fix(security) getObjectForSelect2 2.8.x #5918

Merged
merged 4 commits into from
Nov 27, 2017
7 changes: 6 additions & 1 deletion www/api/class/centreon_configuration_objects.class.php
Expand Up @@ -136,7 +136,12 @@ protected function retrieveExternalObjectDatas($externalObject, $values)
$options = $externalObject['objectOptions'];
}

$tmpValues = $externalObjectInstance->getObjectForSelect2($values, $options);
try {
$tmpValues = $externalObjectInstance->getObjectForSelect2($values, $options);
} catch (\Exception $e) {
print $e->getMessage();
}

} else {
$explodedValues = '';

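Review bot: After the catch added on L38–L40, `$tmpValues` is never assigned when getObjectForSelect2 throws, so the code that presumably consumes it later in retrieveExternalObjectDatas reads an undefined variable, and the handler writes the exception text straight into the response body with `print` while the request otherwise completes as a success. Initialise the variable before the try, `$tmpValues = array();` above `try {`, and replace `print $e->getMessage();` with a server-side log call or a rethrow so the API returns a consistent error instead of a partial body with a message pasted in. The identical handler is added in www/api/class/centreon_realtime_base.class.php and has the same problem. retrieveExternalObjectDatas starts and ends outside the hunk.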
7 changes: 5 additions & 2 deletions www/api/class/centreon_realtime_base.class.php
Expand Up @@ -141,8 +141,11 @@ protected function retrieveExternalObjectDatas($externalObject, $values)
if (isset($externalObject['objectOptions'])) {
$options = $externalObject['objectOptions'];
}

$tmpValues = $externalObjectInstance->getObjectForSelect2($values, $options);
try {
$tmpValues = $externalObjectInstance->getObjectForSelect2($values, $options);
} catch (\Exception $e) {
print $e->getMessage();
}
} else {
$explodedValues = '';

33 changes: 23 additions & 10 deletions www/class/centreonAclGroup.class.php
Expand Up @@ -53,28 +53,41 @@ public function __construct($db)
{
$this->db = $db;
}

/**
*
* @param type $values
* @return type
* @param array $values
* @param array $options
* @return array
* @throws Exception
*/
public function getObjectForSelect2($values = array(), $options = array())
{
$items = array();

$explodedValues = implode(',', $values);
if (empty($explodedValues)) {
$explodedValues = "''";
$explodedValues = '';
$queryValues = array();
if (!empty($values)) {
foreach ($values as $k => $v) {
$explodedValues .= '?,';
$queryValues[] = (int)$v;
}
$explodedValues = rtrim($explodedValues, ',');
} else {
$explodedValues .= '""';
}

# get list of selected timeperiods
$query = "SELECT acl_group_id, acl_group_name "
. "FROM acl_groups "
. "WHERE acl_group_id IN (" . $explodedValues . ") "
. "ORDER BY acl_group_name ";

$resRetrieval = $this->db->query($query);

$stmt = $this->db->prepare($query);
$resRetrieval = $this->db->execute($stmt, $queryValues);

if (PEAR::isError($resRetrieval)) {
throw new Exception('Bad acl group query params');
}

while ($row = $resRetrieval->fetchRow()) {
$items[] = array(
'id' => $row['acl_group_id'],
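Review bot: The placeholder loop on L88–L96 is copied verbatim into every class in this PR (centreonConnector, centreonContact, centreonContactgroup, centreonEscalation, centreonGMT, centreonGraphTemplate, centreonHostcategories), binds an unused `$k`, and in the `else` branch still issues a query whose IN-list is the literal `""`. Where an empty selection is meant to yield an empty list, an early return avoids the round trip and the array functions express the same parameterised query in three lines: `if (empty($values)) { return $items; }`, `$queryValues = array_map('intval', $values);`, `$explodedValues = implode(',', array_fill(0, count($queryValues), '?'));`. The `(int)` cast silently maps a non-numeric id to 0, which is safe for the WHERE clause but deserves a short comment so nobody later "fixes" it back to a string. getObjectForSelect2's body continues past the hunk.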
4 changes: 4 additions & 0 deletions www/class/centreonCommand.class.php
Expand Up @@ -333,6 +333,10 @@ public function getObjectForSelect2($values = array(), $options = array())
$stmt = $this->db->prepare($query);
$resRetrieval = $this->db->execute($stmt, $queryValues);

if (PEAR::isError($resRetrieval)) {
throw new Exception('Bad command query params');
}

while ($row = $resRetrieval->fetchRow()) {
$items[] = array(
'id' => $row['command_id'],
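Review bot: The check added on L123–L125 throws a fixed message and discards the PEAR_Error itself, so the driver's reason for the failed prepared statement is lost, while the API handlers in this PR print the exception message to the client. Keep the generic text for the caller but record the detail server-side before throwing, e.g. `error_log('getObjectForSelect2 command query failed: ' . $resRetrieval->getMessage());` above the `throw`. The same applies to the identical check added in www/class/centreonHost.class.php and to the PEAR::isError blocks in the other classes of this PR. getObjectForSelect2 starts and ends outside the hunk.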
23 changes: 17 additions & 6 deletions www/class/centreonConnector.class.php
Expand Up @@ -541,19 +541,30 @@ public static function getDefaultValuesParameters($field)
public function getObjectForSelect2($values = array(), $options = array())
{
$items = array();

$explodedValues = implode(',', $values);
if (empty($explodedValues)) {
$explodedValues = "''";
$explodedValues = '';
$queryValues = array();
if (!empty($values)) {
foreach ($values as $k => $v) {
$explodedValues .= '?,';
$queryValues[] = (int)$v;
}
$explodedValues = rtrim($explodedValues, ',');
} else {
$explodedValues .= '""';
}

# get list of selected connectors
$query = "SELECT id, name "
. "FROM connector "
. "WHERE id IN (" . $explodedValues . ") "
. "ORDER BY name ";

$resRetrieval = $this->db->query($query);
$stmt = $this->db->prepare($query);
$resRetrieval = $this->db->execute($stmt, $queryValues);

if (PEAR::isError($resRetrieval)) {
throw new Exception('Bad connector query params');
}

while ($row = $resRetrieval->fetchRow()) {
$items[] = array(
'id' => $row['id'],
21 changes: 17 additions & 4 deletions www/class/centreonContact.class.php
Expand Up @@ -207,9 +207,16 @@ public function getObjectForSelect2($values = array(), $options = array())
);
}

$explodedValues = implode(',', $values);
if (empty($explodedValues)) {
$explodedValues = "''";
$explodedValues = '';
$queryValues = array();
if (!empty($values)) {
foreach ($values as $k => $v) {
$explodedValues .= '?,';
$queryValues[] = (int)$v;
}
$explodedValues = rtrim($explodedValues, ',');
} else {
$explodedValues .= '""';
}

# get list of selected contacts
Expand All @@ -218,7 +225,13 @@ public function getObjectForSelect2($values = array(), $options = array())
. "WHERE contact_id IN (" . $explodedValues. ") "
. "ORDER BY contact_name ";

$resRetrieval = $this->db->query($query);
$stmt = $this->db->prepare($query);
$resRetrieval = $this->db->execute($stmt, $queryValues);

if (PEAR::isError($resRetrieval)) {
throw new Exception('Bad contact query params');
}

while ($row = $resRetrieval->fetchRow()) {
# hide unauthorized contacts
$hide = false;
21 changes: 17 additions & 4 deletions www/class/centreonContactgroup.class.php
Expand Up @@ -422,9 +422,16 @@ public function getObjectForSelect2($values = array(), $options = array())
}
}

$explodedValues = implode(',', $aElement);
if (empty($explodedValues)) {
$explodedValues = "''";
$explodedValues = '';
$queryValues = array();
if (!empty($aElement)) {
foreach ($aElement as $k => $v) {
$explodedValues .= '?,';
$queryValues[] = (int)$v;
}
$explodedValues = rtrim($explodedValues, ',');
} else {
$explodedValues .= '""';
}

# get list of selected contactgroups
Expand All @@ -433,7 +440,13 @@ public function getObjectForSelect2($values = array(), $options = array())
. "WHERE cg.cg_id IN (" . $explodedValues . ") "
. "ORDER BY cg.cg_name ";

$resRetrieval = $this->db->query($query);
$stmt = $this->db->prepare($query);
$resRetrieval = $this->db->execute($stmt, $queryValues);

if (PEAR::isError($resRetrieval)) {
throw new Exception('Bad contact group query params');
}

while ($row = $resRetrieval->fetchRow()) {
if (isset($row['cg_ldap_dn']) && $row['cg_ldap_dn'] != "") {
$cgName = $this->formatLdapContactgroupName($row['cg_name'], $row['ar_name']);
20 changes: 16 additions & 4 deletions www/class/centreonEscalation.class.php
Expand Up @@ -125,18 +125,30 @@ public function getObjectForSelect2($values = array(), $options = array())
$hcAcl = $centreon->user->access->getHostCategories();
}

$explodedValues = implode(',', $values);
if (empty($explodedValues)) {
$explodedValues = "''";
$explodedValues = '';
$queryValues = array();
if (!empty($values)) {
foreach ($values as $k => $v) {
$explodedValues .= '?,';
$queryValues[] = (int)$v;
}
$explodedValues = rtrim($explodedValues, ',');
} else {
$explodedValues .= '""';
}

# get list of selected host categories
$query = "SELECT hc_id, hc_name "
. "FROM hostcategories "
. "WHERE hc_id IN (" . $explodedValues . ") "
. "ORDER BY hc_name ";
$stmt = $this->db->prepare($query);
$resRetrieval = $this->db->execute($stmt, $queryValues);

if (PEAR::isError($resRetrieval)) {
throw new Exception('Bad escalation query params');
}

$resRetrieval = $this->db->query($query);
while ($row = $resRetrieval->fetchRow()) {
# hide unauthorized host categories
$hide = false;
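Review bot: The query on L269–L272 selects from hostcategories, but the exception added on L277 reports 'Bad escalation query params', so the message names the class rather than the statement that failed; the sibling in www/class/centreonHostcategories.class.php throws `'Bad host categories query params'` for the same SELECT. Either align the wording, `throw new Exception('Bad host categories query params');`, or include the calling class in the text so the two can be told apart when the message ends up in a log or, via the API handlers in this PR, in a response. getObjectForSelect2 starts before and ends after the hunk.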
23 changes: 17 additions & 6 deletions www/class/centreonGMT.class.php
Expand Up @@ -470,19 +470,30 @@ public function getList()
public function getObjectForSelect2($values = array(), $options = array())
{
$items = array();

$explodedValues = implode(',', $values);
if (empty($explodedValues)) {
$explodedValues = "''";
$explodedValues = '';
$queryValues = array();
if (!empty($values)) {
foreach ($values as $k => $v) {
$explodedValues .= '?,';
$queryValues[] = (int)$v;
}
$explodedValues = rtrim($explodedValues, ',');
} else {
$explodedValues .= '""';
}

# get list of selected timezones
$query = "SELECT timezone_id, timezone_name "
. "FROM timezone "
. "WHERE timezone_id IN (" . $explodedValues . ") "
. "ORDER BY timezone_name ";

$resRetrieval = $this->db->query($query);
$stmt = $this->db->prepare($query);
$resRetrieval = $this->db->execute($stmt, $queryValues);

if (PEAR::isError($resRetrieval)) {
throw new Exception('Bad timezone query params');
}

while ($row = $resRetrieval->fetchRow()) {
$items[] = array(
'id' => $row['timezone_id'],
29 changes: 21 additions & 8 deletions www/class/centreonGraphCurve.class.php
Expand Up @@ -82,26 +82,39 @@ public static function getDefaultValuesParameters($field)
}

/**
*
* @param array $values
* @param array $options
* @return array
* @throws Exception
*/
public function getObjectForSelect2($values = array(), $options = array())
{
$aInstanceList = array();

$selectedGraphCurves = "";
if (count($values)) {
$selectedGraphCurves = "WHERE compo_id IN (" . implode(',', $values) . ") ";
$explodedValues = '';
$queryValues = array();
if (!empty($values)) {
foreach ($values as $k => $v) {
$explodedValues .= '?,';
$queryValues[] = (int)$v;
}
$explodedValues = rtrim($explodedValues, ',');
$selectedGraphCurves = "WHERE compo_id IN (" . $explodedValues . ") ";
} else {
$selectedGraphCurves = '""';
}

$queryGraphCurve = "SELECT DISTINCT compo_id as id, name"
. " FROM giv_components_template "
. $selectedGraphCurves
. " ORDER BY name";

$DBRESULT = $this->db->query($queryGraphCurve);
while ($data = $DBRESULT->fetchRow()) {
$stmt = $this->db->prepare($queryGraphCurve);
$dbResult = $this->db->execute($stmt, $queryValues);

if (PEAR::isError($dbResult)) {
throw new Exception('Bad graph curve query params');
}

while ($data = $dbResult->fetchRow()) {
$graphCurveList[] = array(
'id' => $data['id'],
'text' => $data['name']
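Review bot: The `else` branch on L353–L355 sets `$selectedGraphCurves = '""';`, and L357–L360 concatenate that variable directly after the table name, so with an empty `$values` the statement reads `... FROM giv_components_template "" ORDER BY name` instead of the previous unfiltered SELECT; that most likely fails at prepare/execute and now surfaces as the 'Bad graph curve query params' exception. Here the variable holds a whole WHERE clause, not an IN-list item as in the other classes, so the pattern copied from them does not fit. If the empty case should still list every curve, restore `$selectedGraphCurves = '';`; if it should return nothing, use a complete clause such as `$selectedGraphCurves = "WHERE compo_id IN ('') ";`. Separately, L339 initialises `$aInstanceList` while the loop at L372 appends to `$graphCurveList`, which is pre-existing but leaves the latter undefined when no rows match; the function's return is outside the hunk.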
24 changes: 19 additions & 5 deletions www/class/centreonGraphTemplate.class.php
Expand Up @@ -78,15 +78,29 @@ public function __construct($db)
public function getObjectForSelect2($values = array(), $options = array(), $register = '1')
{
$items = array();

$explodedValues = implode(',', $values);
if (empty($explodedValues)) {
$explodedValues = "''";

$explodedValues = '';
$queryValues = array();
if (!empty($values)) {
foreach ($values as $k => $v) {
$explodedValues .= '?,';
$queryValues[] = (int)$v;
}
$explodedValues = rtrim($explodedValues, ',');
} else {
$explodedValues .= '""';
}

$query = "SELECT graph_id, name FROM giv_graphs_template
WHERE graph_id IN (" . $explodedValues . ") ORDER BY name";
$resRetrieval = $this->db->query($query);

$stmt = $this->db->prepare($query);
$resRetrieval = $this->db->execute($stmt, $queryValues);

if (PEAR::isError($resRetrieval)) {
throw new Exception('Bad graph template query params');
}

while ($row = $resRetrieval->fetchRow()) {
$items[] = array(
'id' => $row['graph_id'],
4 changes: 4 additions & 0 deletions www/class/centreonHost.class.php
Expand Up @@ -2259,6 +2259,10 @@ public function getObjectForSelect2($values = array(), $options = array(), $regi
$stmt = $this->db->prepare($query);
$resRetrieval = $this->db->execute($stmt, $queryValues);

if (PEAR::isError($resRetrieval)) {
throw new Exception('Bad host query params');
}

while ($row = $resRetrieval->fetchRow()) {
# hide unauthorized hosts
$hide = false;
21 changes: 17 additions & 4 deletions www/class/centreonHostcategories.class.php
Expand Up @@ -96,9 +96,16 @@ public function getObjectForSelect2($values = array(), $options = array())
$hcAcl = $centreon->user->access->getHostCategories();
}

$explodedValues = implode(',', $values);
if (empty($explodedValues)) {
$explodedValues = "''";
$explodedValues = '';
$queryValues = array();
if (!empty($values)) {
foreach ($values as $k => $v) {
$explodedValues .= '?,';
$queryValues[] = (int)$v;
}
$explodedValues = rtrim($explodedValues, ',');
} else {
$explodedValues .= '""';
}

# get list of selected host categories
Expand All @@ -107,7 +114,13 @@ public function getObjectForSelect2($values = array(), $options = array())
. "WHERE hc_id IN (" . $explodedValues . ") "
. "ORDER BY hc_name ";

$resRetrieval = $this->db->query($query);
$stmt = $this->db->prepare($query);
$resRetrieval = $this->db->execute($stmt, $queryValues);

if (PEAR::isError($resRetrieval)) {
throw new Exception('Bad host categories query params');
}

while ($row = $resRetrieval->fetchRow()) {
# hide unauthorized host categories
$hide = false;