From 2b6c37b4d6001c82b6f8a6096276fddb490d1211 Mon Sep 17 00:00:00 2001 From: sc979 <34628915+sc979@users.noreply.github.com> Date: Thu, 16 May 2019 16:54:49 +0200 Subject: [PATCH] fix(csv): convert timestamp to human readable date (#7533) * enh(BE): securise id from request * style and PSR2 * enh(csv): homogenize exported date values' format * enh(BE): filter sanitize strings from REQUEST * fix(BE): setting a start date if the user didn't --- www/include/eventLogs/export/data.php | 113 ++++++++++++++----------- www/include/eventLogs/viewLog.php | 17 ++-- www/include/eventLogs/xml/data.php | 115 ++++++++++++++------------ 3 files changed, 135 insertions(+), 110 deletions(-) diff --git a/www/include/eventLogs/export/data.php b/www/include/eventLogs/export/data.php index bb462f3e81b..1af657897e6 100644 --- a/www/include/eventLogs/export/data.php +++ b/www/include/eventLogs/export/data.php @@ -1,7 +1,7 @@ user->get_lang(); putenv("LANG=$locale"); setlocale(LC_ALL, $locale); 
@@ -74,44 +64,58 @@ bind_textdomain_codeset("messages", "UTF-8"); textdomain("messages"); -/** - * save of the XML flow in $flow - */ +// save of the XML flow in $flow $csv_flag = 1; //setting the csv_flag variable to change limit in SQL request of getODSXmlLog.php when CSV exporting ob_start(); require_once _CENTREON_PATH_ . "www/include/eventLogs/xml/data.php"; $flow = ob_get_contents(); ob_end_clean(); -/** - * Send Headers - */ +// Send Headers header("Content-Type: application/csv-tab-delimited-table"); header("Content-disposition: filename=EventLogs.csv"); header("Cache-Control: cache, must-revalidate"); header("Pragma: public"); -/** - * Read flow - */ +// Read flow $xml = new SimpleXMLElement($flow); if ($engine == "false") { - echo _("Begin date") . "; " . _("End date") . ";\n"; - echo date(_('m/d/Y (H:i:s)'), intval($xml->infos->start)) - . ";" . date(_('m/d/Y (H:i:s)'), intval($xml->infos->end)) . "\n"; + echo _("Begin date") . "; " + . _("End date") . ";\n"; + echo date(_('Y/m/d (H:i:s)'), intval($xml->infos->start)) . ";" + . date(_('Y/m/d (H:i:s)'), intval($xml->infos->end)) . "\n"; echo "\n"; - echo _("Type") . ";" . _("Notification") . ";" . _("Alert") . ";" . _("error") . "\n"; - echo ";" . $xml->infos->notification . ";" . $xml->infos->alert . ";" . $xml->infos->error . "\n"; + echo _("Type") . ";" + . _("Notification") . ";" + . _("Alert") . ";" + . _("error") . "\n"; + echo ";" + . $xml->infos->notification . ";" + . $xml->infos->alert . ";" + . $xml->infos->error . "\n"; echo "\n"; - echo _("Host") . ";" . _("Up") . ";" . _("Down") . ";" . _("Unreachable") . "\n"; - echo ";" . $xml->infos->up . ";" . $xml->infos->down . ";" . $xml->infos->unreachable . "\n"; + echo _("Host") . ";" + . _("Up") . ";" + . _("Down") . ";" + . _("Unreachable") . "\n"; + echo ";" + . $xml->infos->up . ";" + . $xml->infos->down . ";" + . $xml->infos->unreachable . "\n"; echo "\n"; - echo _("Service") . ";" . _("Ok") . ";" . _("Warning") . ";" . _("Critical") . ";" . 
_("Unknown") . "\n"; - echo ";" . $xml->infos->ok . ";" . $xml->infos->warning . ";" . - $xml->infos->critical . ";" . $xml->infos->unknown . "\n"; + echo _("Service") . ";" + . _("Ok") . ";" + . _("Warning") . ";" + . _("Critical") . ";" + . _("Unknown") . "\n"; + echo ";" + . $xml->infos->ok . ";" + . $xml->infos->warning . ";" + . $xml->infos->critical . ";" + . $xml->infos->unknown . "\n"; echo "\n"; echo _("Day") . ";" . @@ -126,8 +130,8 @@ _("Contact") . ";" . _("Cmd") . "\n"; foreach ($xml->line as $line) { - echo $line->date . ";" . - $line->time . ";" . + echo date(_('Y/m/d'), (int)$line->date) . ";" . + date(_('H:i:s'), (int)$line->time) . ";" . $line->host_name . ";" . $line->address . ";" . $line->service_description . ";" . 
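Review bot: The row loop in the `@@ -126,8 +130,8 @@` hunk still writes `$line->host_name`, `$line->address`, `$line->service_description` and the fields after them straight between `;` separators with no quoting. A value containing `;`, a double quote or a line break shifts the columns, and a value beginning with `=`, `+`, `-` or `@` is evaluated as a formula when the export is opened in a spreadsheet. The `@@ -139,16 +143,31 @@` hunk has the same gap in a different form: it wraps `$line->poller` and `$line->output` in `"` but never doubles an embedded `"`. Since these lines are being rewritten anyway, consider emitting each row with `fputcsv($out, $fields, ';')` on a `php://output` handle and prefixing formula-leading values with `'` before writing. The loop's remaining fields and its closing brace lie outside this hunk.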
@@ -139,16 +143,31 @@ $line->contact_cmd . "\n"; } } else { - echo _("Begin date") . "; " . _("End date") . ";\n"; - echo date(_('m/d/Y (H:i:s)'), intval($xml->infos->start)) . ";" . - date(_('m/d/Y (H:i:s)'), intval($xml->infos->end)) . "\n"; + echo _("Begin date") . "; " + . _("End date") . ";\n"; + echo date(_('Y/m/d (H:i:s)'), (int)$xml->infos->start) . ";" + . date(_('Y/m/d (H:i:s)'), (int)$xml->infos->end) . "\n"; echo "\n"; - echo _("Type") . ";" . _("Notification") . ";" . _("Alert") . ";" . _("error") . "\n"; - echo ";" . $xml->infos->notification . ";" . $xml->infos->alert . ";" . $xml->infos->error . "\n"; + + echo _("Type") . ";" + . _("Notification") . ";" + . _("Alert") . ";" + . _("error") . "\n"; + echo ";" + . $xml->infos->notification . ";" + . $xml->infos->alert . ";" + . $xml->infos->error . "\n"; echo "\n"; - echo _("Day") . ";" . _("Time") . ";" . _("Poller") . ";" . _("Output") . ";" . "\n"; + + echo _("Day") . ";" + . _("Time") . ";" + . _("Poller") . ";" + . _("Output") . "; " . "\n"; foreach ($xml->line as $line) { - echo "\"" . $line->date . "\";\"" . $line->time . "\";\"" . $line->poller . - "\";\"" . $line->output . "\";" . "\n"; + echo "\"" . + date(_('Y/m/d'), (int)$line->date) . "\";\"" . + date(_('H:i:s'), (int)$line->time) . "\";\"" . + $line->poller . "\";\"" . + $line->output . "\";" . "\n"; } } diff --git a/www/include/eventLogs/viewLog.php b/www/include/eventLogs/viewLog.php index 94967f672de..e0ad0595116 100644 --- a/www/include/eventLogs/viewLog.php +++ b/www/include/eventLogs/viewLog.php @@ -1,6 +1,6 @@ /* - * Selecting choosen Host, Service, HG and/or SG + * Selecting chosen Host, Service, HG and/or SG */ function apply_period() { var openid = getArgsForHost(); diff --git a/www/include/eventLogs/xml/data.php b/www/include/eventLogs/xml/data.php index a90909a836d..c5ee089c8be 100644 --- a/www/include/eventLogs/xml/data.php +++ b/www/include/eventLogs/xml/data.php 
@@ -33,26 +33,19 @@ * */ -/** **************************** - * Include configurations files - */ +// Include configurations files include_once "../../../../config/centreon.config.php"; -/* - * Require Classes - */ +// Require Classes require_once _CENTREON_PATH_ . "www/class/centreonSession.class.php"; require_once _CENTREON_PATH_ . "www/class/centreon.class.php"; require_once realpath(__DIR__ . "/../../../../bootstrap.php"); -/** - * Connect to DB - */ - +// Connect to DB $pearDB = $dependencyInjector['configuration_db']; $pearDBO = $dependencyInjector['realtime_db']; -/* Check Session */ +// Check Session CentreonSession::start(); if (!CentreonSession::checkSession(session_id(), $pearDB)) { print "Bad Session"; @@ -82,9 +75,7 @@ define("TYPE_SOFT", 0); define("TYPE_HARD", 1); -/** - * Include Access Class - */ +// Include Access Class include_once _CENTREON_PATH_ . "www/class/centreonACL.class.php"; include_once _CENTREON_PATH_ . "www/class/centreonXML.class.php"; include_once _CENTREON_PATH_ . "www/class/centreonGMT.class.php"; @@ -140,19 +131,21 @@ } } -/* - * Start XML document root - */ +// Start XML document root $buffer = new CentreonXML(); $buffer->startElement("root"); /* * Security check */ -(isset($inputs["lang"])) ? - $lang_ = htmlentities($inputs["lang"], ENT_QUOTES, "UTF-8") : $lang_ = "-1"; -(isset($inputs["id"])) ? - $openid = htmlentities($inputs["id"], ENT_QUOTES, "UTF-8") : $openid = "-1"; +$lang_ = filter_var( + $inputs["lang"] ?? "-1", + FILTER_SANITIZE_STRING +); +$openid = filter_var( + $inputs["id"] ?? "-1", + FILTER_SANITIZE_STRING +); $sid = session_id(); (isset($sid)) ? $sid = $sid : $sid = "-1"; 
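Review bot: In the `@@ -140,19 +131,21 @@` hunk, `FILTER_SANITIZE_STRING` on `$inputs["id"]` strips tags and encodes quotes, but it does not constrain `$openid` to identifiers. In the `@@ -354,7 +366,7 @@` hunk that value is concatenated unquoted into `i.instance_id IN (...)` after `$pearDBO->escape()`; what `escape()` does is not visible here, but an escaping routine meant for quoted string literals does not make an unquoted list safe. If the engine-mode id is expected to be a comma-separated list of numeric instance ids, validating each element, e.g. `$ids = array_filter(array_map('intval', explode(',', $openid)));`, and binding the results as parameters would make the "securise id" intent hold for the SQL use as well. The filter constant is also deprecated as of PHP 8.1, so a validation filter is the longer-lived choice.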
@@ -196,7 +189,6 @@ $alert = isset($inputs["alert"]) ? htmlentities($inputs["alert"]) : "true"; $oh = isset($inputs["oh"]) ? htmlentities($inputs["oh"]) : "false"; $error = isset($inputs["error"]) ? htmlentities($inputs["error"]) : "false"; - $output = isset($inputs["output"]) ? urldecode($inputs["output"]) : $output = ""; $search_H = isset($inputs["search_H"]) ? htmlentities($inputs["search_H"]) : "VIDE"; $search_S = isset($inputs["search_S"]) ? htmlentities($inputs["search_S"]) : "VIDE"; @@ -239,9 +231,11 @@ $end = mktime($matchesT[1], $matchesT[2], "0", $matchesD[1], $matchesD[2], $matchesD[3]); } +// setting the startDate/Time using the user's chosen period +// and checking if the start date/time was set by the user, to avoid to display/export the whole data since 1/1/1970 $period = 86400; -if ($auto_period > 0) { - $period = $auto_period; +if ($auto_period > 0 || $start === 0) { + $period = (int)$auto_period; $start = time() - ($period); $end = time(); } 
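Review bot: In the `@@ -239,9 +231,11 @@` hunk, when the new `$start === 0` branch is taken and `$auto_period` is not greater than zero, `$period = (int)$auto_period;` overwrites the 86400 default with 0. `$start` and `$end` then both become `time()`, so the query window is empty instead of covering the last day. Keeping the default when no period was chosen fixes it: `$period = $auto_period > 0 ? (int)$auto_period : $period;`. The strict `=== 0` test also only fires if `$start` is initialised to the integer 0 above this hunk, which is not visible here; a string `"0"` or an unset value would skip the guard and leave the export window unbounded.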
@@ -255,26 +249,44 @@ STATUS_UNKNOWN => 'service_unknown', STATUS_PENDING => 'pending' ); -$tab_color_host = array(STATUS_UP => 'host_up', STATUS_DOWN => 'host_down', STATUS_UNREACHABLE => 'host_unreachable'); +$tab_color_host = array( + STATUS_UP => 'host_up', + STATUS_DOWN => 'host_down', + STATUS_UNREACHABLE => 'host_unreachable' +); -$tab_type = array("1" => "HARD", "0" => "SOFT"); -$tab_class = array("0" => "list_one", "1" => "list_two"); -$tab_status_host = array("0" => "UP", "1" => "DOWN", "2" => "UNREACHABLE"); -$tab_status_service = array("0" => "OK", "1" => "WARNING", "2" => "CRITICAL", "3" => "UNKNOWN"); +$tab_type = array( + "1" => "HARD", + "0" => "SOFT" +); +$tab_class = array( + "0" => "list_one", + "1" => "list_two" +); +$tab_status_host = array( + "0" => "UP", + "1" => "DOWN", + "2" => "UNREACHABLE" +); +$tab_status_service = array( + "0" => "OK", + "1" => "WARNING", + "2" => "CRITICAL", + "3" => "UNKNOWN" +); /* * Create IP Cache */ if ($export) { $HostCache = array(); - $DBRESULT = $pearDB->query("SELECT host_name, host_address FROM host WHERE host_register = '1'"); - while ($h = $DBRESULT->fetchRow()) { + $dbResult = $pearDB->query("SELECT host_name, host_address FROM host WHERE host_register = '1'"); + while ($h = $dbResult->fetch()) { $HostCache[$h["host_name"]] = $h["host_address"]; } - $DBRESULT->closeCursor(); + $dbResult->closeCursor(); } - $logs = array(); /* @@ -354,7 +366,7 @@ $innerJoinEngineLog = ""; if ($engine == "true" && isset($openid) && $openid != "") { - $innerJoinEngineLog = " inner join instances i on i.name = logs.instance_name AND i.instance_id IN (" . + $innerJoinEngineLog = " INNER JOIN instances i ON i.name = logs.instance_name AND i.instance_id IN (" . $pearDBO->escape($openid) . ") "; } 
@@ -609,14 +621,14 @@ if ($export !== "1") { $limitReq = " LIMIT " . $num * $limit . ", " . $limit; } - $DBRESULT = $pearDBO->query($req . $limitReq); + $dbResult = $pearDBO->query($req . $limitReq); $rows = $pearDBO->query("SELECT FOUND_ROWS()")->fetchColumn(); - if (!($DBRESULT->rowCount()) && ($num != 0)) { + if (!($dbResult->rowCount()) && ($num != 0)) { if ($export !== "1") { $limitReq2 = " LIMIT " . (floor($rows / $limit) * $limit) . ", " . $limit; } - $DBRESULT = $pearDBO->query($req . $limitReq2); + $dbResult = $pearDBO->query($req . $limitReq2); } $buffer->startElement("selectLimit"); @@ -632,18 +644,18 @@ */ $pageArr = array(); - $istart = 0; + $iStart = 0; - for ($i = 5, $istart = $num; $istart > 0 && $i > 0; $i--) { - $istart--; + for ($i = 5, $iStart = $num; $iStart > 0 && $i > 0; $i--) { + $iStart--; } - for ($i2 = 0, $iend = $num; ($iend < ($rows / $limit - 1)) && ($i2 < (5 + $i)); $i2++) { - $iend++; + for ($i2 = 0, $iEnd = $num; ($iEnd < ($rows / $limit - 1)) && ($i2 < (5 + $i)); $i2++) { + $iEnd++; } - for ($i = $istart; $i <= $iend; $i++) { - $pageArr[$i] = array("url_page" => "&num=$i&limit=" . $limit, "label_page" => ($i + 1), "num" => $i); + for ($i = $iStart; $i <= $iEnd; $i++) { + $pageArr[$i] = array("url_page" => "&num=" . $i . "&limit=" . $limit, "label_page" => ($i + 1), "num" => $i); } if ($i > 1) { @@ -719,7 +731,7 @@ * Full Request */ $cpts = 0; - while ($log = $DBRESULT->fetchRow()) { + while ($log = $dbResult->fetch()) { $buffer->startElement("line"); $buffer->writeElement("msg_type", $log["msg_type"]); $displayType = $log['type']; @@ -736,9 +748,8 @@ */ $color = ''; if (isset($log["status"])) { - if (isset($tab_color_service[$log["status"]]) && - isset($log["service_description"]) && - $log["service_description"] != "" + if (isset($tab_color_service[$log["status"]]) + && !empty($log["service_description"]) ) { $color = $tab_color_service[$log["status"]]; } elseif (isset($tab_color_host[$log["status"]])) { 
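Review bot: In the `@@ -736,9 +748,8 @@` hunk, `!empty($log["service_description"])` is not equivalent to the `isset(...) && ... != ""` pair it replaces. `empty()` is also true for the string `"0"`, so a service whose description is `0` now falls through to the host colour branch. If that change is not intended, `($log["service_description"] ?? "") !== ""` keeps the shorter form without the truthiness trap. The enclosing `if (isset($log["status"]))` block closes outside the hunk.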
@@ -747,7 +758,7 @@ } /* - * Variable initialisation to color "INITIAL STATE" on envent logs + * Variable initialisation to color "INITIAL STATE" on event logs */ if ($log["output"] == "" && $log["status"] != "") { $log["output"] = "INITIAL STATE"; @@ -766,9 +777,9 @@ if (!strncmp($log["host_name"], "_Module_Meta", strlen("_Module_Meta"))) { preg_match('/meta_([0-9]*)/', $log["service_description"], $matches); - $DBRESULT2 = $pearDB->query("SELECT meta_name FROM meta_service WHERE meta_id = '" . $matches[1] . "'"); - $meta = $DBRESULT2->fetchRow(); - $DBRESULT2->closeCursor(); + $dbResult2 = $pearDB->query("SELECT meta_name FROM meta_service WHERE meta_id = '" . $matches[1] . "'"); + $meta = $dbResult2->fetch(); + $dbResult2->closeCursor(); $buffer->writeElement("host_name", "Meta", false); $buffer->writeElement("real_service_name", $log["service_description"], false); $buffer->writeElement("service_description", $meta["meta_name"], false);
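Review bot: The meta-service lookup in the `@@ -766,9 +777,9 @@` hunk still builds its SQL by concatenating `$matches[1]`, and the result of `preg_match()` is not checked. The pattern `meta_([0-9]*)` limits the capture to digits, but it also accepts an empty capture. When nothing matches, `$matches[1]` is undefined, and if the query finds no row, `$dbResult2->fetch()` returns false before `$meta["meta_name"]` is read. Guarding with `if (preg_match('/meta_([0-9]+)/', $log["service_description"], $matches))` and binding `(int)$matches[1]` through a prepared statement would remove the string-built query. The enclosing `if` block continues outside the hunk.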