
Commit a80884d

fix(security): wrap AJAX URL params with encodeURIComponent
Prevents open redirect via URL manipulation in JS filter forms. Affects thold.php, thold_graph.php, notify_lists.php, notify_queue.php, thold_templates.php, and thold_webapi.php.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
1 parent 15fc4eb commit a80884d

6 files changed

Lines changed: 68 additions & 59 deletions


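--- a/notify_lists.php
+++ b/notify_lists.php
@@ -147,6 +147,15 @@ function form_actions() {
 
 // ================= input validation =================
 get_filter_request_var('drp_action');
+
+$valid_actions = array_keys($actions + $assoc_actions);
+
+if (!in_array(get_request_var('drp_action'), $valid_actions, true) &&
+!in_array((int) get_request_var('drp_action'), $valid_actions, true)) {
+raise_message(40);
+header('Location: notify_lists.php');
+exit;
+}
 // ====================================================
 
 // if we are to save this form, instead of display it
@@ -1181,11 +1190,11 @@ function hosts($header_label) {
 
 function applyFilter() {
 strURL = '?header=false&action=edit&id=<?php print get_request_var('id'); ?>'
-strURL += '&rows=' + $('#rows').val();
-strURL += '&host_template_id=' + $('#host_template_id').val();
-strURL += '&site_id=' + $('#site_id').val();
+strURL += '&rows=' + encodeURIComponent($('#rows').val());
+strURL += '&host_template_id=' + encodeURIComponent($('#host_template_id').val());
+strURL += '&site_id=' + encodeURIComponent($('#site_id').val());
 strURL += '&associated=' + $('#associated').is(':checked');
-strURL += '&rfilter=' + base64_encode($('#rfilter').val());
+strURL += '&rfilter=' + encodeURIComponent(base64_encode($('#rfilter').val()));
 loadPageNoHeader(strURL);
 }
 
@@ -1551,11 +1560,11 @@ function tholds($header_label) {
 function applyFilter() {
 strURL = 'notify_lists.php?header=false&action=edit&tab=tholds&id=<?php print get_request_var('id'); ?>'
 strURL += '&associated=' + $('#associated').is(':checked');
-strURL += '&state=' + $('#state').val();
-strURL += '&site_id=' + $('#site_id').val();
-strURL += '&rows=' + $('#rows').val();
-strURL += '&template=' + $('#template').val();
-strURL += '&rfilter=' + base64_encode($('#rfilter').val());
+strURL += '&state=' + encodeURIComponent($('#state').val());
+strURL += '&site_id=' + encodeURIComponent($('#site_id').val());
+strURL += '&rows=' + encodeURIComponent($('#rows').val());
+strURL += '&template=' + encodeURIComponent($('#template').val());
+strURL += '&rfilter=' + encodeURIComponent(base64_encode($('#rfilter').val()));
 loadPageNoHeader(strURL);
 }
 
@@ -1840,8 +1849,8 @@ function templates($header_label) {
 function applyFilter() {
 strURL = 'notify_lists.php?header=false&action=edit&tab=templates&id=<?php print get_request_var('id'); ?>'
 strURL += '&associated=' + $('#associated').is(':checked');
-strURL += '&rows=' + $('#rows').val();
-strURL += '&rfilter=' + base64_encode($('#rfilter').val());
+strURL += '&rows=' + encodeURIComponent($('#rows').val());
+strURL += '&rfilter=' + encodeURIComponent(base64_encode($('#rfilter').val()));
 loadPageNoHeader(strURL);
 }
 
@@ -2159,8 +2168,8 @@ function lists() {
 
 function applyFilter() {
 strURL = 'notify_lists.php?header=false';
-strURL += '&rows=' + $('#rows').val();
-strURL += '&rfilter=' + base64_encode($('#rfilter').val());
+strURL += '&rows=' + encodeURIComponent($('#rows').val());
+strURL += '&rfilter=' + encodeURIComponent(base64_encode($('#rfilter').val()));
 loadPageNoHeader(strURL);
 }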
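Review bot: The `id` value on the `strURL = '?header=false&action=edit&id=<?php print get_request_var('id'); ?>'` line of each applyFilter (hosts, tholds and templates hunks) is still printed into the JavaScript string server-side without any encoding, so the commit encodes the browser-side inputs but leaves the one PHP-injected value untouched. If `id` has already been filtered to an integer earlier in these functions this is harmless, but that call is outside the hunks; a cheap belt-and-braces is `id=<?php print (int) get_request_var('id'); ?>`. In the form_actions hunk, the `(int)` fallback means any non-numeric `drp_action` string is compared as action `0`, which is only safe if `0` is never a key of `$actions` or `$assoc_actions` — both arrays are defined outside the hunk, so worth confirming. form_actions and the three filter functions all continue outside their hunks.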

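--- a/notify_queue.php
+++ b/notify_queue.php
@@ -318,10 +318,10 @@ function notify_queue() {
 
 function applyFilter() {
 strURL = 'notify_queue.php?header=false';
-strURL += '&filter='+$('#filter').val();
-strURL += '&rows='+$('#rows').val();
-strURL += '&processed='+$('#processed').val();
-strURL += '&topic='+$('#topic').val();
+strURL += '&filter='+encodeURIComponent($('#filter').val());
+strURL += '&rows='+encodeURIComponent($('#rows').val());
+strURL += '&processed='+encodeURIComponent($('#processed').val());
+strURL += '&topic='+encodeURIComponent($('#topic').val());
 loadPageNoHeader(strURL);
 }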
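Review bot: The rewritten lines keep `'&filter='+encodeURIComponent(...)` with no spaces around `+`, while every other applyFilter touched by this commit (thold.php, thold_graph.php, notify_lists.php) writes `' + '`; since these lines are being rewritten anyway, normalising to `strURL += '&filter=' + encodeURIComponent($('#filter').val());` keeps the filter blocks consistent and grep-able. Note also that encoding here only stops `&`, `#` or `=` in the free-text `filter` from splitting the query string; the value still reaches the server as user input, so the PHP side of notify_queue() must keep validating `filter` on its own — that code is outside the hunk.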

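--- a/thold.php
+++ b/thold.php
@@ -769,12 +769,12 @@ function list_tholds() {
 
 function applyFilter() {
 strURL = 'thold.php?header=false&host_id=' + $('#host_id').val();
-strURL += '&state=' + $('#state').val();
-strURL += '&thold_template_id=' + $('#thold_template_id').val();
-strURL += '&data_template_id=' + $('#data_template_id').val();
-strURL += '&site_id=' + $('#site_id').val();
-strURL += '&rows=' + $('#rows').val();
-strURL += '&rfilter=' + base64_encode($('#rfilter').val());
+strURL += '&state=' + encodeURIComponent($('#state').val());
+strURL += '&thold_template_id=' + encodeURIComponent($('#thold_template_id').val());
+strURL += '&data_template_id=' + encodeURIComponent($('#data_template_id').val());
+strURL += '&site_id=' + encodeURIComponent($('#site_id').val());
+strURL += '&rows=' + encodeURIComponent($('#rows').val());
+strURL += '&rfilter=' + encodeURIComponent(base64_encode($('#rfilter').val()));
 loadPageNoHeader(strURL);
 }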
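Review bot: The `host_id` parameter on the unchanged context line `strURL = 'thold.php?header=false&host_id=' + $('#host_id').val();` is still concatenated raw, making this the only applyFilter in the commit that leaves a select value un-encoded; a numeric or `-1` id is harmless, but the point of the change is uniformity, and a value containing `&` or `#` would still split the query string. Change it to `strURL = 'thold.php?header=false&host_id=' + encodeURIComponent($('#host_id').val());`. list_tholds() continues outside the hunk.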

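--- a/thold_graph.php
+++ b/thold_graph.php
@@ -258,13 +258,13 @@ function form_thold_filter() {
 
 function applyFilter() {
 strURL = 'thold_graph.php?header=false&action=thold';
-strURL += '&state=' + $('#state').val();
-strURL += '&thold_template_id=' + $('#thold_template_id').val();
-strURL += '&data_template_id=' + $('#data_template_id').val();
-strURL += '&host_id=' + $('#host_id').val();
-strURL += '&site_id=' + $('#site_id').val();
-strURL += '&rows=' + $('#rows').val();
-strURL += '&rfilter=' + base64_encode($('#rfilter').val());
+strURL += '&state=' + encodeURIComponent($('#state').val());
+strURL += '&thold_template_id=' + encodeURIComponent($('#thold_template_id').val());
+strURL += '&data_template_id=' + encodeURIComponent($('#data_template_id').val());
+strURL += '&host_id=' + encodeURIComponent($('#host_id').val());
+strURL += '&site_id=' + encodeURIComponent($('#site_id').val());
+strURL += '&rows=' + encodeURIComponent($('#rows').val());
+strURL += '&rfilter=' + encodeURIComponent(base64_encode($('#rfilter').val()));
 loadPageNoHeader(strURL);
 }
 
@@ -1268,11 +1268,11 @@ function form_host_filter() {
 
 function applyFilter() {
 strURL = 'thold_graph.php?header=false&action=hoststat';
-strURL += '&host_status=' + $('#host_status').val();
-strURL += '&host_template_id=' + $('#host_template_id').val();
-strURL += '&site_id=' + $('#site_id').val();
-strURL += '&rows=' + $('#rows').val();
-strURL += '&rfilter=' + base64_encode($('#rfilter').val());
+strURL += '&host_status=' + encodeURIComponent($('#host_status').val());
+strURL += '&host_template_id=' + encodeURIComponent($('#host_template_id').val());
+strURL += '&site_id=' + encodeURIComponent($('#site_id').val());
+strURL += '&rows=' + encodeURIComponent($('#rows').val());
+strURL += '&rfilter=' + encodeURIComponent(base64_encode($('#rfilter').val()));
 loadPageNoHeader(strURL);
 }
 
@@ -1734,13 +1734,13 @@ function form_thold_log_filter() {
 
 function applyFilter() {
 strURL = 'thold_graph.php?header=false&action=log';
-strURL += '&status=' + $('#status').val();
-strURL += '&threshold_id=' + $('#threshold_id').val();
-strURL += '&thold_template_id=' + $('#thold_template_id').val();
-strURL += '&host_id=' + $('#host_id').val();
-strURL += '&site_id=' + $('#site_id').val();
-strURL += '&rows=' + $('#rows').val();
-strURL += '&rfilter=' + base64_encode($('#rfilter').val());
+strURL += '&status=' + encodeURIComponent($('#status').val());
+strURL += '&threshold_id=' + encodeURIComponent($('#threshold_id').val());
+strURL += '&thold_template_id=' + encodeURIComponent($('#thold_template_id').val());
+strURL += '&host_id=' + encodeURIComponent($('#host_id').val());
+strURL += '&site_id=' + encodeURIComponent($('#site_id').val());
+strURL += '&rows=' + encodeURIComponent($('#rows').val());
+strURL += '&rfilter=' + encodeURIComponent(base64_encode($('#rfilter').val()));
 loadPageNoHeader(strURL);
 }
 
@@ -1751,13 +1751,13 @@ function clearFilter() {
 
 function exportLog() {
 strURL = 'thold_graph.php?action=exportlog';
-strURL += '&status=' + $('#status').val();
-strURL += '&threshold_id=' + $('#threshold_id').val();
-strURL += '&thold_template_id=' + $('#thold_template_id').val();
-strURL += '&host_id=' + $('#host_id').val();
-strURL += '&site_id=' + $('#site_id').val();
-strURL += '&rows=' + $('#rows').val();
-strURL += '&rfilter=' + base64_encode($('#rfilter').val());
+strURL += '&status=' + encodeURIComponent($('#status').val());
+strURL += '&threshold_id=' + encodeURIComponent($('#threshold_id').val());
+strURL += '&thold_template_id=' + encodeURIComponent($('#thold_template_id').val());
+strURL += '&host_id=' + encodeURIComponent($('#host_id').val());
+strURL += '&site_id=' + encodeURIComponent($('#site_id').val());
+strURL += '&rows=' + encodeURIComponent($('#rows').val());
+strURL += '&rfilter=' + encodeURIComponent(base64_encode($('#rfilter').val()));
 document.location = strURL;
 Pace.stop();
 }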
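Review bot: The commit message calls this an open-redirect fix, but in exportLog the only navigation is `document.location = strURL;` whose base is the hard-coded relative `'thold_graph.php?action=exportlog'`, with the filter values appended after `&name=`; what encodeURIComponent actually buys here is that a filter value containing `&`, `#` or `=` can no longer inject or split extra query parameters, not control of the destination. Restating that in the commit message would save the next reader from hunting for a redirect sink that is not in these hunks. The wrapping of `base64_encode(...)` on each `rfilter` line is the one non-obvious change and deserves a comment, e.g. `// base64 output can contain '+', which the server would otherwise decode as a space`, since the double wrapping looks redundant at first glance.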

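--- a/thold_templates.php
+++ b/thold_templates.php
@@ -2186,7 +2186,7 @@ function templates() {
 
 function applyFilter() {
 strURL = 'thold_templates.php?header=false&rows=' + $('#rows').val();
-strURL += '&filter=' + $('#filter').val();
+strURL += '&filter=' + encodeURIComponent($('#filter').val());
 loadPageNoHeader(strURL);
 }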
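Review bot: The first parameter on the unchanged line `strURL = 'thold_templates.php?header=false&rows=' + $('#rows').val();` is still appended raw while `filter` on the next line is encoded; `rows` is a select so the practical risk is low, but every other file in this commit wraps `rows` too, and leaving one out invites the next copy-paste to inherit it. For consistency: `strURL = 'thold_templates.php?header=false&rows=' + encodeURIComponent($('#rows').val());`. templates() continues outside the hunk.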

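--- a/thold_webapi.php
+++ b/thold_webapi.php
@@ -793,39 +793,39 @@ function thold_wizard() {
 
 function applyTholdFilter() {
 strURL = 'thold.php?action=add&header=false';
-strURL += '&type_id=' + $('#type_id').val();
+strURL += '&type_id=' + encodeURIComponent($('#type_id').val());
 
 if ($('#type_id').val() == 'thold') {
 if ($('#my_host_id').length && $('#my_host_id').val() > 0) {
-strURL += '&my_host_id=' + $('#my_host_id').val();
+strURL += '&my_host_id=' + encodeURIComponent($('#my_host_id').val());
 }
 
 if ($('#local_graph_id').length && $('#local_graph_id').val() > 0) {
-strURL += '&local_graph_id=' + $('#local_graph_id').val();
+strURL += '&local_graph_id=' + encodeURIComponent($('#local_graph_id').val());
 }
 
 if ($('#data_template_rrd_id').length && $('#data_template_rrd_id').val() > 0) {
-strURL += '&data_template_rrd_id=' + $('#data_template_rrd_id').val();
+strURL += '&data_template_rrd_id=' + encodeURIComponent($('#data_template_rrd_id').val());
 }
 } else {
 if ($('#thold_template_id').length && $('#thold_template_id').val() > 0) {
-strURL += '&thold_template_id=' + $('#thold_template_id').val();
+strURL += '&thold_template_id=' + encodeURIComponent($('#thold_template_id').val());
 }
 
 if ($('#graph_template_id').length && $('#graph_template_id').val() > 0) {
-strURL += '&graph_template_id=' + $('#graph_template_id').val();
+strURL += '&graph_template_id=' + encodeURIComponent($('#graph_template_id').val());
 }
 
 if ($('#data_query_id').length && $('#data_query_id').val() > 0) {
-strURL += '&data_query_id=' + $('#data_query_id').val();
+strURL += '&data_query_id=' + encodeURIComponent($('#data_query_id').val());
 }
 
 if ($('#data_template_id').length && $('#data_template_id').val() > 0) {
-strURL += '&data_template_id=' + $('#data_template_id').val();
+strURL += '&data_template_id=' + encodeURIComponent($('#data_template_id').val());
 }
 
 if ($('#my_host_id').length && $('#my_host_id').val() != 0) {
-strURL += '&my_host_id=' + $('#my_host_id').val();
+strURL += '&my_host_id=' + encodeURIComponent($('#my_host_id').val());
 }
 
 if ($('#snmp_index').length && $('#snmp_index').val() != '') {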
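Review bot: The hunk stops at the `if ($('#snmp_index').length && $('#snmp_index').val() != '')` guard, so the `snmp_index` append and whatever else applyTholdFilter adds after it are not visible here; unlike the numeric ids above it, `snmp_index` is a free-form string and is the parameter in this function most likely to carry `&` or `#`, so confirm the lines past the hunk received the same `encodeURIComponent` wrapping. The `$('#my_host_id').val() > 0` and `!= 0` guards compare a string against a number through coercion; that is pre-existing and presumably fine for numeric select values, but the loose `== 'thold'` on the `type_id` branch could become `=== 'thold'` while the function is being touched. applyTholdFilter continues outside the hunk.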
