mirrors
/
Monitorix
mirror of https://github.com/mikaku/Monitorix.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

added sanitization of CGI variables #203

This commit is contained in:
Jordi Sanfeliu 2018-03-02 13:00:56 +01:00
parent 677ddbcfbc
commit ce702bce45
1 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
monitorix.cgi
View File

@ -285,6 +285,23 @@ if($mode ne "localhost") {
($mode, $val) = split(/\./, $mode); ($mode, $val) = split(/\./, $mode);
} }
# this should disarm all XSS and Cookie Injection attempts
my $OK_CHARS='-a-zA-Z0-9_'; # a restrictive list of valid chars
$graph =~ s/[^$OK_CHARS]/_/go; # only $OK_CHARS are allowed
$mode =~ s/[^$OK_CHARS]/_/go; # only $OK_CHARS are allowed
$when =~ s/[^$OK_CHARS]/_/go; # only $OK_CHARS are allowed
$color =~ s/[^$OK_CHARS]/_/go; # only $OK_CHARS are allowed
$val =~ s/[^$OK_CHARS]/_/go; # only $OK_CHARS are allowed
$silent =~ s/[^$OK_CHARS]/_/go; # only $OK_CHARS are allowed
#$graph =~ s/\&/&/g;
#$graph =~ s/\</&lt;/g;
#$graph =~ s/\>/&gt;/g;
#$graph =~ s/\"/&quot;/g;
#$graph =~ s/\'/&#x27;/g;
#$graph =~ s/\(/&#x28;/g;
#$graph =~ s/\)/&#x29;/g;
#$graph =~ s/\//&#x2F;/g;
if(lc($config{httpd_builtin}->{enabled}) ne "y") { if(lc($config{httpd_builtin}->{enabled}) ne "y") {
print("Content-Type: text/html\n"); print("Content-Type: text/html\n");