->param('target') and $q->param('target') !~ /\.\./ and $q->param('target') =~ /(\S+)/){
+ my $t = $q->param('target');
+ if ( $t and $t !~ /\.\./ and $t =~ /(\S+)/){
$targ = $1;
+ $targ =~ s/$xssBadRx/_/g;
}
my ($path,$slave) = split(/~/,$targ);
if ($slave and $slave =~ /(\S+)/){
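Review bot: The new `$targ =~ s/$xssBadRx/_/g;` silently rewrites a target name that contains a listed character into a different name instead of rejecting the request, so a request for `foo<bar` (constructed) proceeds as a lookup for `foo_bar` and an operator sees only whatever the unknown-target path reports. The same sub already uses `die "ERROR: unknown hierarchy ..."` for an invalid hierarchy (hunk at line 1568), so `die "ERROR: invalid target name\n" if $targ =~ $xssBadRx;` in place of the substitution would be consistent and would not echo the offending input. Note that `~` and `.` are deliberately absent from the deny-list because `$targ` is split on them right after this block; a short comment on the substitution line saying so would save the next reader from "fixing" the list.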
@@ -1558,8 +1568,9 @@ sub display_webpage($$){
$slave = $1;
}
my $hierarchy = $q->param('hierarchy');
+ $hierarchy =~ s/$xssBadRx/_/g;
die "ERROR: unknown hierarchy $hierarchy\n"
- if $hierarchy and not $cfg->{Presentation}{hierarchies}{$hierarchy};
+ if $hierarchy and not $cfg->{Presentation}{hierarchies}{$hierarchy};
my $open = [ (split /\./,$path||'') ];
my $open_orig = [@$open];
$open_orig->[-1] .= '~'.$slave if $slave;
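Review bot: The `if $hierarchy and not $cfg->{Presentation}{hierarchies}{$hierarchy};` line is removed and re-added with only an indentation change, which makes this hunk look like a logic change when the only functional addition is the substitution on the line above. Unrelated whitespace fixes are better kept out of a security patch so the diff shows exactly what changed. The `die` message echoes `$hierarchy` only after the substitution has run, which is the right order if that message can reach a browser.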