fix(DB): protect xml against injection in services by hg page

centreon · Mar 12, 2019 · 79f9244 · 79f9244
1 parent 1368927
commit 79f9244
Showing 1 changed file with 56 additions and 13 deletions.
diff --git a/www/include/monitoring/status/ServicesHostGroups/xml/serviceGridByHGXML.php b/www/include/monitoring/status/ServicesHostGroups/xml/serviceGridByHGXML.php
@@ -33,7 +33,7 @@
  *
  */
 
-require_once realpath(dirname(__FILE__) . "/../../../../../../config/centreon.config.php");
+require_once realpath(__DIR__ . "/../../../../../../config/centreon.config.php");
 require_once realpath(__DIR__ . "/../../../../../../bootstrap.php");
 
 include_once _CENTREON_PATH_ . "www/class/centreonUtils.class.php";
@@ -48,7 +48,6 @@
 $obj = new CentreonXMLBGRequest($dependencyInjector, session_id(), 1, 1, 0, 1);
 $svcObj = new CentreonService($obj->DB);
 
-
 if (isset($obj->session_id) && CentreonSession::checkSession($obj->session_id, $obj->DB)) {
     ;
 } else {
@@ -79,6 +78,7 @@
 $order = $obj->checkArgument("order", $_GET, "ASC");
 $dateFormat = $obj->checkArgument("date_time_format_status", $_GET, "Y/m/d H:i:s");
 $grouplistStr = $obj->access->getAccessGroupsString();
+$queryValues = array();
 
 //Get Host status
 $rq1 = "SELECT SQL_CALC_FOUND_ROWS DISTINCT hg.name AS alias, h.host_id id, h.name AS host_name, hgm.hostgroup_id, " .
@@ -97,7 +97,10 @@
         $obj->access->queryBuilder("AND", "hg.name", $obj->access->getHostGroupsString("NAME"));
 }
 if ($instance != -1) {
-    $rq1 .= " AND h.instance_id = " . $instance;
+    $rq1 .= " AND h.instance_id = :instance";
+    $queryValues[':instance'] = [
+        PDO::PARAM_INT => (int) $instance
+    ];
 }
 if ($o == "svcgrid_pb" || $o == "svcOVHG_pb") {
     $rq1 .= " AND h.host_id IN (" .
@@ -115,21 +118,44 @@
         "WHERE s.acknowledged = 1 AND s.state != 0 AND s.state != 4 AND s.enabled = 1)";
 }
 if ($search != "") {
-    $rq1 .= " AND h.name LIKE '%" . $search . "%' ";
+    $rq1 .= " AND h.name LIKE :search";
+    $queryValues[':search'] = [
+        PDO::PARAM_STR => "%" . $search . "%"
+    ];
 }
 if ($hostgroups) {
-    $rq1 .= " AND hg.hostgroup_id IN (" . $hostgroups . ")";
+    $rq1 .= " AND hg.hostgroup_id IN :hostgroups";
+    $queryValues[':hostgroups'] = [
+        PDO::PARAM_STR => "(" . $hostgroups . ")"
+    ];
 }
-$rq1 .= " AND h.enabled = 1 ";
-$rq1 .= " ORDER BY $sort_type, hg.name $order, host_name ASC ";
-$rq1 .= " LIMIT " . ($num * $limit) . "," . $limit;
+$rq1 .= " AND h.enabled = 1 ORDER BY :sort_type :order, host_name ASC LIMIT :numLimit, :limit";
+$queryValues[':sort_type'] = [
+    PDO::PARAM_STR => $sort_type
+];
+$queryValues[':order'] = [
+    PDO::PARAM_STR => $order
+];
+$queryValues[':numLimit'] = [
+    PDO::PARAM_INT => (int) ($num * $limit)
+];
+$queryValues[':limit'] = [
+    PDO::PARAM_INT => (int) $limit
+];
 
 $tabH = array();
 $tabHG = array();
 $tab_finalH = array();
 
-$DBRESULT = $obj->DBC->query($rq1);
-$numRows = $obj->DBC->rowCount();
+$DBRESULT = $obj->DBC->prepare($rq1);
+foreach ($queryValues as $bindId => $bindData) {
+    foreach ($bindData as $bindType => $bindValue) {
+        $DBRESULT->bindValue($bindId, $bindValue, $bindType);
+    }
+}
+$DBRESULT->execute();
+
+$numRows = $DBRESULT->rowCount();
 while ($ndo = $DBRESULT->fetch()) {
     if (!isset($tab_finalH[$ndo["alias"]])) {
         $tab_finalH[$ndo["alias"]] = array($ndo["host_name"] => array());
@@ -142,6 +168,9 @@
 }
 $DBRESULT->closeCursor();
 
+// Resetting $queryValues
+$queryValues = array();
+
 // Get Services status
 $rq1 = "SELECT DISTINCT s.service_id, h.name as host_name, s.description, s.state svcs, " .
     "(CASE s.state WHEN 0 THEN 3 WHEN 2 THEN 0 WHEN 3 THEN 2 ELSE s.state END) AS tri " .
@@ -166,16 +195,30 @@
     $rq1 .= " AND s.acknowledged = 0";
 }
 if ($search != "") {
-    $rq1 .= " AND h.name LIKE '%" . $search . "%'";
+    $rq1 .= " AND h.name LIKE :search";
+    $queryValues[":search"] = [
+        PDO::PARAM_STR => "%" . $search . "%"
+    ];
 }
 if ($instance != -1) {
-    $rq1 .= " AND h.instance_id = " . $instance;
+    $rq1 .= " AND h.instance_id = instance ";
+    $queryValues[":instance"] = [
+        PDO::PARAM_INT => $instance
+    ];
 }
 $rq1 .= " ORDER BY tri ASC, s.description ASC";
 
 $tabService = array();
 $tabHost = array();
-$DBRESULT = $obj->DBC->query($rq1);
+
+$DBRESULT = $obj->DBC->prepare($rq1);
+foreach ($queryValues as $bindId => $bindData) {
+    foreach ($bindData as $bindType => $bindValue) {
+        $DBRESULT->bindValue($bindId, $bindValue, $bindType);
+    }
+}
+$DBRESULT->execute();
+
 while ($ndo = $DBRESULT->fetch()) {
     if (!isset($tabService[$ndo["host_name"]])) {
         $tabService[$ndo["host_name"]] = array();