~ubuntu-branches/debian/squeeze/cacti/squeeze

Description: The fix for CVE-2013-1435 (command line injection) introduced

 a regression in the case that a COMMENT is inserted without trailing space.

Author: Gandalf <gandalf@cacti.net>

Origin: http://sourceforge.net/mailarchive/message.php?msg_id=31262712

 

--- a/lib/rrd.php

+++ b/lib/rrd.php

@@ -1296,20 +1296,20 @@

                $need_rrd_nl = TRUE;

 

                if ($graph_item_types{$graph_item["graph_type_id"]} == "COMMENT") {

+                       # perform variable substitution first (in case this will yield an empty results or brings command injection problems)

+                       $comment_arg = rrd_substitute_host_query_data($graph_variables["text_format"][$graph_item_id], $graph, $graph_item);

+                       # next, compute the argument of the COMMENT statement and perform injection counter measures

+                       if (trim($comment_arg) == '') { # an empty COMMENT must be treated with care

+                               $comment_arg = cacti_escapeshellarg(' ' . $hardreturn[$graph_item_id]);

+                       } else {

+                               $comment_arg = cacti_escapeshellarg($comment_arg . $hardreturn[$graph_item_id]);

+                       }

+

+                       # create rrdtool specific command line

                        if (read_config_option("rrdtool_version") != "rrd-1.0.x") {

-                               $comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id])) . " ";

-                               if (trim($comment_string) == 'COMMENT:"\n"') {

-                                       $txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work

-                               } else if (trim($comment_string) != "COMMENT:\"\"") {

-                                       $txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item);

-                               }

+                               $txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", $comment_arg) . " ";

                        }else {

-                               $comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id]) . " ";

-                               if (trim($comment_string) == 'COMMENT:"\n"') {

-                                       $txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work

-                               } else if (trim($comment_string) != "COMMENT:\"\"") {

-                                       $txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item);

-                               }

+                               $txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . $comment_arg . " ";

                        }

                }elseif (($graph_item_types{$graph_item["graph_type_id"]} == "GPRINT") && (!isset($graph_data_array["graph_nolegend"]))) {

                        $graph_variables["text_format"][$graph_item_id] = str_replace(":", "\:", $graph_variables["text_format"][$graph_item_id]); /* escape colons */