This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

fix(xss): fix SQL injection for GET parameter #7229

Merged (1 commit) on Feb 28, 2019

Conversation

@miteto (Contributor) commented Feb 26, 2019

Fix SQL injection

Fix possible injection in $_GET['host_id']

  • Fix $_GET['host_id'] => parse it as integer
  • remove unnecessary ';' in code

Fixes #MON-3309

Type of change: fix

  • Patch fixing an issue (non-breaking change)

Target series

  • 18.10.x
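The change the description lists, treating `host_id` as an integer instead of a string before it reaches the query, is illustrated in the added PHP example below. This is not Centreon's code; the `host` table, the `host_name` column and the PDO connection are assumptions made for illustration.

```php
<?php
// Added example, not Centreon's code. Shows the injection pattern the PR
// describes and the integer-typing fix it applies to $_GET['host_id'].
// Table name, column name and the PDO connection are assumptions.

/**
 * VULNERABLE: the raw GET value is concatenated into SQL text, so any
 * non-numeric input changes the meaning of the query.
 */
function buildHostQueryVulnerable(array $get): string
{
    $hostId = $get['host_id'] ?? '';
    return "SELECT host_name FROM host WHERE host_id = " . $hostId;
}

/**
 * FIXED: validate the parameter as an integer before it is used anywhere.
 * FILTER_VALIDATE_INT returns false for anything that is not a whole
 * integer, so non-numeric input is rejected instead of being coerced.
 * Returning null lets the caller refuse the request rather than silently
 * querying host 0 (which is what a bare (int) cast of junk would give).
 */
function parseHostId(array $get): ?int
{
    if (!isset($get['host_id'])) {
        return null;
    }
    $hostId = filter_var($get['host_id'], FILTER_VALIDATE_INT);
    return $hostId === false ? null : $hostId;
}

/**
 * Belt and braces: even with a validated integer, bind it as a typed
 * parameter so the value never becomes part of the SQL string.
 */
function fetchHostName(PDO $db, int $hostId): ?string
{
    $stmt = $db->prepare("SELECT host_name FROM host WHERE host_id = :host_id");
    $stmt->bindValue(':host_id', $hostId, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Demonstration on constructed input (no database needed for these calls).
$valid   = ['host_id' => '42'];
$crafted = ['host_id' => '1 OR 1=1'];   // constructed non-numeric value

echo buildHostQueryVulnerable($crafted), PHP_EOL; // WHERE host_id = 1 OR 1=1 (matches every row)
var_dump(parseHostId($valid));                   // int(42)
var_dump(parseHostId($crafted));                 // NULL: rejected before any query is built
var_dump((int) $crafted['host_id']);             // int(1): a plain cast keeps only the leading digits
```

A plain `(int)` cast also removes the injection, but it maps every non-numeric value to 0 or to the leading digits; `FILTER_VALIDATE_INT` makes the bad input visible so the request can be rejected and logged, and binding with `PDO::PARAM_INT` means the query stays safe even if a later edit forgets the validation.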

@sc979 sc979 force-pushed the MON-3309-fix-sql-injection branch from 2db2327 to 0d6ab35 on February 28, 2019 10:53
@sc979 (Contributor) commented Feb 28, 2019

As this file has been unused since a previous major release, it needs to be deleted.

@sc979 (Contributor) commented Feb 28, 2019

The original PR from @gquere is here: https://github.com/centreon/centreon/pull/7087

@miteto miteto merged commit 3b2b1d1 into 18.10.x Feb 28, 2019
@miteto miteto deleted the MON-3309-fix-sql-injection branch February 28, 2019 12:52
sc979 added a commit that referenced this pull request Mar 12, 2019
…7229)

* fix(deadCode): removing file unused since a previous major release (#7229)
victorvassilev added a commit that referenced this pull request Mar 22, 2019
* fix(security): fix vulnerability for file loading
Disallow inclusion of files from incorrect folders in broker performance.
Resolves: MON-3312

* style: psr2

* feat(clapi) add acknowledgement in clapi

* add acknowledgement by clapi
* add doc
* add acceptance

* fix(deadCode): removing file unused since a previous major release (#7229)

* enh(doc): improved English documentation, thanks to jefestyler (#7238)

* fix(doc): add entry in toc and correct table format

* Doc improve install chapters (#7239)

* fix(doc): readd quickstart shortlink
* enh(doc): add configuration of proxy in post installation

* fix(front): manage properly session expiration + avoid login inception (#7202)

* fix(sec): allow to set illegal characters for centcore (#7206)

* fix(sec): allow to set illegal characters for centcore

* add french translation for centcore illegal characters

* update properly centcore parameter in database

* move upgrade script

* fix(secu): rce vulnerability when using command's testing feature (#7232)

* fix(secu): Authenticated RCE in minPlayCommand.php
Concatenation of unsanitized command_hostaddress GET parameter to shell_exec leads to remote code execution.

* fix: rce vulnerability when using testing feature
* release note for 19.04.0
* style(PSR2)

* enh(CI): fixing UTF warnings

* feat(API) API to Get/Set/Export/Import Command Arg Descriptions

* feat(API) Add showinstance CLAPI command to Host  (#7199)

* enh(doc): Improved disk space calculation table

* enh(doc): add workbook to calculate the size of the platform

* doc(release notes): Add missing release notes from 2.8.x

* enh(doc): improve poller configuration

Conflicts:
	doc/en/administration_guide/poller/wizard_add_poller.rst

* enh(doc): Add custom code description for SNMP trap

* fix(doc): Remove 2.5 description in trap documentation

* enh(doc): add order of achievement of actions by the centreontrapd process

* fix(doc): correct location of database conf for trap on poller - ref #7011

* fix(doc): correct typo

* fix(doc): remove unused image

* fix(doc): enable services after remote server installation (#7027)

* fix(doc): enable services after remote server installation
* fix(doc): add enable_services.rst

* enh(doc): Update upgradetoCentreon18.10.rst (#6934)

Update FR & EN chapter to manage MySQL migration from Centreon 3.4.x to Centreon 18.10.x

* fix(doc): describe directory of XML files for partitioning

* enh(ui) : indent third level menu (#7251)

* enh(DT): fix search filter for recurrent downtimes (#7201)

* Mon 3112 fix source install (#7160)

* fix(install): fix installation from sources on 18.10.x

* fix(security): fix vulnerability for file loading
Disallow inclusion of files from incorrect folders in broker performance.
Resolves: MON-3312

* style: psr2