Zabbix 1.6.2 has multiple vulnerabilities: code execution, local file inclusion and cross-site request forgery. See [1] and [2] for details.
Fix: Two patches that are fixing all mentioned vulnerabilities are below.
Patch for vulnerability 'B' from USH-162 advisory, http://www.ush.it/team/ush/hack-zabbix_162/adv.txt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Obtained from svn://svn.zabbix.com/branches/1.6/frontends/php/
This hunk adds functionality to check the 'sessionid' variable using cookie named 'zbx_sessionid' and thus preventing easy CSRFs. Whitespace-only changes were mostly removed.
Index: frontends/php/include/perm.inc.php
===================================================================
--- frontends/php/include/perm.inc.php (revision 6620)
+++ frontends/php/include/perm.inc.php (revision 6621)
@@ -44,7 +44,7 @@
 $USER_DETAILS = NULL;
 $login = FALSE;
- $sessionid = get_cookie('zbx_sessionid');
+ $sessionid = get_request('sessionid',get_cookie('zbx_sessionid'));
 if(!is_null($sessionid)){
 $sql = 'SELECT u.*,s.* '.
Index: frontends/php/include/validate.inc.php
===================================================================
--- frontends/php/include/validate.inc.php (revision 6620)
+++ frontends/php/include/validate.inc.php (revision 6621)
@@ -428,8 +429,12 @@
 }
 }
 else if($opt == O_OPT){
- if(!isset($_REQUEST[$field]))
+ if(!isset($_REQUEST[$field])){
 return ZBX_VALID_OK;
+ }
+ else if(($flags&P_ACT) && !isset($_REQUEST['zbx_form'])){
+ return ZBX_VALID_ERROR;
+ }
 }
 check_trim($_REQUEST[$field]);
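Review bot: `$sessionid = get_request('sessionid',get_cookie('zbx_sessionid'))` makes a request parameter replace the cookie as the session identifier instead of being checked against it, so the anti-CSRF value is the session id itself and a request that carries a valid `sessionid` is authenticated even without the cookie. That puts a usable session identifier into query strings, where it is exposed through the Referer header, browser history and access logs, and it lets whoever holds any valid id switch the request to that session. Treating the parameter purely as a token keeps the cookie as the only source of identity: `$sessionid = get_cookie('zbx_sessionid'); if(isset($_REQUEST['sessionid']) && $_REQUEST['sessionid'] !== $sessionid) $sessionid = NULL;`. Whether any caller depends on a parameter-only session should be confirmed first (the Ajax paths later in this page send the cookie as well, and the final patch on the page renames the parameter to `sid`); the enclosing function continues outside the hunk.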
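Review bot: The new `else if` only tests that `zbx_form` is present, and `CForm` fills it with the constant `'action'`, so on its own this branch rejects nothing that an externally crafted form could not also supply. What actually ties a P_ACT request to the user is spread over two other places: the `$system_fields` hunk below gives `sessionid` the exception `'isset({zbx_form})'` (which, judging by how `password`/`enter` use that column in index.php, makes the field mandatory and HEX-checked once `zbx_form` is set), and perm.inc.php then authenticates from that value. That three-file coupling deserves a comment on the new branch, e.g. `// CSRF guard: zbx_form marks a CForm submission, and its presence makes sessionid (copied from the session cookie) mandatory via $system_fields; a form from another origin cannot supply it`. The enclosing function starts and ends outside the hunk.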
@@ -458,17 +463,21 @@
 return ZBX_VALID_OK;
 }
-// VAR TYPE OPTIONAL FLAGS VALIDATION EXCEPTION
+// VAR TYPE OPTIONAL FLAGS VALIDATION EXCEPTION
 $system_fields=array(
- "sessionid"=> array(T_ZBX_STR, O_OPT, P_SYS, HEX(),NULL),
- "switch_node"=> array(T_ZBX_INT, O_OPT, P_SYS, DB_ID,NULL),
- "triggers_hash"=> array(T_ZBX_STR, O_OPT, P_SYS, NOT_EMPTY,NULL),
- 'print'=> array(T_ZBX_INT, O_OPT, P_SYS, IN("1"),NULL),
+ 'sessionid'=> array(T_ZBX_STR, O_OPT, P_SYS, HEX(), 'isset({zbx_form})'),
+ 'zbx_form'=> array(T_ZBX_STR, O_OPT, P_SYS, NOT_EMPTY, NULL),
+//
+ 'switch_node'=> array(T_ZBX_INT, O_OPT, P_SYS, DB_ID,NULL),
+ 'triggers_hash'=> array(T_ZBX_STR, O_OPT, P_SYS, NOT_EMPTY,NULL),
+ 'print'=> array(T_ZBX_INT, O_OPT, P_SYS, IN('1'),NULL),
+
+// table sorting
 'sort'=> array(T_ZBX_STR, O_OPT, P_SYS, NULL,NULL),
 'sortorder'=> array(T_ZBX_STR, O_OPT, P_SYS, NULL,NULL)
 );
- function invalid_url(){
+ function invalid_url(){
 include_once "include/page_header.php";
 unset_all();
 show_error_message(S_INVALID_URL);
Index: frontends/php/include/classes/cform.inc.php
===================================================================
--- frontends/php/include/classes/cform.inc.php (revision 6620)
+++ frontends/php/include/classes/cform.inc.php (revision 6621)
@@ -22,46 +22,44 @@
 class CForm extends CTag{
 /* public */
 function CForm($action=NULL, $method='post', $enctype=NULL){
- parent::CTag("form","yes");
- $this->SetMethod($method);
- $this->SetAction($action);
- $this->SetEnctype($enctype);
+ parent::CTag('form','yes');
+ $this->setMethod($method);
+ $this->setAction($action);
+ $this->setEnctype($enctype);
+
+ $this->addVar('zbx_form', 'action');
+ $this->addVar('sessionid', $_COOKIE['zbx_sessionid']);
 }
- function SetMethod($value='post'){
+ function setMethod($value='post'){
 return $this->options['method'] = $value;
 }
- function SetAction($value){
+ function setAction($value){
 global $page;
 if(is_null($value)){
- if(isset($page['file'])){
- $value = $page['file'];
- }
- else{
- $value = "#";
- }
+ $value = isset($page['file'])?$page['file']:'#';
 }
 return $this->options['action'] = $value;
 }
- function SetEnctype($value=NULL){
+ function setEnctype($value=NULL){
 if(is_null($value)){
- return $this->DelOption("enctype");
+ return $this->DelOption('enctype');
 }
 else if(!is_string($value)){
 return $this->error("Incorrect value for SetEnctype [$value]");
 }
- return $this->AddOption("enctype",$value);
+ return $this->addOption('enctype',$value);
 }
- function AddVar($name, $value){
+ function addVar($name, $value){
 if(empty($value) && $value != 0) return $value;
- return $this->AddItem(new CVar($name, $value));
+ return $this->addItem(new CVar($name, $value));
 }
 }
 ?>
Index: frontends/php/include/classes/cformtable.inc.php
===================================================================
--- frontends/php/include/classes/cformtable.inc.php (revision 6620)
+++ frontends/php/include/classes/cformtable.inc.php (revision 6621)
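Review bot: `$this->addVar('sessionid', $_COOKIE['zbx_sessionid'])` copies the session cookie into a hidden field of every form, including any built with `$method='get'` (the constructor accepts it), where the value would travel in the query string and leak through Referer headers, browser history and access logs. Either limit the hidden token to post forms, `if($this->options['method'] == 'post') $this->addVar('sessionid', $_COOKIE['zbx_sessionid']);`, or confirm that no GET form carries P_ACT fields. Note also that this call runs inside the parent constructor, so for a `CFormTable` it dispatches to the overriding `addVar()` in cformtable.inc.php, which pushes onto `$this->top_items`; that array has to be initialised before `parent::CForm()` is reached, which the hunks below do not show, so it is worth checking. A one-line comment on the two `addVar` calls stating that they carry the CSRF token and marker would also help the next reader.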
@@ -46,48 +46,48 @@
 }
 parent::CForm($action,$method,$enctype);
- $this->SetTitle($title);
- $this->SetAlign('center');
- $this->SetHelp();
+ $this->setTitle($title);
+ $this->setAlign('center');
+ $this->setHelp();
 // $frm_link = new CLink();
-// $frm_link->SetName("formtable");
-// $this->AddItemToTopRow($frm_link);
+// $frm_link->setName("formtable");
+// $this->addItemToTopRow($frm_link);
- $this->AddVar($form_variable, get_request($form_variable, 1));
- $this->AddVar('form_refresh',get_request('form_refresh',0)+1);
+ $this->addVar($form_variable, get_request($form_variable, 1));
+ $this->addVar('form_refresh',get_request('form_refresh',0)+1);
 $this->bottom_items = new CCol(SPACE,'form_row_last');
- $this->bottom_items->SetColSpan(2);
+ $this->bottom_items->setColSpan(2);
 }
- function SetAction($value){
+ function setAction($value){
 if(is_string($value))
- return parent::SetAction($value);
+ return parent::setAction($value);
 elseif(is_null($value))
- return parent::SetAction($value);
+ return parent::setAction($value);
 else return $this->error("Incorrect value for SetAction [$value]");
 }
- function SetName($value){
+ function setName($value){
 if(!is_string($value)){
 return $this->error("Incorrect value for SetAlign [$value]");
 }
- $this->AddOption('name',$value);
- $this->AddOption('id',$value);
+ $this->addOption('name',$value);
+ $this->addOption('id',$value);
 return true;
 }
- function SetAlign($value){
+ function setAlign($value){
 if(!is_string($value)){
 return $this->error("Incorrect value for SetAlign [$value]");
 }
 return $this->align = $value;
 }
- function SetTitle($value=NULL){
+ function setTitle($value=NULL){
 if(is_null($value)){
 unset($this->title);
 return 0;
@@ -101,7 +101,7 @@
 $this->title = unpack_object($value);
 }
- function SetHelp($value=NULL){
+ function setHelp($value=NULL){
 if(is_null($value)) {
 $this->help = new CHelp();
 }
@@ -110,8 +110,8 @@
 }
 else if(is_string($value)) {
 $this->help = new CHelp($value);
- if($this->GetName()==NULL)
- $this->SetName($value);
+ if($this->getName()==NULL)
+ $this->setName($value);
 }
 else {
 return $this->error("Incorrect value for SetHelp [$value]");
@@ -119,21 +119,21 @@
 return 0;
 }
- function AddVar($name, $value){
- $this->AddItemToTopRow(new CVar($name, $value));
+ function addVar($name, $value){
+ $this->addItemToTopRow(new CVar($name, $value));
 }
- function AddItemToTopRow($value){
+ function addItemToTopRow($value){
 array_push($this->top_items, $value);
 }
- function AddRow($item1, $item2=NULL, $class=NULL){
+ function addRow($item1, $item2=NULL, $class=NULL){
 if(strtolower(get_class($item1)) == 'crow'){
 }
 else if(strtolower(get_class($item1)) == 'ctable'){
 $td = new CCol($item1,'form_row_c');
- $td->SetColSpan(2);
+ $td->setColSpan(2);
 $item1 = new CRow($td);
 }
@@ -157,7 +157,7 @@
 array_push($this->center_items, $item1);
 }
- function AddSpanRow($value, $class=NULL){
+ function addSpanRow($value, $class=NULL){
 if(is_string($value))
 $item1=nbsp($value);
@@ -165,16 +165,16 @@
 if(is_null($class)) $class = 'form_row_c';
 $col = new CCol($value,$class);
- $col->SetColSpan(2);
+ $col->setColSpan(2);
 array_push($this->center_items,new CRow($col));
 }
- function AddItemToBottomRow($value){
- $this->bottom_items->AddItem($value);
+ function addItemToBottomRow($value){
+ $this->bottom_items->addItem($value);
 }
- function SetTableClass($class){
+ function setTableClass($class){
 if(is_string($class)){
 $this->tableclass = $class;
 }
@@ -186,25 +186,25 @@
 $tbl = new CTable(NULL,$this->tableclass);
- $tbl->SetOddRowClass('form_odd_row');
- $tbl->SetEvenRowClass('form_even_row');
- $tbl->SetCellSpacing(0);
- $tbl->SetCellPadding(1);
- $tbl->SetAlign($this->align);
+ $tbl->setOddRowClass('form_odd_row');
+ $tbl->setEvenRowClass('form_even_row');
+ $tbl->setCellSpacing(0);
+ $tbl->setCellPadding(1);
+ $tbl->setAlign($this->align);
 # add first row
 $col = new CCol(NULL,'form_row_first');
- $col->SetColSpan(2);
+ $col->setColSpan(2);
- if(isset($this->help)) $col->AddItem($this->help);
- if(isset($this->title)) $col->AddItem($this->title);
- foreach($this->top_items as $item) $col->AddItem($item);
+ if(isset($this->help)) $col->addItem($this->help);
+ if(isset($this->title)) $col->addItem($this->title);
+ foreach($this->top_items as $item) $col->addItem($item);
- $tbl->SetHeader($col);
+ $tbl->setHeader($col);
 # add last row
- $tbl->SetFooter($this->bottom_items);
+ $tbl->setFooter($this->bottom_items);
 # add center rows
 foreach($this->center_items as $item){
- $tbl->AddRow($item);
+ $tbl->addRow($item);
 }
 return $tbl->ToString();
 }
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Obtained from svn://svn.zabbix.com/branches/1.6/frontends/php/
This hunk adds session identifier transmission during Ajax requests. It also reshuffles some JavaScript functions and adds many whitespace changes.
Index: frontends/php/js/cookies.js
===================================================================
--- frontends/php/js/cookies.js (revision 6622)
+++ frontends/php/js/cookies.js (revision 6623)
@@ -1,78 +0,0 @@ -//Javascript document -/* -** ZABBIX -** Copyright (C) 2000-2005 SIA Zabbix -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License as published by -** the Free Software Foundation; either version 2 of the License, or -** (at your option) any later version. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -**/ -// Title: cookies class -// Description: to manipulate cookies on client side -// Author: Aly - -var cookie ={ -cookies: new Array(), - -init: function () { - var allCookies = document.cookie.split('; '); - for (var i=0;i<allCookies.length;i++) { - var cookiePair = allCookies[i].split('='); - this.cookies[cookiePair[0]] = cookiePair[1]; - } -}, - -create: function (name,value,days) { - if(days) { - var date = new Date(); - date.setTime(date.getTime()+(days*24*60*60*1000)); - var expires = "; expires="+date.toGMTString(); - }else{ - var expires = ""; - } - - document.cookie = name+"="+value+expires+"; path=/"; - this.cookies[name] = value; -}, - -read : function(name){ - if(typeof(this.cookies[name]) != 'undefined'){ - return this.cookies[name]; - } else { - var nameEQ = name + "="; - var ca = document.cookie.split(';'); - for(var i=0;i < ca.length;i++) { - var c = ca[i]; - while (c.charAt(0)==' ') c = c.substring(1,c.length); - if(c.indexOf(nameEQ) == 0) return this.cookies[name] = c.substring(nameEQ.length,c.length); - } - } - return null; -}, - -printall: function() { - var allCookies = document.cookie.split('; '); - for (var i=0;i<allCookies.length;i++) { - var 
cookiePair = allCookies[i].split('='); - - alert("[" + cookiePair[0] + "] is " + cookiePair[1]); // assumes print is already defined - } -}, - -erase: function (name) { - this.create(name,'',-1); - this.cookies[name] = undefined; -} -} - -cookie.init(); \ No newline at end of file Index: frontends/php/js/url.js =================================================================== --- frontends/php/js/url.js (revision 6622) +++ frontends/php/js/url.js (revision 6623) 
@@ -1,256 +0,0 @@ -// JavaScript Document -/* -** ZABBIX -** Copyright (C) 2000-2007 SIA Zabbix -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License as published by -** the Free Software Foundation; either version 2 of the License, or -** (at your option) any later version. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -** -*/ - -// Title: url manipulation class -// Author: Aly - - -var url = Class.create(); - -url.prototype = { -url: '', // actually, it's depricated/private variable -port: -1, -host: '', -protocol: '', -username: '', -password: '', -filr: '', -reference: '', -path: '', -query: '', -arguments: new Array(), - -initialize: function(url){ - this.url=unescape(url); - - this.query=(this.url.indexOf('?')>=0)?this.url.substring(this.url.indexOf('?')+1):''; - if(this.query.indexOf('#')>=0) this.query=this.query.substring(0,this.query.indexOf('#')); - - var protocolSepIndex=this.url.indexOf('://'); - if(protocolSepIndex>=0){ - this.protocol=this.url.substring(0,protocolSepIndex).toLowerCase(); - this.host=this.url.substring(protocolSepIndex+3); - if(this.host.indexOf('/')>=0) this.host=this.host.substring(0,this.host.indexOf('/')); - var atIndex=this.host.indexOf('@'); - if(atIndex>=0){ - var credentials=this.host.substring(0,atIndex); - var colonIndex=credentials.indexOf(':'); - if(colonIndex>=0){ - this.username=credentials.substring(0,colonIndex); - this.password=credentials.substring(colonIndex); - }else{ - this.username=credentials; - } - 
this.host=this.host.substring(atIndex+1); - } - - var host_ipv6 = this.host.indexOf(']'); - if(host_ipv6>=0){ - if(host_ipv6 < (this.host.length-1)){ - host_ipv6++; - var host_less = this.host.substring(host_ipv6); - - var portColonIndex=host_less.indexOf(':'); - if(portColonIndex>=0){ - this.port=host_less.substring(portColonIndex+1); - this.host=this.host.substring(0,host_ipv6); - } - } - } - else{ - var portColonIndex=this.host.indexOf(':'); - if(portColonIndex>=0){ - this.port=this.host.substring(portColonIndex+1); - this.host=this.host.substring(0,portColonIndex); - } - } - this.file=this.url.substring(protocolSepIndex+3); - this.file=this.file.substring(this.file.indexOf('/')); - }else{ - this.file=this.url; - } - if(this.file.indexOf('?')>=0) this.file=this.file.substring(0, this.file.indexOf('?')); - - var refSepIndex=url.indexOf('#'); - if(refSepIndex>=0){ - this.file=this.file.substring(0,refSepIndex); - this.reference=this.url.substring(this.url.indexOf('#')); - } - this.path=this.file; - if(this.query.length>0) this.file+='?'+this.query; - if(this.reference.length>0) this.file+='#'+this.reference; - if(this.query.length > 0) this.getArguments(); -}, - -getArguments: function(){ - var args=this.query.split('&'); - var keyval=''; - - if(args.length<1) return; - - for(i=0;i<args.length;i++){ - keyval=args[i].split('='); - this.arguments[i] = new Array(keyval[0],(keyval.length==1)?keyval[0]:keyval[1]); - } -}, - -getArgumentValue: function(key){ - if(key.length<1) return ''; - for(i=0; i < this.arguments.length; i++){ - if(this.arguments[i][0] == key) return this.arguments[i][1]; - } - -return ''; -}, - -getArgumentValues: function(){ - var a=new Array(); - var b=this.query.split('&'); - var c=''; - if(b.length<1) return a; - for(i=0;i<b.length;i++){ - c=b[i].split('='); - a[i]=new Array(c[0],((c.length==1)?c[0]:c[1])); - } -return a; -}, - -getUrl: function(){ - var uri = (this.protocol.length > 0)?(this.protocol+'://'):''; - uri += 
encodeURI((this.username.length > 0)?(this.username):''); - uri += encodeURI((this.password.length > 0)?(':'+this.password):''); - uri += (this.host.length > 0)?(this.host):''; - uri += (this.port.length > 0)?(':'+this.port):''; - uri += encodeURI((this.path.length > 0)?(this.path):''); - uri += encodeURI((this.query.length > 0)?('?'+this.query):''); - uri += encodeURI((this.reference.length > 0)?('#'+this.reference):''); -// alert(uri.getProtocol()+' : '+uri.getHost()+' : '+uri.getPort()+' : '+uri.getPath()+' : '+uri.getQuery()); -return uri; -}, - -setArgument: function(key,value){ - - var valueisset = false; - if(typeof(key) == 'undefined') throw 'Invalid argument past for setArgument'; - - value =('undefined' != typeof(value))?value:''; - - for(i=0; i < this.arguments.length; i++){ - if(this.arguments[i][0] == key){ - valueisset = true; - this.arguments[i][1] = value; - } - } - if(!valueisset) this.arguments[this.arguments.length] = new Array(key,value); - this.formatQuery(); -}, - -formatQuery: function(){ - if(this.arguments.lenght < 1) return; - - var query = ''; - for(i=0; i < this.arguments.length; i++){ - query+=this.arguments[i][0]+'='+this.arguments[i][1]+'&'; - } - this.query = query.substring(0,query.length-1); -}, - -getPort: function(){ - return this.port; -}, - -setPort: function(port){ - this.port = port; -}, - -getQuery: function(){ - return this.query; -}, - -setQuery: function(query){ - this.query = query; - this.getArgumentValues(); - this.formatQuery(); -}, - -/* Returns the protocol of this URL, i.e. 'http' in the url 'http://server/' */ -getProtocol: function(){ - return this.protocol; -}, - -setProtocol: function(protocol){ - this.protocol = protocol; -}, -/* Returns the host name of this URL, i.e. 'server.com' in the url 'http://server.com/' */ -getHost: function(){ - return this.host; -}, - -setHost: function(set){ - this.host = host; -}, - -/* Returns the user name part of this URL, i.e. 
'joe' in the url 'http://joe@server.com/' */
-getUserName: function(){
- return this.username;
-},
-
-setUserName: function(username){
- this.username = username;
-},
-
-/* Returns the password part of this url, i.e. 'secret' in the url 'http://joe:secret@server.com/' */
-getPassword: function(){
- return this.password;
-},
-
-setPassword: function(password){
- this.password = password;
-},
-
-/* Returns the file part of this url, i.e. everything after the host name. */
-getFile: function(){
- return this.file = file;
-},
-
-setFile: function(file){
- this.file = file;
-},
-
-/* Returns the reference of this url, i.e. 'bookmark' in the url 'http://server/file.html#bookmark' */
-getReference: function(){
- return this.reference;
-},
-
-setReference: function(reference){
- this.reference = reference;
-},
-
-/* Returns the file path of this url, i.e. '/dir/file.html' in the url 'http://server/dir/file.html' */
-getPath: function(){
- return this.path;
-},
-
-setPath: function(path){
- this.path = path;
-}
-
-}
\ No newline at end of file
Index: frontends/php/js/updater.js
===================================================================
--- frontends/php/js/updater.js (revision 6622)
+++ frontends/php/js/updater.js (revision 6623)
@@ -27,7 +27,7 @@
 setObj4Update: function(id,frequency,url,params){
 var obj = document.getElementById(id);
- if((typeof(obj) == 'undefined')) return false;
+ if(typeof(obj) == 'undefined') return false;
 var obj4update = {
 'id': id,
@@ -65,7 +65,9 @@
 obj4update.ready = false;
 var uri = new url(obj4update.url);
- new Ajax.Updater(obj4update.id, obj4update.url,
+ uri.setArgument('sessionid', cookie.read('zbx_sessionid'));
+
+ new Ajax.Updater(obj4update.id, uri.getUrl(),//obj4update.url,
 { method: 'post',
 'parameters': obj4update.params,
Index: frontends/php/js/gpc.js
===================================================================
--- frontends/php/js/gpc.js (revision 0)
+++ frontends/php/js/gpc.js (revision 6623)
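Review bot: `if(typeof(obj) == 'undefined') return false;` in `setObj4Update` can never fire, because `document.getElementById()` returns `null` for a missing element and `typeof null` is `'object'`, so a bad id falls through to the updater setup. The parenthesis cleanup keeps that dead check; `if(obj == null) return false;` (or `if(!obj)`) is what the guard is meant to do. The enclosing function continues outside the hunk.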
@@ -0,0 +1,315 @@ +//Javascript document +/* +** ZABBIX +** Copyright (C) 2000-2009 SIA Zabbix +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License as published by +** the Free Software Foundation; either version 2 of the License, or +** (at your option) any later version. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +**/ + +// Title: cookies class +// Description: to manipulate cookies on client side +// Author: Aly +var cookie ={ +cookies: new Array(), + +init: function () { + var allCookies = document.cookie.split('; '); + for (var i=0;i<allCookies.length;i++) { + var cookiePair = allCookies[i].split('='); + this.cookies[cookiePair[0]] = cookiePair[1]; + } +}, + +create: function (name,value,days) { + if(days) { + var date = new Date(); + date.setTime(date.getTime()+(days*24*60*60*1000)); + var expires = "; expires="+date.toGMTString(); + } + else{ + var expires = ""; + } + + document.cookie = name+"="+value+expires+"; path=/"; + this.cookies[name] = value; +}, + +read : function(name){ + if(typeof(this.cookies[name]) != 'undefined'){ + return this.cookies[name]; + } + else { + var nameEQ = name + "="; + var ca = document.cookie.split(';'); + for(var i=0;i < ca.length;i++) { + var c = ca[i]; + while (c.charAt(0)==' ') c = c.substring(1,c.length); + if(c.indexOf(nameEQ) == 0) return this.cookies[name] = c.substring(nameEQ.length,c.length); + } + } + return null; +}, + +printall: function() { + var allCookies = document.cookie.split('; '); + for(var i=0;i<allCookies.length;i++){ + var 
cookiePair = allCookies[i].split('='); + + alert("[" + cookiePair[0] + "] is " + cookiePair[1]); // assumes print is already defined + } +}, + +erase: function (name) { + this.create(name,'',-1); + this.cookies[name] = undefined; +} +} + +cookie.init(); + + + +// Title: url manipulation class +// Author: Aly +var url = Class.create(); + +url.prototype = { +url: '', // actually, it's depricated/private variable +port: -1, +host: '', +protocol: '', +username: '', +password: '', +filr: '', +reference: '', +path: '', +query: '', +arguments: new Array(), + +initialize: function(url){ + this.url=unescape(url); + + this.query=(this.url.indexOf('?')>=0)?this.url.substring(this.url.indexOf('?')+1):''; + if(this.query.indexOf('#')>=0) this.query=this.query.substring(0,this.query.indexOf('#')); + + var protocolSepIndex=this.url.indexOf('://'); + if(protocolSepIndex>=0){ + this.protocol=this.url.substring(0,protocolSepIndex).toLowerCase(); + this.host=this.url.substring(protocolSepIndex+3); + if(this.host.indexOf('/')>=0) this.host=this.host.substring(0,this.host.indexOf('/')); + var atIndex=this.host.indexOf('@'); + if(atIndex>=0){ + var credentials=this.host.substring(0,atIndex); + var colonIndex=credentials.indexOf(':'); + if(colonIndex>=0){ + this.username=credentials.substring(0,colonIndex); + this.password=credentials.substring(colonIndex); + }else{ + this.username=credentials; + } + this.host=this.host.substring(atIndex+1); + } + + var host_ipv6 = this.host.indexOf(']'); + if(host_ipv6>=0){ + if(host_ipv6 < (this.host.length-1)){ + host_ipv6++; + var host_less = this.host.substring(host_ipv6); + + var portColonIndex=host_less.indexOf(':'); + if(portColonIndex>=0){ + this.port=host_less.substring(portColonIndex+1); + this.host=this.host.substring(0,host_ipv6); + } + } + } + else{ + var portColonIndex=this.host.indexOf(':'); + if(portColonIndex>=0){ + this.port=this.host.substring(portColonIndex+1); + this.host=this.host.substring(0,portColonIndex); + } + } + 
this.file=this.url.substring(protocolSepIndex+3); + this.file=this.file.substring(this.file.indexOf('/')); + }else{ + this.file=this.url; + } + if(this.file.indexOf('?')>=0) this.file=this.file.substring(0, this.file.indexOf('?')); + + var refSepIndex=url.indexOf('#'); + if(refSepIndex>=0){ + this.file=this.file.substring(0,refSepIndex); + this.reference=this.url.substring(this.url.indexOf('#')); + } + this.path=this.file; + if(this.query.length>0) this.file+='?'+this.query; + if(this.reference.length>0) this.file+='#'+this.reference; + if(this.query.length > 0) this.getArguments(); +}, + +getArguments: function(){ + var args=this.query.split('&'); + var keyval=''; + + if(args.length<1) return; + + for(i=0;i<args.length;i++){ + keyval=args[i].split('='); + this.arguments[i] = new Array(keyval[0],(keyval.length==1)?keyval[0]:keyval[1]); + } +}, + +getArgumentValue: function(key){ + if(key.length<1) return ''; + for(i=0; i < this.arguments.length; i++){ + if(this.arguments[i][0] == key) return this.arguments[i][1]; + } + +return ''; +}, + +getArgumentValues: function(){ + var a=new Array(); + var b=this.query.split('&'); + var c=''; + if(b.length<1) return a; + for(i=0;i<b.length;i++){ + c=b[i].split('='); + a[i]=new Array(c[0],((c.length==1)?c[0]:c[1])); + } +return a; +}, + +getUrl: function(){ + var uri = (this.protocol.length > 0)?(this.protocol+'://'):''; + uri += encodeURI((this.username.length > 0)?(this.username):''); + uri += encodeURI((this.password.length > 0)?(':'+this.password):''); + uri += (this.host.length > 0)?(this.host):''; + uri += (this.port.length > 0)?(':'+this.port):''; + uri += encodeURI((this.path.length > 0)?(this.path):''); + uri += encodeURI((this.query.length > 0)?('?'+this.query):''); + uri += encodeURI((this.reference.length > 0)?('#'+this.reference):''); +// alert(uri.getProtocol()+' : '+uri.getHost()+' : '+uri.getPort()+' : '+uri.getPath()+' : '+uri.getQuery()); +return uri; +}, + +setArgument: function(key,value){ + + var valueisset 
= false; + if(typeof(key) == 'undefined') throw 'Invalid argument past for setArgument'; + + value =('undefined' != typeof(value))?value:''; + + for(i=0; i < this.arguments.length; i++){ + if(this.arguments[i][0] == key){ + valueisset = true; + this.arguments[i][1] = value; + } + } + if(!valueisset) this.arguments[this.arguments.length] = new Array(key,value); + this.formatQuery(); +}, + +formatQuery: function(){ + if(this.arguments.lenght < 1) return; + + var query = ''; + for(i=0; i < this.arguments.length; i++){ + query+=this.arguments[i][0]+'='+this.arguments[i][1]+'&'; + } + this.query = query.substring(0,query.length-1); +}, + +getPort: function(){ + return this.port; +}, + +setPort: function(port){ + this.port = port; +}, + +getQuery: function(){ + return this.query; +}, + +setQuery: function(query){ + this.query = query; + this.getArgumentValues(); + this.formatQuery(); +}, + +/* Returns the protocol of this URL, i.e. 'http' in the url 'http://server/' */ +getProtocol: function(){ + return this.protocol; +}, + +setProtocol: function(protocol){ + this.protocol = protocol; +}, +/* Returns the host name of this URL, i.e. 'server.com' in the url 'http://server.com/' */ +getHost: function(){ + return this.host; +}, + +setHost: function(set){ + this.host = host; +}, + +/* Returns the user name part of this URL, i.e. 'joe' in the url 'http://joe@server.com/' */ +getUserName: function(){ + return this.username; +}, + +setUserName: function(username){ + this.username = username; +}, + +/* Returns the password part of this url, i.e. 'secret' in the url 'http://joe:secret@server.com/' */ +getPassword: function(){ + return this.password; +}, + +setPassword: function(password){ + this.password = password; +}, + +/* Returns the file part of this url, i.e. everything after the host name. */ +getFile: function(){ + return this.file = file; +}, + +setFile: function(file){ + this.file = file; +}, + +/* Returns the reference of this url, i.e. 
'bookmark' in the url 'http://server/file.html#bookmark' */
+getReference: function(){
+ return this.reference;
+},
+
+setReference: function(reference){
+ this.reference = reference;
+},
+
+/* Returns the file path of this url, i.e. '/dir/file.html' in the url 'http://server/dir/file.html' */
+getPath: function(){
+ return this.path;
+},
+
+setPath: function(path){
+ this.path = path;
+}
+}
\ No newline at end of file
Index: frontends/php/js/ajax_req.js
===================================================================
--- frontends/php/js/ajax_req.js (revision 6622)
+++ frontends/php/js/ajax_req.js (revision 6623)
@@ -19,6 +19,8 @@
 **/
 function send_params(params){
+ if(typeof(params) == 'undefined') var params = new Array();
+ params['sessionid'] = cookie.read('zbx_sessionid');
 var uri = new url(location.href);
 new Ajax.Request(uri.getPath()+"?output=ajax",
Index: frontends/php/dashboard.php
===================================================================
--- frontends/php/dashboard.php (revision 6622)
+++ frontends/php/dashboard.php (revision 6623)
@@ -42,8 +42,8 @@
 'view_style'=> array(T_ZBX_INT, O_OPT, P_SYS, IN('0,1'), NULL),
 'type'=> array(T_ZBX_INT, O_OPT, P_SYS, IN('0,1'), NULL),
- 'output'=> array(T_ZBX_STR, O_OPT, P_ACT, NULL, NULL),
- 'jsscriptid'=> array(T_ZBX_STR, O_OPT, P_ACT, NULL, NULL),
+ 'output'=> array(T_ZBX_STR, O_OPT, P_SYS, NULL, NULL),
+ 'jsscriptid'=> array(T_ZBX_STR, O_OPT, P_SYS, NULL, NULL),
 'fullscreen'=> array(T_ZBX_INT, O_OPT, P_SYS, IN('0,1'), NULL),
 //ajax
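Review bot: The moved `url` class brings its defects into gpc.js at the moment `setArgument()`/`getUrl()` become the path that attaches the session token to Ajax URLs: `setHost: function(set){ this.host = host; }` assigns the undeclared `host` instead of `set`, `getFile()` returns `this.file = file` with `file` undefined, `formatQuery()` tests `this.arguments.lenght` (typo, so its early return never fires), and the `for(i=0; ...)` loops in `getArguments`, `getArgumentValue`, `getArgumentValues`, `setArgument` and `formatQuery` write a global `i`. The one-line fixes are `this.host = set;`, `return this.file;`, `this.arguments.length` and `for(var i=0; ...)`, and the `filr: ''` prototype property looks like a typo for `file`. Separately, `cookie.read()` hands back the raw cookie text with no URL-decoding and `null` when the cookie is absent, so the callers that splice it into a request (ajax_req.js, updater.js) will send the literal string `null` in that case; presumably harmless once the server validates it as HEX, but a guard in the callers would make the unauthenticated case explicit.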
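Review bot: `if(typeof(params) == 'undefined') var params = new Array();` re-declares the parameter (a no-op declaration that only works because `var` is hoisted) and uses an Array as a string-keyed map; `if(typeof(params) == 'undefined') params = {};` is the plain-object form that `Ajax.Request`'s `parameters` option is documented to take. Since `cookie.read()` returns `null` when the cookie is missing, `params['sessionid']` is then serialised as the string `null` rather than omitted, which is worth guarding with `if(cookie.read('zbx_sessionid') != null)` around the assignment. `send_params` continues past the hunk.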
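Review bot: Dropping `P_ACT` from `output` and `jsscriptid` takes those two fields out of the token check, so whether the dashboard's favourite handling (`if(isset($_REQUEST['favobj']))` in the next hunk) still requires `sessionid` now depends entirely on the fields declared after the `//ajax` comment, which are outside this hunk. Confirm those keep `P_ACT`; otherwise the Ajax path that ajax_req.js now decorates with `sessionid` is guarded by nothing on the server side. A comment on the two lines, e.g. `// P_SYS: output/jsscriptid only select the response format; the state-changing fields below carry P_ACT`, would document the intent.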
@@ -56,7 +56,7 @@
 );
 check_fields($fields);
-
+
 $available_hosts = get_accessible_hosts_by_user($USER_DETAILS,PERM_READ_ONLY, PERM_RES_IDS_ARRAY);
 // ACTION /////////////////////////////////////////////////////////////////////////////
 if(isset($_REQUEST['favobj'])){
Index: frontends/php/include/page_header.php
===================================================================
--- frontends/php/include/page_header.php (revision 6622)
+++ frontends/php/include/page_header.php (revision 6623)
@@ -428,8 +428,8 @@
 <script type="text/javascript" src="js/prototype.js"></script>
 <script type="text/javascript" src="js/common.js"></script>
+<script type="text/javascript" src="js/gpc.js"></script>
 <script type="text/javascript" src="js/ajax_req.js"></script>
-<script type="text/javascript" src="js/url.js"></script>
 <script type="text/javascript" src="js/chkbxrange.js"></script>
 <?php
 if(isset($page['scripts']) && is_array($page['scripts'])){
Index: frontends/php/include/validate.inc.php
===================================================================
--- frontends/php/include/validate.inc.php (revision 6622)
+++ frontends/php/include/validate.inc.php (revision 6623)
@@ -432,7 +432,7 @@
 if(!isset($_REQUEST[$field])){
 return ZBX_VALID_OK;
 }
- else if(($flags&P_ACT) && !isset($_REQUEST['sessionid'])){
+ else if(($flags&P_ACT) && !isset($_REQUEST['sessionid'])){
 return ZBX_VALID_ERROR;
 }
 }
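Review bot: The rewritten condition only checks that a `sessionid` parameter exists; nothing here compares it with the cookie, and the actual binding happens in perm.inc.php, where the request value is used as the session identifier so that a wrong token simply yields no logged-in user. That cross-file dependency should be stated next to the check, e.g. `// CSRF guard: P_ACT fields are honoured only when the request repeats the session id; perm.inc.php authenticates from that value, so a guessed one yields no session`. Bear in mind that `$_REQUEST` is assembled according to the `request_order`/`variables_order` ini settings, so which sources can populate this key varies by deployment; the enclosing function starts and ends outside the hunk.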
@@ -465,8 +465,7 @@
 // VAR TYPE OPTIONAL FLAGS VALIDATION EXCEPTION
 $system_fields=array(
- 'sessionid'=> array(T_ZBX_STR, O_OPT, P_SYS, HEX(), 'isset({zbx_form})'),
- 'zbx_form'=> array(T_ZBX_STR, O_OPT, P_SYS, NOT_EMPTY, NULL),
+ 'sessionid'=> array(T_ZBX_STR, O_OPT, P_SYS, HEX(), NULL),
 //
 'switch_node'=> array(T_ZBX_INT, O_OPT, P_SYS, DB_ID,NULL),
 'triggers_hash'=> array(T_ZBX_STR, O_OPT, P_SYS, NOT_EMPTY,NULL),
Index: frontends/php/include/classes/ctree.inc.php
===================================================================
--- frontends/php/include/classes/ctree.inc.php (revision 6622)
+++ frontends/php/include/classes/ctree.inc.php (revision 6623)
@@ -214,7 +214,6 @@
 global $page;
 $js = '
 <script src="js/tree.js" type="text/javascript"></script>
- <script src="js/cookies.js" type="text/javascript"></script>
 <script type="text/javascript">
 var treenode = new Array(0);
 var tree_name = "tree_'.$this->getUserAlias().'_'.$page["file"].'";
Index: frontends/php/include/classes/cform.inc.php
===================================================================
--- frontends/php/include/classes/cform.inc.php (revision 6622)
+++ frontends/php/include/classes/cform.inc.php (revision 6623)
@@ -27,7 +27,6 @@
 $this->setAction($action);
 $this->setEnctype($enctype);
- $this->addVar('zbx_form', 'action');
 $this->addVar('sessionid', $_COOKIE['zbx_sessionid']);
 }
Index: frontends/php/index.php
===================================================================
--- frontends/php/index.php (revision 6622)
+++ frontends/php/index.php (revision 6623)
@@ -33,8 +33,8 @@ "password"=> array(T_ZBX_STR, O_OPT, NULL, NULL, 'isset({enter})'), "sessionid"=> array(T_ZBX_STR, O_OPT, NULL, NULL, NULL), "message"=> array(T_ZBX_STR, O_OPT, NULL, NULL, NULL), - "reconnect"=> array(T_ZBX_INT, O_OPT, P_ACT, BETWEEN(0,65535),NULL), - "enter"=> array(T_ZBX_STR, O_OPT, P_SYS|P_ACT, NULL, NULL), + "reconnect"=> array(T_ZBX_INT, O_OPT, NULL, BETWEEN(0,65535),NULL), + "enter"=> array(T_ZBX_STR, O_OPT, P_SYS, NULL, NULL), "form"=> array(T_ZBX_STR, O_OPT, P_SYS, NULL, NULL), "form_refresh"=> array(T_ZBX_INT, O_OPT, NULL, NULL, NULL) ); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Obtained from svn://svn.zabbix.com/branches/1.6/frontends/php/ Checks if 'zbx_sessionid' cookie is really here before setting 'sessionid' variable. Index: frontends/php/include/classes/cform.inc.php =================================================================== --- frontends/php/include/classes/cform.inc.php (revision 6624) +++ frontends/php/include/classes/cform.inc.php (revision 6625) @@ -27,7 +27,8 @@ $this->setAction($action); $this->setEnctype($enctype); - $this->addVar('sessionid', $_COOKIE['zbx_sessionid']); + if(isset($_COOKIE['zbx_sessionid'])) + $this->addVar('sessionid', $_COOKIE['zbx_sessionid']); } function setMethod($value='post'){ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Obtained from svn://svn.zabbix.com/branches/1.6/frontends/php/ This hunk basically trades the name 'sessionid' for 'sid'. It also reshuffles many functions, adds many whitespace changes and implants URL manipulation tools for JavaScript. Index: frontends/php/users.php =================================================================== --- frontends/php/users.php (revision 6643) +++ frontends/php/users.php (revision 6644) 
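Review bot: Removing P_ACT from `enter` and `reconnect` exempts the login POST from the sid check, which is necessary because no session cookie exists before login, but it leaves the login form itself open to cross-site submission (login CSRF); record the reason next to the table, e.g. `// no session before login: P_ACT (sid check) cannot apply to 'enter'`, and consider a pre-login nonce later. In the cform.inc.php hunk on the same line the isset() guard fixes the undefined-index notice, but a form rendered without the cookie now carries no `sessionid` at all, so its P_ACT submit is rejected by validate.inc.php rather than redirected to login; that is acceptable only if every such page already requires authentication, which is not visible here.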
@@ -1,7 +1,7 @@ <?php /* ** ZABBIX -** Copyright (C) 2000-2005 SIA Zabbix +** Copyright (C) 2000-2009 SIA Zabbix ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License as published by @@ -24,6 +24,7 @@ require_once('include/media.inc.php'); require_once('include/users.inc.php'); require_once('include/forms.inc.php'); + require_once('include/classes/curl.inc.php'); require_once('include/js.inc.php'); $page['title'] = 'S_USERS'; @@ -32,7 +33,6 @@ $page['scripts'] = array('menu_scripts.js'); include_once('include/page_header.php'); - ?> <?php $_REQUEST['config']=get_request('config',get_profile('web.users.config',0)); Index: frontends/php/js/menu.js =================================================================== --- frontends/php/js/menu.js (revision 6643) +++ frontends/php/js/menu.js (revision 6644) @@ -386,8 +386,13 @@ this.n_y -= this.getprop('height') * (o_parent.a_config.length - item_offset); } + if(!is_null(this.a_config[1]) && (this.a_config[1].indexOf('javascript') == -1)){ + var uri = new url(this.a_config[1]); + this.a_config[1] = uri.getUrl(); + } + // generate item's HMTL - var el = document.createElement("a"); + var el = document.createElement('a'); el.setAttribute('id', 'e' + o_root.n_id + '_' + this.n_id + 'o'); el.setAttribute('href', this.a_config[1]); Index: frontends/php/js/updater.js =================================================================== --- frontends/php/js/updater.js (revision 6643) +++ frontends/php/js/updater.js (revision 6644) @@ -65,8 +65,6 @@ obj4update.ready = false; var uri = new url(obj4update.url); - uri.setArgument('sessionid', cookie.read('zbx_sessionid')); - new Ajax.Updater(obj4update.id, uri.getUrl(),//obj4update.url, { method: 'post', Index: frontends/php/js/gpc.js =================================================================== --- frontends/php/js/gpc.js (revision 6643) +++ frontends/php/js/gpc.js (revision 6644) 
@@ -96,7 +96,7 @@ reference: '', path: '', query: '', -arguments: new Array(), +arguments: {}, initialize: function(url){ this.url=unescape(url); @@ -116,7 +116,8 @@ if(colonIndex>=0){ this.username=credentials.substring(0,colonIndex); this.password=credentials.substring(colonIndex); - }else{ + } + else{ this.username=credentials; } this.host=this.host.substring(atIndex+1); @@ -144,9 +145,11 @@ } this.file=this.url.substring(protocolSepIndex+3); this.file=this.file.substring(this.file.indexOf('/')); - }else{ + } + else{ this.file=this.url; } + if(this.file.indexOf('?')>=0) this.file=this.file.substring(0, this.file.indexOf('?')); var refSepIndex=url.indexOf('#'); 
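Review bot: `arguments: {}` in the first hunk sits on the class definition, so if this is a Prototype.js `Class.create` object every `url` instance shares the same object; `formatArguments` and `setArgument` in the later hunks write into it with `this.arguments[key] = ...` and never reassign `this.arguments`, so query parameters from one URL leak into every other URL built on the page, including the `sid` written by initialize. Reset it per instance at the top of initialize: `this.arguments = {};`. The previous `new Array()` had the same sharing problem, so this is not a regression, but the new code now relies on the object being per-instance.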
@@ -157,42 +160,51 @@ this.path=this.file; if(this.query.length>0) this.file+='?'+this.query; if(this.reference.length>0) this.file+='#'+this.reference; - if(this.query.length > 0) this.getArguments(); + if(this.query.length > 0) this.formatArguments(); + + var sid = cookie.read('zbx_sessionid'); + this.setArgument('sid', sid.substring(16)); }, -getArguments: function(){ + +formatQuery: function(){ + if(this.arguments.lenght < 1) return; + + var query = ''; + for(var key in this.arguments){ + if(typeof(this.arguments[key]) != 'undefined'){ + query+=key+'='+this.arguments[key]+'&'; + } + } + this.query = query.substring(0,query.length-1); +}, + +formatArguments: function(){ var args=this.query.split('&'); var keyval=''; - + if(args.length<1) return; - for(i=0;i<args.length;i++){ - keyval=args[i].split('='); - this.arguments[i] = new Array(keyval[0],(keyval.length==1)?keyval[0]:keyval[1]); + for(i=0; i<args.length; i++){ + keyval = args[i].split('='); + this.arguments[keyval[0]] = (keyval.length>1)?keyval[1]:''; } }, -getArgumentValue: function(key){ - if(key.length<1) return ''; - for(i=0; i < this.arguments.length; i++){ - if(this.arguments[i][0] == key) return this.arguments[i][1]; - } - -return ''; +setArgument: function(key,value){ + this.arguments[key] = value; + this.formatQuery(); }, -getArgumentValues: function(){ - var a=new Array(); - var b=this.query.split('&'); - var c=''; - if(b.length<1) return a; - for(i=0;i<b.length;i++){ - c=b[i].split('='); - a[i]=new Array(c[0],((c.length==1)?c[0]:c[1])); - } -return a; +getArgument: function(key){ + if(typeof(this.arguments[key]) != 'undefined') return this.arguments[key]; + else return null; }, +getArguments: function(){ + return this.arguments; +}, + getUrl: function(){ var uri = (this.protocol.length > 0)?(this.protocol+'://'):''; uri += encodeURI((this.username.length > 0)?(this.username):''); 
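Review bot: `sid.substring(16)` in initialize (and again in setQuery in the next hunk) takes everything after index 16, while the PHP side in validate.inc.php compares against `substr($_COOKIE['zbx_sessionid'],16,16)`; the two agree only when the cookie is exactly 32 characters, so use `sid.substring(16, 32)` or a shared length constant. When the zbx_sessionid cookie is absent, `cookie.read` presumably returns null and `.substring` throws, aborting URL construction for every link on the page; guard it: `var sid = cookie.read('zbx_sessionid'); if(sid) this.setArgument('sid', sid.substring(16, 32));`. In formatQuery `this.arguments.lenght` is misspelled and a plain object has no length anyway, so the early return is dead code; the `for(i=0; ...)` loop in formatArguments also leaks `i` into the global scope and should declare `var i`.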
@@ -206,51 +218,30 @@ return uri; }, -setArgument: function(key,value){ - - var valueisset = false; - if(typeof(key) == 'undefined') throw 'Invalid argument past for setArgument'; - - value =('undefined' != typeof(value))?value:''; - - for(i=0; i < this.arguments.length; i++){ - if(this.arguments[i][0] == key){ - valueisset = true; - this.arguments[i][1] = value; - } - } - if(!valueisset) this.arguments[this.arguments.length] = new Array(key,value); - this.formatQuery(); +setPort: function(port){ + this.port = port; }, -formatQuery: function(){ - if(this.arguments.lenght < 1) return; - - var query = ''; - for(i=0; i < this.arguments.length; i++){ - query+=this.arguments[i][0]+'='+this.arguments[i][1]+'&'; - } - this.query = query.substring(0,query.length-1); -}, - getPort: function(){ return this.port; }, -setPort: function(port){ - this.port = port; +setQuery: function(query){ + this.query = query; + if(this.query.indexOf('?')>=0){ + this.query= this.query.substring(this.query.indexOf('?')+1); + } + + this.formatArguments(); + + var sid = cookie.read('zbx_sessionid'); + this.setArgument('sid', sid.substring(16)); }, getQuery: function(){ return this.query; }, -setQuery: function(query){ - this.query = query; - this.getArgumentValues(); - this.formatQuery(); -}, - /* Returns the protocol of this URL, i.e. 'http' in the url 'http://server/' */ getProtocol: function(){ return this.protocol; @@ -264,7 +255,7 @@ return this.host; }, -setHost: function(set){ +setHost: function(host){ this.host = host; }, @@ -288,7 +279,7 @@ /* Returns the file part of this url, i.e. everything after the host name. */ getFile: function(){ - return this.file = file; + return this.file; }, setFile: function(file){ Index: frontends/php/js/menu_scripts.js =================================================================== --- frontends/php/js/menu_scripts.js (revision 6643) +++ frontends/php/js/menu_scripts.js (revision 6644) 
@@ -64,7 +64,7 @@ for(var i=0; i < menu_usrgrp_gui.length; i++){ if((typeof(menu_usrgrp_gui[i]) != 'undefined') && !empty(menu_usrgrp_gui[i])){ var row = menu_usrgrp_gui[i]; - var menu_row = new Array(row.name,"users.php?config=0&form=update&grpaction=1&userid="+userid+"&usrgrpid="+row.usrgrpid); + var menu_row = new Array(row.name,'users.php?config=0&form=update&grpaction=1&userid='+userid+'&usrgrpid='+row.usrgrpid); grp_gui_add_to.push(menu_row); } } @@ -73,7 +73,7 @@ for(var i=0; i < usr_grp_gui_in.length; i++){ if((typeof(usr_grp_all_in[i]) != 'undefined') && !empty(usr_grp_gui_in[i])){ var row = usr_grp_gui_in[i]; - var menu_row = new Array(row.name,"users.php?config=0&form=update&grpaction=0&userid="+userid+"&usrgrpid="+row.usrgrpid); + var menu_row = new Array(row.name,'users.php?config=0&form=update&grpaction=0&userid='+userid+'&usrgrpid='+row.usrgrpid); grp_gui_rmv_frm.push(menu_row); } } @@ -89,7 +89,7 @@ for(var i=0; i < menu_usrgrp_status.length; i++){ if((typeof(menu_usrgrp_status[i]) != 'undefined') && !empty(menu_usrgrp_status[i])){ var row = menu_usrgrp_status[i]; - var menu_row = new Array(row.name,"users.php?config=0&form=update&grpaction=1&userid="+userid+"&usrgrpid="+row.usrgrpid); + var menu_row = new Array(row.name,'users.php?config=0&form=update&grpaction=1&userid='+userid+'&usrgrpid='+row.usrgrpid); grp_status_add_to.push(menu_row); } } 
@@ -98,7 +98,7 @@ for(var i=0; i < usr_grp_status_in.length; i++){ if((typeof(usr_grp_status_in[i]) != 'undefined') && !empty(usr_grp_status_in[i])){ var row = usr_grp_status_in[i]; - var menu_row = new Array(row.name,"users.php?config=0&form=update&grpaction=0&userid="+userid+"&usrgrpid="+row.usrgrpid); + var menu_row = new Array(row.name,'users.php?config=0&form=update&grpaction=0&userid='+userid+'&usrgrpid='+row.usrgrpid); grp_status_rmv_frm.push(menu_row); } } Index: frontends/php/js/common.js =================================================================== --- frontends/php/js/common.js (revision 6643) +++ frontends/php/js/common.js (revision 6644) @@ -82,6 +82,16 @@ div_help.appendChild(document.createElement("br")); } +function SDJ(obj){ + var debug = ''; + for(var key in obj) { + var value = obj[key]; + debug+=key+': '+value+'\n'; + } + SDI('\n'+debug); +} + + /// Alpha-Betic sorting function addListener(element, eventname, expression, bubbling){ Index: frontends/php/js/ajax_req.js =================================================================== --- frontends/php/js/ajax_req.js (revision 6643) +++ frontends/php/js/ajax_req.js (revision 6644) @@ -20,14 +20,16 @@ function send_params(params){ if(typeof(params) == 'undefined') var params = new Array(); - params['sessionid'] = cookie.read('zbx_sessionid'); var uri = new url(location.href); - new Ajax.Request(uri.getPath()+"?output=ajax", + uri.setQuery('?output=ajax'); + + new Ajax.Request(uri.getUrl(), { 'method': 'post', 'parameters':params, - 'onSuccess': function(resp){ },//alert(resp.responseText); + 'onSuccess': function(resp){ }, +// 'onSuccess': function(resp){ alert(resp.responseText); }, 'onFailure': function(){ document.location = uri.getPath()+'?'+Object.toQueryString(params); } } ); Index: frontends/php/dashboard.php =================================================================== --- frontends/php/dashboard.php (revision 6643) +++ frontends/php/dashboard.php (revision 6644) 
@@ -54,7 +54,7 @@ 'action'=> array(T_ZBX_STR, O_OPT, P_ACT, IN("'add','remove'"),NULL), 'state'=> array(T_ZBX_INT, O_OPT, P_ACT, NOT_EMPTY, 'isset({favobj}) && ("hat"=={favobj})'), ); - + check_fields($fields); $available_hosts = get_accessible_hosts_by_user($USER_DETAILS,PERM_READ_ONLY, PERM_RES_IDS_ARRAY); @@ -179,11 +179,11 @@ $p_elements = array(); // Header - $url = '?fullscreen='.($_REQUEST['fullscreen']?'0':'1'); + $url = new Curl('?fullscreen='.($_REQUEST['fullscreen']?'0':'1')); $fs_icon = new CDiv(SPACE,'fullscreen'); $fs_icon->AddOption('title',$_REQUEST['fullscreen']?S_NORMAL.' '.S_VIEW:S_FULLSCREEN); - $fs_icon->AddAction('onclick',new CScript("javascript: document.location = '".$url."';")); + $fs_icon->AddAction('onclick',new CScript("javascript: document.location = '".$url->getUrl()."';")); //------------- $left_tab = new CTable(); Index: frontends/php/include/func.inc.php =================================================================== --- frontends/php/include/func.inc.php (revision 6643) +++ frontends/php/include/func.inc.php (revision 6644) @@ -344,6 +344,18 @@ return $pos; } +function zbx_substring($haystack, $start, $end=null){ + if($end < $start) return ''; + + $len = zbx_strlen($haystack); + if(is_null($end)) + $result = substr($haystack, $start); + else + $result = substr($haystack, $start, ($end - $start)); + +return $result; +} + function uint_in_array($needle,$haystack){ foreach($haystack as $id => $value) if(bccomp($needle,$value) == 0) return true; Index: frontends/php/include/screens.inc.php =================================================================== --- frontends/php/include/screens.inc.php (revision 6643) +++ frontends/php/include/screens.inc.php (revision 6644) 
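Review bot: `$url->getUrl()` is concatenated into the inline handler `"javascript: document.location = '".$url->getUrl()."';"` without escaping for a JavaScript string literal; Curl seeds its arguments from the current request and its formatQuery does not URL-encode them, so a single quote in any request parameter value terminates the literal. Escape the value for a JS-string context before concatenation (at minimum `addslashes`, better a dedicated JS-string escaper) and URL-encode in Curl::formatQuery. The enclosing function continues outside the hunk.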
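Review bot: `if($end < $start) return '';` in zbx_substring misfires for the `$end=null` default: PHP compares null with an int as booleans, so `zbx_substring($s, 3)` returns '' instead of `substr($s, 3)`; change it to `if(!is_null($end) && $end < $start) return '';`. `$len = zbx_strlen($haystack);` is assigned and never used and can be dropped. A one-line docblock such as `// substring by [start, end) offsets; $end=null means to the end of the string` would make the contract explicit, since the name suggests a length-based API.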
@@ -886,7 +886,7 @@ $action = 'screenedit.php?form=update'.url_param('screenid').'&x='.$c.'&y='.$r.'#form'; else $action = NULL; - + if($editmode == 1 && isset($_REQUEST["form"]) && isset($_REQUEST["x"]) && $_REQUEST["x"]==$c && isset($_REQUEST["y"]) && $_REQUEST["y"]==$r) Index: frontends/php/include/perm.inc.php =================================================================== --- frontends/php/include/perm.inc.php (revision 6643) +++ frontends/php/include/perm.inc.php (revision 6644) @@ -44,7 +44,7 @@ $USER_DETAILS = NULL; $login = FALSE; - $sessionid = get_request('sessionid',get_cookie('zbx_sessionid')); + $sessionid = get_cookie('zbx_sessionid'); if(!is_null($sessionid)){ $sql = 'SELECT u.*,s.* '. Index: frontends/php/include/config.inc.php =================================================================== --- frontends/php/include/config.inc.php (revision 6643) +++ frontends/php/include/config.inc.php (revision 6644) @@ -65,6 +65,7 @@ require_once('include/classes/cpumenu.inc.php'); require_once('include/classes/graph.inc.php'); require_once('include/classes/cscript.inc.php'); + require_once('include/classes/curl.inc.php'); // Include Tactical Overview modules Index: frontends/php/include/validate.inc.php =================================================================== --- frontends/php/include/validate.inc.php (revision 6643) +++ frontends/php/include/validate.inc.php (revision 6644) @@ -432,8 +432,13 @@ if(!isset($_REQUEST[$field])){ return ZBX_VALID_OK; } - else if(($flags&P_ACT) && !isset($_REQUEST['sessionid'])){ - return ZBX_VALID_ERROR; + else if($flags&P_ACT){ + if(!isset($_REQUEST['sid'])){ + return ZBX_VALID_ERROR; + } + else if(isset($_COOKIE['zbx_sessionid']) && ($_REQUEST['sid'] != substr($_COOKIE['zbx_sessionid'],16,16))){ + return ZBX_VALID_ERROR; + } } } 
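Review bot: The sid comparison `$_REQUEST['sid'] != substr($_COOKIE['zbx_sessionid'],16,16)` is skipped whenever the cookie is absent, so a request with no session cookie but any `sid` value passes this check and reaches the action handler; whether it is then stopped depends on perm.inc.php (whose cookie-only lookup is on the same line) rejecting the unauthenticated user on every P_ACT page, which is not visible here. Make the check unconditional and strict: `if(!isset($_REQUEST['sid'], $_COOKIE['zbx_sessionid']) || $_REQUEST['sid'] !== substr($_COOKIE['zbx_sessionid'],16,16)) return ZBX_VALID_ERROR;`. Note also that the token is half of the session identifier and is now embedded in every generated URL, so it leaks through Referer headers and access logs; a separately generated per-session token would avoid exposing session material. `$_REQUEST` merges cookie values under the default request_order, so reading `$_GET`/`$_POST` explicitly is safer for this comparison.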
@@ -465,7 +470,7 @@ // VAR TYPE OPTIONAL FLAGS VALIDATION EXCEPTION $system_fields=array( - 'sessionid'=> array(T_ZBX_STR, O_OPT, P_SYS, HEX(), NULL), + 'sid'=> array(T_ZBX_STR, O_OPT, P_SYS, HEX(), NULL), // 'switch_node'=> array(T_ZBX_INT, O_OPT, P_SYS, DB_ID,NULL), 'triggers_hash'=> array(T_ZBX_STR, O_OPT, P_SYS, NOT_EMPTY,NULL), Index: frontends/php/include/classes/clink.inc.php =================================================================== --- frontends/php/include/classes/clink.inc.php (revision 6643) +++ frontends/php/include/classes/clink.inc.php (revision 6644) @@ -19,12 +19,14 @@ **/ ?> <?php - class CLink extends CTag - { + class CLink extends CTag{ /* public */ function CLink($item=NULL,$url=NULL,$class=NULL,$action=NULL){ parent::CTag('a','yes'); - + + $uri = new Curl($url); + $url = $uri->getUrl(); + $this->tag_start= ''; $this->tag_end = ''; $this->tag_body_start = ''; @@ -36,14 +38,14 @@ if(!is_null($action)) $this->SetAction($action); } - function SetAction($value=NULL){ + function setAction($value=NULL){ if(is_null($value)) return $this->options['action'] = $page['file']; return parent::AddAction('onclick', $value); } - function SetUrl($value){ + function setUrl($value){ $this->AddOption('href', $value); } @@ -54,7 +56,7 @@ return null; } - function SetTarget($value=NULL){ + function setTarget($value=NULL){ if(is_null($value)){ unset($this->options['target']); } Index: frontends/php/include/classes/curl.inc.php =================================================================== --- frontends/php/include/classes/curl.inc.php (revision 0) +++ frontends/php/include/classes/curl.inc.php (revision 6644) 
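Review bot: In CLink's constructor, `new Curl($url)` with the default `$url=NULL` takes Curl's empty-url branch, which rebuilds a URL from the current `$_REQUEST`, so a link created without a URL presumably becomes a self-link carrying every request parameter (including cookie-sourced ones under the default request_order); either document that or only rewrite when a URL was given: `if(!is_null($url)){ $uri = new Curl($url); $url = $uri->getUrl(); }`. The rest of the constructor, where `$url` is presumably applied via setUrl, lies outside the hunk.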
@@ -0,0 +1,273 @@ +<?php +/* +** ZABBIX +** Copyright (C) 2000-2005 SIA Zabbix +** +** $this program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License as published by +** the Free Software Foundation; either version 2 of the License, or +** (at your option) any later version. +** +** $this program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with $this program; if not, write to the Free Software +** Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +**/ +?> +<?php +// Title: url manipulation class +// Author: Aly + +class Curl{ +/* +private $url = ''; // actually, it's depricated/private variable +private $port = false; +private $host = ''; +private $protocol = ''; +private $username = ''; +private $password = ''; +private $filr = ''; +private $reference = ''; +private $path = ''; +private $query = ''; +private $arguments = array(); +//*/ + +function curl($url=null){ + global $USER_DETAILS; + + $this->url = ''; // actually, it's depricated/private variable + $this->port = false; + $this->host = ''; + $this->protocol = ''; + $this->username = ''; + $this->password = ''; + $this->filr = ''; + $this->reference = ''; + $this->path = ''; + $this->query = ''; + $this->arguments = array(); + + if(empty($url)){ + $this->formatArguments(); + $this->url = $url = 'http://'.$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME'].'?'.$this->getQuery(); + } + else{ + $this->url=urldecode($url); + + $tmp_pos = strpos($this->url,'?'); + $this->query=($tmp_pos!==false)?(substr($this->url,$tmp_pos+1)):''; + + $tmp_pos = strpos($this->query,'#'); + if($tmp_pos!==false) $this->query=zbx_substring($this->query,0,$tmp_pos); + + 
$this->formatArguments($this->query); + } + + $protocolSepIndex=strpos($this->url,'://'); + if($protocolSepIndex!==false){ + $this->protocol= strtolower(zbx_substring($this->url,0,$protocolSepIndex)); + + $this->host=substr($this->url, $protocolSepIndex+3); + + $tmp_pos = strpos($this->host,'/'); + if($tmp_pos!==false) $this->host=zbx_substring($this->host,0,$tmp_pos); + + $atIndex=strpos($this->host,'@'); + if($atIndex!==false){ + $credentials=zbx_substring($this->host,0,$atIndex); + + $colonIndex=strpos(credentials,':'); + if($colonIndex!==false){ + $this->username=zbx_substring($credentials,0,$colonIndex); + $this->password=substr($credentials,$colonIndex); + } + else{ + $this->username=$credentials; + } + $this->host=substr($this->host,$atIndex+1); + } + + $host_ipv6 = strpos($this->host,']'); + if($host_ipv6!==false){ + if($host_ipv6 < (zbx_strlen($this->host)-1)){ + $host_ipv6++; + $host_less = substr($this->host,$host_ipv6); + + $portColonIndex=strpos($host_less,':'); + if($portColonIndex!==false){ + $this->host=zbx_substring($this->host,0,$host_ipv6); + $this->port=substr($host_less,$portColonIndex+1); + } + } + } + else{ + $portColonIndex=strpos($this->host,':'); + if($portColonIndex!==false){ + $this->host=zbx_substring($this->host,0,$portColonIndex); + $this->port=substr($this->host,$portColonIndex+1); + } + } + + $this->file = substr($this->url,$protocolSepIndex+3); + $this->file = substr($this->file, strpos($this->file,'/')); + } + else{ + $this->file = $this->url; + } + + $tmp_pos = strpos($this->file,'?'); + if($tmp_pos!==false) $this->file=zbx_substring($this->file, 0, $tmp_pos); + + $refSepIndex=strpos($url,'#'); + if($refSepIndex!==false){ + $this->file = zbx_substring($this->file,0,$refSepIndex); + $this->reference = substr($url,strpos($url,'#')+1); + } + + $this->path=$this->file; + if(zbx_strlen($this->query)>0) $this->file.='?'.$this->query; + if(zbx_strlen($this->reference)>0) $this->file.='#'.$this->reference; + + 
if(isset($_COOKIE['zbx_sessionid'])) + $this->setArgument('sid', substr($_COOKIE['zbx_sessionid'],16,16)); +} + +function formatQuery(){ + $query = ''; + foreach($this->arguments as $key => $value){ + $query.= $key.'='.$value.'&'; + } + $this->query = rtrim($query,'&'); +} + +function formatArguments($query=null){ + if(is_null($query)){ + $this->arguments = $_REQUEST; + } + else{ + $query=ltrim($query,'?'); + $args = explode('&',$query); + foreach($args as $id => $arg){ + if(empty($arg)) continue; + + $tmp = explode('=',$arg); + $this->arguments[$tmp[0]] = isset($tmp[1])?$tmp[1]:''; + } + } + $this->formatQuery(); +} + +function getUrl(){ + $url = (zbx_strlen($this->protocol) > 0)?($this->protocol.'://'):''; + $url .= (zbx_strlen($this->username) > 0)?$this->username:''; + $url .= (zbx_strlen($this->password) > 0)?':'.$this->password:''; + $url .= (zbx_strlen($this->host) > 0)?$this->host:''; + $url .= $this->port?(':'.$this->port):''; + $url .= (zbx_strlen($this->path) > 0)?$this->path:''; + $url .= (zbx_strlen($this->query) > 0)?('?'.$this->query):''; + $url .= (zbx_strlen($this->reference) > 0)?('#'.urlencode($this->reference)):''; + +//SDI($this->getProtocol().' : '.$this->getHost().' : '.$this->getPort().' : '.$this->getPath().' : '.$this->getQuery()); +return $url; +} + +function setPort($port){ + $this->port = $port; +} + +function getPort(){ + return $this->port; +} + +function setArgument($key,$value=''){ + $this->arguments[$key] = $value; + $this->formatQuery(); +} + +function getArgument($key){ + if(isset($this->arguments[$key])) return $this->arguments[$key]; + else return NULL; +} + +function setQuery($query){ + $this->query = $query; + $this->formatArguments(); + $this->formatQuery(); +} + +function getQuery(){ + return $this->query; +} + +function setProtocol($protocol){ + $this->protocol = $protocol; +} + +/* Returns the protocol of $this URL, i.e. 
'http' in the url 'http://server/' */ +function getProtocol(){ + return $this->protocol; +} + +function setHost($host){ + $this->host = $host; +} + +/* Returns the host name of $this URL, i.e. 'server.com' in the url 'http://server.com/' */ +function getHost(){ + return $this->host; +} + +function setUserName($username){ + $this->username = $username; +} + +/* Returns the user name part of $this URL, i.e. 'joe' in the url 'http://joe@server.com/' */ +function getUserName(){ + return $this->username; +} + +function setPassword($password){ + $this->password = $password; +} + +/* Returns the password part of $this url, i.e. 'secret' in the url 'http://joe:secret@server.com/' */ +function getPassword(){ + return $this->password; +} + +function setFile($file){ + $this->file = $file; +} + +/* Returns the file part of $this url, i.e. everything after the host name. */ +function getFile(){ + return $this->file; +} + +function setReference($reference){ + $this->reference = $reference; +} + +/* Returns the reference of $this url, i.e. 'bookmark' in the url 'http://server/file.html#bookmark' */ +function getReference(){ + return $this->reference; +} + +function setPath($path){ + $this->path = $path; +} + +/* Returns the file path of $this url, i.e. '/dir/file.html' in the url 'http://server/dir/file.html' */ +function getPath(){ + return $this->path; +} + +function toString(){ + return $this->getUrl(); +} +} \ No newline at end of file Index: frontends/php/include/classes/cform.inc.php =================================================================== --- frontends/php/include/classes/cform.inc.php (revision 6643) +++ frontends/php/include/classes/cform.inc.php (revision 6644) 
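Review bot: formatQuery re-emits every argument as `$key.'='.$value` without urlencode(), and the constructor's empty-url branch seeds `$this->arguments` from the whole of `$_REQUEST`, so any parameter of the current request is copied verbatim into the URLs that CLink places in href attributes and dashboard.php places in an inline script; encode keys and values in formatQuery (below) and prefer `$_GET` over `$_REQUEST` there unless POST and cookie values are meant to be replayed into links. In the userinfo branch `strpos(credentials,':')` uses a bare constant instead of `$credentials`, so username/password splitting never works, and `substr($credentials,$colonIndex)` keeps the colon that getUrl adds again. In the non-IPv6 port branch the host is truncated before the port is read from it, so `$this->port` is always empty — swap the two assignments. `$this->filr` is a typo for `$this->file`, and the `#` handling applies `$refSepIndex`, an offset into `$url`, to `$this->file`, whose query part has already been stripped.
```php
function formatQuery(){
	$pairs = array();
	foreach($this->arguments as $key => $value){
		if(is_array($value)) continue; // nested parameters are not representable here
		// encode both sides so request-supplied values cannot break out of the query string
		$pairs[] = urlencode($key).'='.urlencode($value);
	}
	$this->query = implode('&', $pairs);
}
```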
@@ -28,7 +28,7 @@
 $this->setEnctype($enctype);
 if(isset($_COOKIE['zbx_sessionid']))
- $this->addVar('sessionid', $_COOKIE['zbx_sessionid']);
+ $this->addVar('sid', substr($_COOKIE['zbx_sessionid'],16,16));
 }
 function setMethod($value='post'){
Index: frontends/php/include/classes/ctag.inc.php
===================================================================
--- frontends/php/include/classes/ctag.inc.php (revision 6643)
+++ frontends/php/include/classes/ctag.inc.php (revision 6644)
@@ -1,7 +1,7 @@
 <?php
 /*
 ** ZABBIX
-** Copyright (C) 2000-2005 SIA Zabbix
+** Copyright (C) 2000-2009 SIA Zabbix
 **
 ** This program is free software; you can redistribute it and/or modify
 ** it under the terms of the GNU General Public License as published by
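Review bot: `substr($_COOKIE['zbx_sessionid'],16,16)` is now computed here, in validate.inc.php and in Curl's constructor; factor the token derivation into one helper so its length and source can change in a single place, e.g. `function zbx_csrf_token(){ return isset($_COOKIE['zbx_sessionid']) ? substr($_COOKIE['zbx_sessionid'],16,16) : null; }` (name constructed for illustration). The JavaScript side in gpc.js derives the same value with `substring(16)`, so a single documented definition of the token format would also keep the two in step.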
@@ -19,272 +19,258 @@ **/ ?> <?php - function destroy_objects() - { - global $GLOBALS; - - if(isset($GLOBALS)) foreach($GLOBALS as $name => $value) - { - if(!is_object($GLOBALS[$name])) continue; - unset($GLOBALS[$name]); - } +function destroy_objects(){ + if(isset($GLOBALS)) foreach($GLOBALS as $name => $value){ + if(!is_object($GLOBALS[$name])) continue; + unset($GLOBALS[$name]); } - - function unpack_object(&$item) - { - $res = ""; +} - if(is_object($item)) - { - $res = $item->ToString(false); - } - elseif(is_array($item)) - { - foreach($item as $id => $dat) - $res .= unpack_object($item[$id]); // Attention, recursion !!! - } - elseif(!is_null($item)) - { - $res = strval($item); - unset($item); - } - return $res; +function unpack_object(&$item){ + $res = ''; + + if(is_object($item)){ + $res = $item->toString(false); } + else if(is_array($item)){ + foreach($item as $id => $dat) + $res .= unpack_object($item[$id]); // Attention, recursion !!! + } + else if(!is_null($item)){ + $res = strval($item); + unset($item); + } +return $res; +} - function implode_objects($glue, &$pieces) - { - if( !is_array($pieces) ) return unpack_object($pieces); +function implode_objects($glue, &$pieces){ + if( !is_array($pieces) ) return unpack_object($pieces); - foreach($pieces as $id => $piece) - $pieces[$id] = unpack_object($piece); + foreach($pieces as $id => $piece) + $pieces[$id] = unpack_object($piece); - return implode($glue, $pieces); - } +return implode($glue, $pieces); +} - class CObject - { - function CObject($items=null) - { - $this->items = array(); - if(isset($items)) - { - $this->AddItem($items); - } +class CObject{ + function CObject($items=null){ + $this->items = array(); + if(isset($items)){ + $this->addItem($items); } - - function ToString($destroy=true) - { - $res = implode('',$this->items); - if($destroy) $this->Destroy(); - return $res; - } + } + + function toString($destroy=true){ + $res = implode('',$this->items); + if($destroy) $this->destroy(); + return $res; + 
} - function Show($destroy=true){ - echo $this->ToString($destroy); - } + function show($destroy=true){ + echo $this->toString($destroy); + } - function Destroy() - { + function destroy(){ // TODO Problem under PHP 5.0 "Fatal error: Cannot re-assign $this in ..." // $this = null; - $this->CleanItems(); - } + $this->cleanItems(); + } - function CleanItems(){ - $this->items = array(); + function cleanItems(){ + $this->items = array(); + } + + function itemsCount(){ + return count($this->items); + } + + function addItem($value){ + + if(is_object($value)){ + array_push($this->items,unpack_object($value)); } - - function ItemsCount(){ - return count($this->items); + else if(is_string($value)){ + array_push($this->items,str_replace(array('<','>','"'),array('<','>','"'),$value)); +// array_push($this->items,htmlspecialchars($value)); } - - function AddItem($value){ - - if(is_object($value)){ - array_push($this->items,unpack_object($value)); + else if(is_array($value)){ + foreach($value as $item){ + $this->addItem($item); // Attention, recursion !!! } - else if(is_string($value)){ - array_push($this->items,str_replace(array('<','>','"'),array('<','>','"'),$value)); -// array_push($this->items,htmlspecialchars($value)); - } - else if(is_array($value)){ - foreach($value as $item){ - $this->AddItem($item); // Attention, recursion !!! 
- } - } - else if(!is_null($value)){ - array_push($this->items,unpack_object($value)); - } } + else if(!is_null($value)){ + array_push($this->items,unpack_object($value)); + } } +} - class CTag extends CObject{ +class CTag extends CObject{ /* private *//* - var $tagname; - var $options = array(); - var $paired;*/ + var $tagname; + var $options = array(); + var $paired;*/ /* protected *//* - var $items = array(); + var $items = array(); - var $tag_body_start; - var $tag_body_end; - var $tag_start; - var $tag_end;*/ + var $tag_body_start; + var $tag_body_end; + var $tag_start; + var $tag_end;*/ /* public */ - function CTag($tagname=NULL, $paired='no', $body=NULL, $class=null){ - parent::CObject(); + function CTag($tagname=NULL, $paired='no', $body=NULL, $class=null){ + parent::CObject(); - $this->options = array(); + $this->options = array(); - if(!is_string($tagname)){ - return $this->error('Incorrect tagname for CTag ['.$tagname.']'); - } - - $this->tagname = $tagname; - $this->paired = $paired; - - $this->tag_start = $this->tag_end = $this->tag_body_start = $this->tag_body_end = ''; - - if(is_null($body)){ - $this->tag_end = $this->tag_body_start = "\n"; - } - else{ - CTag::AddItem($body); - } - - $this->SetClass($class); + if(!is_string($tagname)){ + return $this->error('Incorrect tagname for CTag ['.$tagname.']'); } - function ShowStart() { echo $this->StartToString(); } - function ShowBody() { echo $this->BodyToString(); } - function ShowEnd() { echo $this->EndToString(); } + $this->tagname = $tagname; + $this->paired = $paired; - function StartToString(){ - $res = $this->tag_start.'<'.$this->tagname; - foreach($this->options as $key => $value){ - $res .= ' '.$key.'="'.$value.'"'; - } - $res .= ($this->paired=='yes')?'>':' />'; - return $res; - } + $this->tag_start = $this->tag_end = $this->tag_body_start = $this->tag_body_end = ''; - function BodyToString(){ - $res = $this->tag_body_start; - return $res.parent::ToString(false); - - /*foreach($this->items as 
$item) - $res .= $item; - return $res;*/
Responsible Changed From-To: freebsd-ports-bugs->miwi miwi@ wants his PRs (via the GNATS Auto Assign Tool)
Maintainer of net-mgmt/zabbix, Please note that PR ports/132944 has just been submitted. If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it. The full text of the PR can be found at: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/132944 -- Edwin Groothuis via the GNATS Auto Assign Tool edwin@FreeBSD.org
State Changed From-To: open->feedback Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
miwi 2009-03-23 15:06:19 UTC FreeBSD ports repository Modified files: net-mgmt/zabbix Makefile pkg-plist net-mgmt/zabbix-agent Makefile Added files: net-mgmt/zabbix/files patch-USH-162.1 patch-USH-162.2 Log: - Fix zabbix -- php frontend multiple vulnerabilities Note: Input appended to and passed via the "extlang" parameter to the "calc_exp2()" function in include/validate.inc.php is not properly sanitised before being used. This can be exploited to inject and execute arbitrary PHP code. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create users by enticing a logged in administrator to visit a malicious web page. Input passed to the "srclang" parameter in locales.php (when "next" is set to a non-NULL value) is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes. - Bump PORTREVISION PR: 132944 Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> (many thanks!) Approved by: maintainer timeout (security 1 day) Security: http://www.vuxml.org/freebsd/03140526-1250-11de-a964-0030843d3802.html Revision Changes Path 1.25 +1 -2 ports/net-mgmt/zabbix-agent/Makefile 1.61 +2 -2 ports/net-mgmt/zabbix/Makefile 1.1 +135 -0 ports/net-mgmt/zabbix/files/patch-USH-162.1 (new) 1.1 +2622 -0 ports/net-mgmt/zabbix/files/patch-USH-162.2 (new) 1.20 +2 -2 ports/net-mgmt/zabbix/pkg-plist _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: feedback->closed Committed. Many thanks for your good job! Thanks!