This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

fix(admin): add SQL and XSS protection of Administration Logs page #7038

Merged (3 commits) on Dec 28, 2018

Conversation

@vhr (Contributor) commented Dec 11, 2018

Resolve MON-3227

@@ -85,7 +85,9 @@ function searchUserName($user_name)
$contactList = array();
$DBRES = $pearDB->query("SELECT contact_id, contact_name, contact_alias FROM contact");
while ($row = $DBRES->fetchRow()) {
$contactList[$row["contact_id"]] = $row["contact_name"] . " (".$row["contact_alias"].")";
$contactList[$row["contact_id"]] = CentreonUtils::escapeSecure(
$row["contact_name"] . " (".$row["contact_alias"].")"
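Review bot: escaping is now applied when `$contactList` is built, so every consumer of that array receives HTML-escaped labels; confirm that the template rendering the list does not escape a second time (a contact name containing `&` would show up double-encoded) and that no other code path reads `$contactList` expecting raw values. Style: the concatenation `" (".$row["contact_alias"].")"` still lacks spaces around the dots, as already pointed out in review.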
Contributor
add space around dot

@@ -188,10 +190,13 @@ function searchUserName($user_name)
} else {
$query .= " AND ";
}
$query .= " object_type = '".$objects_type_tab[$otype]."' ";
$query .= " object_type = '".$pearDB->escape($objects_type_tab[$otype])."' ";
Contributor
add space around dot

$query .= " ORDER BY action_log_date DESC LIMIT ".$num * $limit.", ".$limit;

$query .= " ORDER BY action_log_date DESC LIMIT "
. (int)($num * $limit) . ", ". (int) $limit;
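Review bot: the `(int)` casts on the LIMIT clause are the right fix for the numeric parameters, but `(int)($num * $limit)` goes negative when `$num` is negative, which makes the query fail with a syntax error rather than being rejected up front; casting each operand first and clamping, e.g. `max(0, (int) $num * (int) $limit)`, keeps the offset well-formed. In the `object_type` line, `$pearDB->escape()` is applied to the looked-up value, but `$otype` itself is used as an array index without a visible check: an unknown key yields `escape(null)`, i.e. an empty string, and the filter silently matches nothing, so an `isset($objects_type_tab[$otype])` guard would make the failure explicit. Style: `", ". (int) $limit` should read `", " . (int) $limit`.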
Contributor
add space around dot

Resolve MON-3227
@@ -52,7 +52,7 @@ function searchUserName($user_name)
if ($str != "") {
$str .= ", ";
}
$str .= "'" . $row['contact_id'] . "'";
$str .= "'" . $pearDB->escape($row['contact_id']) . "'";
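Review bot: `contact_id` is an integer column in the `contact` table, so the appropriate hardening here is `(int) $row['contact_id']` rather than string escaping; a cast guarantees the value can only ever be a number, and once it is cast the surrounding single quotes in the IN list are no longer needed. Note that this value comes from the database rather than from the request, so the change is defence in depth rather than a fix for a directly reachable injection.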
Contributor
Why do you want to escape an integer value ?
In the centreon database, the structure of 'contact' indicates that contact_id is an integer.
When you are supposed to work with an integer value, please use the following syntax (int) $row['contact_id'].

Resolve MON-3227
@kduret kduret merged commit c67c1a2 into 2.8.x Dec 28, 2018
@kduret kduret deleted the MON-3227-admin-logs-XSS branch December 28, 2018 10:26
6 participants