This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

fix: rce vulnerability when using testing feature
sc979 committed Feb 26, 2019
1 parent de1f270 commit aa399be
Showing 1 changed file with 12 additions and 9 deletions.
21 changes: 12 additions & 9 deletions www/include/configuration/configObject/command/minPlayCommand.php
@@ -1,7 +1,7 @@
<?php
/*
* Copyright 2005-2015 Centreon
* Centreon is developped by : Julien Mathis and Romain Le Merlus under
* Copyright 2005-2019 Centreon
* Centreon is developed by : Julien Mathis and Romain Le Merlus under
* GPL Licence 2.0.
*
* This program is free software; you can redistribute it and/or modify it under
@@ -54,9 +54,11 @@

/* Get resources in DB and replace by the value */
while (preg_match("/@DOLLAR@USER([0-9]+)@DOLLAR@/", $resource_def, $matches) and $error_msg == "") {
$query = "SELECT resource_line FROM cfg_resource WHERE resource_name = '\$USER" . $matches[1] . "\$' LIMIT 1";
$DBRESULT = $pearDB->query($query);
$resource = $DBRESULT->fetchRow();
$query = "SELECT resource_line FROM cfg_resource WHERE resource_name = :matches LIMIT 1";
$DBRESULT = $pearDB->prepare($query);
$DBRESULT->bindValue(':matches', "\$USER" . $matches[1] . "\$" , PDO::PARAM_STR);
$DBRESULT->execute();
$resource = $DBRESULT->fetch();
if (!isset($resource["resource_line"])) {
$error_msg .= "\$USER" . $matches[1] . "\$";
} else {
@@ -84,10 +86,11 @@
$resource_def = str_replace("@DOLLAR@ARG" . $match_id . "@DOLLAR@", $args[$match_id], $resource_def);
$resource_def = str_replace('$', '@DOLLAR@', $resource_def);
if (preg_match("/@DOLLAR@USER([0-9]+)@DOLLAR@/", $resource_def, $matches)) {
$query = "SELECT resource_line FROM cfg_resource " .
"WHERE resource_name = '\$USER" . $matches[1] . "\$' LIMIT 1";
$DBRESULT = $pearDB->query($query);
$resource = $DBRESULT->fetchRow();
$query = "SELECT resource_line FROM cfg_resource WHERE resource_name = :matches LIMIT 1";
$DBRESULT = $pearDB->prepare($query);
$DBRESULT->bindValue(':matches', "\$USER" . $matches[1] . "\$", PDO::PARAM_STR);
$DBRESULT->execute();
$resource = $DBRESULT->fetch();
if (!isset($resource["resource_line"])) {
$error_msg .= "\$USER" . $match_id . "\$";
} else {
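Review bot: In the `@@ -84,10 +86,11 @@` hunk, `$args[$match_id]` is still substituted into `$resource_def` without escaping, and that is the path a commit titled as an RCE fix would be expected to close. The value bound in both new prepared statements was already restricted to digits by the `([0-9]+)` pattern, so the parameterized lookup is sound hardening but, as far as the visible lines show, does not change what ends up in the command string. If `$resource_def` is later run through a shell (that code is outside the visible hunks), quote the argument where it is substituted, e.g. `str_replace("@DOLLAR@ARG" . $match_id . "@DOLLAR@", escapeshellarg($args[$match_id]), $resource_def)`, after checking that the command templates do not already wrap the macro in quotes. Separately, the error branch of this hunk reports `$match_id` where the `@@ -54,9 +54,11 @@` hunk reports `$matches[1]`; `$error_msg .= "\$USER" . $matches[1] . "\$";` would name the macro that was actually missing.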