From c67c1a2602f13b519cdf6c49db19039d2b4448ed Mon Sep 17 00:00:00 2001
From: Valentin Hristov
Date: Fri, 28 Dec 2018 12:26:07 +0200
Subject: [PATCH] fix(sec): add SQL and XSS protection of Administration Logs page (#7038)

---
 .../configChangelog/viewLogs.ihtml | 18 +++----
 .../configChangelog/viewLogs.php | 47 ++++++++++++-------
 2 files changed, 40 insertions(+), 25 deletions(-)

diff --git a/www/include/Administration/configChangelog/viewLogs.ihtml b/www/include/Administration/configChangelog/viewLogs.ihtml
index 0d76a131fef..e8e22628fc6 100644
--- a/www/include/Administration/configChangelog/viewLogs.ihtml
+++ b/www/include/Administration/configChangelog/viewLogs.ihtml
@@ -11,16 +11,16 @@
- - + + - + - + {php} include('./include/common/pagination.php'); {/php}
@@ -47,11 +47,11 @@
diff --git a/www/include/Administration/configChangelog/viewLogs.php b/www/include/Administration/configChangelog/viewLogs.php
index 5df5fec59b3..1592f75fc8d 100644
--- a/www/include/Administration/configChangelog/viewLogs.php
+++ b/www/include/Administration/configChangelog/viewLogs.php
@@ -52,7 +52,7 @@ function searchUserName($user_name)
 if ($str != "") {
 $str .= ", ";
 }
- $str .= "'" . $row['contact_id'] . "'";
+ $str .= "'" . (int) $row['contact_id'] . "'";
 }
 if ($str == "") {
 $str = "''";
@@ -85,7 +85,9 @@ function searchUserName($user_name)
 $contactList = array();
 $DBRES = $pearDB->query("SELECT contact_id, contact_name, contact_alias FROM contact");
 while ($row = $DBRES->fetchRow()) {
- $contactList[$row["contact_id"]] = $row["contact_name"] . " (".$row["contact_alias"].")";
+ $contactList[$row["contact_id"]] = CentreonUtils::escapeSecure(
+ $row["contact_name"] . " (" . $row["contact_alias"] . ")"
+ );
 }
 
 if (isset($_POST["searchO"])) {
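Review bot: In the -85 hunk the HTML escaping is applied while `$contactList` is being built from the `contact` table rather than at the point where the value is rendered, so every later consumer of `$contactList` (outside this hunk) receives already-escaped text, which double-encodes if the array is passed through `htmlentities` or `escapeSecure` again and hides the raw name from any non-HTML use. A narrower option is to keep the raw `name (alias)` string here and escape it where it is assigned to the template. In the -52 hunk the `(int)` cast on `contact_id` is a reasonable belt-and-braces step for a value read back from the database; once the value is an integer the surrounding single quotes are no longer needed, e.g. `$str .= (int) $row['contact_id'];`. The enclosing function (searchUserName, per the hunk header) continues outside both hunks.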
@@ -188,10 +190,13 @@ function searchUserName($user_name)
 } else {
 $query .= " AND ";
 }
- $query .= " object_type = '".$objects_type_tab[$otype]."' ";
+ $query .= " object_type = '" . $pearDB->escape($objects_type_tab[$otype]) . "' ";
 }
 }
-$query .= " ORDER BY action_log_date DESC LIMIT ".$num * $limit.", ".$limit;
+
+$query .= " ORDER BY action_log_date DESC LIMIT "
+ . (int) ($num * $limit) . ", " . (int) $limit;
+
 $DBRESULT = $pearDBO->query($query);
 
 /* Get rows number */
@@ -201,7 +206,9 @@ function searchUserName($user_name)
 $elemArray = array();
 while ($res = $DBRESULT->fetchRow()) {
 if ($res['object_id']) {
- $objectName = str_replace(array('#S#', '#BS#'), array("/", "\\"), $res["object_name"]);
+ $objectName = CentreonUtils::escapeSecure(
+ str_replace(array('#S#', '#BS#'), array("/", "\\"), $res["object_name"])
+ );
 
 if ($res['object_type'] == "service") {
 $tmp = $centreon->CentreonLogAction->getHostId($res['object_id']);
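Review bot: The LIMIT clause in the -188 hunk casts the product `$num * $limit` but not its operands, so a non-numeric `$num` or `$limit` (where they come from is outside the hunk) raises a non-numeric-value warning on PHP 7 and a TypeError on PHP 8 before the cast runs, and a negative value still yields an invalid `LIMIT -10, 10`. Cast and clamp the operands first: `$offset = max(0, (int) $num) * max(0, (int) $limit);` and `$query .= " ORDER BY action_log_date DESC LIMIT " . $offset . ", " . max(0, (int) $limit);`. In the same hunk the looked-up `$objects_type_tab[$otype]` is now escaped, but nothing visible checks that `$otype` is a key of `$objects_type_tab`; an unknown key gives null, an undefined-index notice and `object_type = ''`, so the guard belongs in the `if` that begins above the hunk, e.g. `isset($objects_type_tab[$otype])`. The -201 hunk escapes `$objectName` before the `$res['object_type'] == "service"` test, which is fine because that test reads `$res`, not the escaped copy.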
@@ -210,22 +217,30 @@ function searchUserName($user_name)
 $tmp2 = $centreon->CentreonLogAction->getHostId($res['object_id']);
 $tabHost = split(',', $tmp2["h"]);
 if (count($tabHost) == 1) {
- $host_name = $centreon->CentreonLogAction->getHostName($tmp2["h"]);
+ $host_name = CentreonUtils::escapeSecure(
+ $centreon->CentreonLogAction->getHostName($tmp2["h"])
+ );
 } elseif (count($tabHost) > 1) {
 $hosts = array();
 foreach ($tabHost as $key => $value) {
- $hosts[] = $centreon->CentreonLogAction->getHostName($value);
+ $hosts[] = CentreonUtils::escapeSecure(
+ $centreon->CentreonLogAction->getHostName($value)
+ );
 }
 }
 } elseif (isset($tmp['hg'])) {
 $tmp2 = $centreon->CentreonLogAction->getHostId($res['object_id']);
 $tabHost = split(',', $tmp2["hg"]);
 if (count($tabHost) == 1) {
- $hg_name = $centreon->CentreonLogAction->getHostGroupName($tmp2["hg"]);
+ $hg_name = CentreonUtils::escapeSecure(
+ $centreon->CentreonLogAction->getHostGroupName($tmp2["hg"])
+ );
 } elseif (count($tabHost) > 1) {
 $hostgroups = array();
 foreach ($tabHost as $key => $value) {
- $hostgroups[] = $centreon->CentreonLogAction->getHostGroupName($value);
+ $hostgroups[] = CentreonUtils::escapeSecure(
+ $centreon->CentreonLogAction->getHostGroupName($value)
+ );
 }
 }
 }
@@ -236,7 +251,7 @@ function searchUserName($user_name)
 if (isset($host_name) && $host_name != '') {
 $elemArray[] = array(
 "date" => date('Y/m/d H:i:s', $res['action_log_date']),
- "type" => $res['object_type'],
+ "type" => CentreonUtils::escapeSecure($res['object_type']),
 "object_name" => $objectName,
 "action_log_id" => $res['action_log_id'],
 "object_id" => $res['object_id'],
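Review bot: `$tmp2 = $centreon->CentreonLogAction->getHostId($res['object_id']);` in both branches of the -210 hunk repeats the call whose result is already held in `$tmp` at the end of the previous hunk, with the same argument, so every service row does the lookup at least twice; reusing `$tmp` and dropping the `$tmp2` alias removes the extra round trips. The `split(',', $tmp2["h"])` and `split(',', $tmp2["hg"])` context lines on the new side use the POSIX-regex function that PHP 7 removed; `explode(',', ...)` is the drop-in replacement for a literal comma. The escaping itself is applied consistently to all four host/hostgroup name assignments. The enclosing while loop starts and ends outside the hunk.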
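Review bot: `"type" => CentreonUtils::escapeSecure($res['object_type'])` is now repeated in the four near-identical array literals of the -236, -249, -262 and -275 hunks; escaping once next to `$objectName`, e.g. `$objectType = CentreonUtils::escapeSecure($res['object_type']);`, and writing `"type" => $objectType` in each branch keeps the four literals in step if the escaping rule changes. The `isset($host_name)` / `isset($hosts)` / `isset($hg_name)` / `isset($hostgroups)` chain these hunks belong to only works if those variables are reset for every row; whether the loop does that is outside the hunks, and if it does not, a value left over from a previous row would select the wrong branch. The if/elseif chain begins and ends outside the hunk.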
@@ -249,7 +264,7 @@ function searchUserName($user_name)
 } elseif (isset($hosts) && count($hosts) != 1) {
 $elemArray[] = array(
 "date" => date('Y/m/d H:i:s', $res['action_log_date']),
- "type" => $res['object_type'],
+ "type" => CentreonUtils::escapeSecure($res['object_type']),
 "object_name" => $objectName,
 "action_log_id" => $res['action_log_id'],
 "object_id" => $res['object_id'],
@@ -262,7 +277,7 @@ function searchUserName($user_name)
 } elseif (isset($hg_name) && $hg_name != '') {
 $elemArray[] = array(
 "date" => date('Y/m/d H:i:s', $res['action_log_date']),
- "type" => $res['object_type'],
+ "type" => CentreonUtils::escapeSecure($res['object_type']),
 "object_name" => $objectName,
 "action_log_id" => $res['action_log_id'],
 "object_id" => $res['object_id'],
@@ -275,7 +290,7 @@ function searchUserName($user_name)
 } elseif (isset($hostgroups) && count($hostgroups) != 1) {
 $elemArray[] = array(
 "date" => date('Y/m/d H:i:s', $res['action_log_date']),
- "type" => $res['object_type'],
+ "type" => CentreonUtils::escapeSecure($res['object_type']),
 "object_name" => $objectName,
 "action_log_id" => $res['action_log_id'],
 "object_id" => $res['object_id'],
@@ -316,10 +331,10 @@ function searchUserName($user_name)
 $tpl->assign('search_object_str', _("Object"));
 $tpl->assign('search_user_str', _("User"));
 $tpl->assign('Search', _('Search'));
-$tpl->assign('searchO', htmlentities($searchO));
-$tpl->assign('searchU', htmlentities($searchU));
+$tpl->assign('searchO', CentreonUtils::escapeSecure($searchO));
+$tpl->assign('searchU', CentreonUtils::escapeSecure($searchU));
 $tpl->assign('obj_str', _("Object Type"));
-$tpl->assign('type_id', $otype);
+$tpl->assign('type_id', urlencode($otype));
 $tpl->assign('event_type', _("Event Type"));
 $tpl->assign('time', _("Time"));
 
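Review bot: `urlencode($otype)` in the -316 hunk is a URL-context escaper, while `type_id` is a template variable whose rendering context is not visible here; if the template emits it into an HTML attribute or compares it against option values, `urlencode` turns spaces into `+` and only happens to neutralise markup characters as a side effect of being the wrong escaper for that context. Since `$otype` is used as a key into `$objects_type_tab` (see the -188 hunk), the more precise fix is to validate it once before the query is built, `$otype = isset($objects_type_tab[$otype]) ? $otype : '';`, and then assign the validated key with `CentreonUtils::escapeSecure($otype)` for consistency with `searchO` and `searchU` two lines above. The `htmlentities` to `escapeSecure` swap for `searchO`/`searchU` covers the template output; whether those two strings are also escaped where they feed the SQL filter is outside these hunks.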
  {$elem.type} {if $elem.host != ''} - {$elem.host} / {$elem.object_name} + {$elem.host} / {$elem.object_name} {elseif $elem.hostgroup != ''} - {$elem.hostgroup} / {$elem.object_name} + {$elem.hostgroup} / {$elem.object_name} {elseif $elem.hosts} - + ( {assign var=flag value=0} {foreach key=key2 item=item2 from=$elem.hosts} @@ -61,7 +61,7 @@ {/foreach} ) {$elem.object_name} {elseif $elem.hostgroups} - + ( {assign var=flag value=0} {foreach key=key2 item=item2 from=$elem.hostgroups} @@ -71,7 +71,7 @@ {/foreach} ) {$elem.object_name} {else} - {$elem.object_name} + {$elem.object_name} {/if} {$elem.author}