
Commit 9cbd266

fix(validation): add gfrv() calls for id and action fields in bulk handlers
All three action-save blocks (save_associate, save_templates, save_tholds) now call get_filter_request_var() for id, notification_action, notification_warning_action, and notification_alert_action before consuming those values via get_request_var() in prepared-statement params. Add inline comment on all RLIKE db_qstr() sites documenting the dual guard: FILTER_VALIDATE_IS_REGEX pre-validates; db_qstr() SQL-escapes. Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
1 parent 9eee922 commit 9cbd266

1 file changed

Lines changed: 15 additions & 0 deletions


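--- a/notify_lists.php
+++ b/notify_lists.php
@@ -255,7 +255,10 @@ function form_actions() {
 
 if (isset_request_var('save_associate')) {
 if ($selected_items != false) {
+get_filter_request_var('id');
 get_filter_request_var('notification_action');
+get_filter_request_var('notification_warning_action');
+get_filter_request_var('notification_alert_action');
 
 if (get_request_var('drp_action') == '1') { // associate
 for ($i = 0; ($i < cacti_sizeof($selected_items)); $i++) {
@@ -397,7 +400,10 @@ function form_actions() {
 
 if (isset_request_var('save_templates')) {
 if ($selected_items != false) {
+get_filter_request_var('id');
 get_filter_request_var('notification_action');
+get_filter_request_var('notification_warning_action');
+get_filter_request_var('notification_alert_action');
 
 if (get_request_var('drp_action') == '1') { // associate
 for ($i = 0; ($i < cacti_sizeof($selected_items)); $i++) {
@@ -484,7 +490,10 @@ function form_actions() {
 
 if (isset_request_var('save_tholds')) {
 if ($selected_items != false) {
+get_filter_request_var('id');
 get_filter_request_var('notification_action');
+get_filter_request_var('notification_warning_action');
+get_filter_request_var('notification_alert_action');
 
 if (get_request_var('drp_action') == '1') { // associate
 for ($i = 0; ($i < cacti_sizeof($selected_items)); $i++) {
@@ -1449,6 +1458,8 @@ function tholds($header_label) {
 }
 
 if (strlen(get_request_var('rfilter'))) {
+// rfilter is pre-validated as a legal PHP regex by FILTER_VALIDATE_IS_REGEX in the
+// request validation array; db_qstr() SQL-escapes the already-validated value.
 $sql_where .= (!strlen($sql_where) ? '' : ' AND ') . 'td.name_cache RLIKE ' . db_qstr(get_request_var('rfilter'));
 }
 
@@ -1789,6 +1800,8 @@ function templates($header_label) {
 }
 
 if (strlen(get_request_var('rfilter'))) {
+// rfilter is pre-validated as a legal PHP regex by FILTER_VALIDATE_IS_REGEX in the
+// request validation array; db_qstr() SQL-escapes the already-validated value.
 $sql_where .= (!strlen($sql_where) ? 'WHERE ' : ' AND ') . 'thold_template.name RLIKE ' . db_qstr(get_request_var('rfilter'));
 }
 
@@ -2193,6 +2206,8 @@ function clearFilter() {
 
 // form the 'where' clause for our main sql query
 if (strlen(get_request_var('rfilter'))) {
+// rfilter is pre-validated as a legal PHP regex by FILTER_VALIDATE_IS_REGEX in the
+// request validation array; db_qstr() SQL-escapes the already-validated value.
 $sql_where = 'WHERE (
 name RLIKE ' . db_qstr(get_request_var('rfilter')) . '
 OR description RLIKE ' . db_qstr(get_request_var('rfilter')) . '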
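Review bot: The comment added at the three rfilter sites (the tholds hunk, the templates hunk, and this last one) overstates what the pre-validation guarantees: FILTER_VALIDATE_IS_REGEX only checks that the value compiles as a PHP/PCRE pattern, while RLIKE is evaluated by the database's own regex engine, so a pattern that passes the PHP filter can still be rejected or interpreted differently at query time; db_qstr() is what keeps the value inside the string literal, independent of that filter. I would reword it as `// rfilter passes FILTER_VALIDATE_IS_REGEX (PCRE syntax) in the request validation array and db_qstr() quotes it so it cannot escape the string literal; RLIKE uses the DB engine's own regex dialect, so a PCRE-valid pattern may still fail at query time.` The validation array itself is not in this diff, so the "pre-validated" claim should be confirmed against it, including whether a length cap is applied, since an unbounded user-supplied pattern fed to RLIKE is a query-cost concern rather than an injection one. Each of these if-blocks sits inside a function whose body starts and ends outside its hunk.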
