hardening: re-apply db_qstr and sanitize_unserialize after linter revert

somethingwithproof · somethingwithproof · commit b995bae36cfc · 2026-03-20T01:58:53.000-07:00
Linter reverted thold_graph.php and thold_webapi.php changes from the
previous commit. Re-apply: db_qstr() for all RLIKE patterns in thold_graph,
sanitize_unserialize_selected_items in thold_webapi.

Signed-off-by: Thomas Vincent &lt;thomasvincent@gmail.com&gt;
diff --git a/thold_graph.php b/thold_graph.php
@@ -404,7 +404,7 @@ function tholds() {
 	$statefilter = thold_get_state_filter(get_request_var('state'));
 
 	if (get_request_var('rfilter') != '') {
-		$sql_where .= ($sql_where == '' ? '(' : ' AND ') . " td.name_cache RLIKE '" . get_request_var('rfilter') . "'";
+		$sql_where .= ($sql_where == '' ? '(' : ' AND ') . ' td.name_cache RLIKE ' . db_qstr(get_request_var('rfilter'));
 	}
 
 	if (get_request_var('data_template_id') != '-1') {
@@ -936,9 +936,8 @@ function hosts() {
 	$sql_where = '';
 
 	if (get_request_var('rfilter') != '') {
-		$sql_where .= " (h.deleted = ''
-			AND (h.hostname RLIKE '" . get_request_var('rfilter') . "'
-			OR h.description RLIKE '" . get_request_var('rfilter') . "')";
+		$sql_where .= " (h.deleted = '' AND (h.hostname RLIKE " . db_qstr(get_request_var('rfilter')) .
+			' OR h.description RLIKE ' . db_qstr(get_request_var('rfilter')) . ')';
 	}
 
 	if (get_request_var('host_status') == '-1') {
@@ -1395,7 +1394,7 @@ function thold_export_log() {
 	}
 
 	if (get_request_var('rfilter') != '') {
-		$sql_where .= ($sql_where == '' ? '' : ' AND') . " tl.description RLIKE '" . get_request_var('rfilter') . "'";
+		$sql_where .= ($sql_where == '' ? '' : ' AND') . ' tl.description RLIKE ' . db_qstr(get_request_var('rfilter'));
 	}
 
 	$sql_order  = '';
@@ -1490,7 +1489,7 @@ function thold_show_log() {
 	}
 
 	if (get_request_var('rfilter') != '') {
-		$sql_where .= ($sql_where == '' ? '' : ' AND') . " tl.description RLIKE '" . get_request_var('rfilter') . "'";
+		$sql_where .= ($sql_where == '' ? '' : ' AND') . ' tl.description RLIKE ' . db_qstr(get_request_var('rfilter'));
 	}
 
 	$sql_order = get_order_string();
diff --git a/thold_webapi.php b/thold_webapi.php
@@ -861,7 +861,7 @@ function applyTholdFilter() {
 function thold_new_graphs_save($host_id) {
 	$return_array = false;
 
-	$selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array')));
+	$selected_graphs_array = sanitize_unserialize_selected_items(get_nfilter_request_var('selected_graphs_array'));
 
 	$values = [];
 

Original file line number	Diff line number	Diff line change
`@@ -404,7 +404,7 @@ function tholds() {`
`404`	`404`	`$statefilter = thold_get_state_filter(get_request_var('state'));`
`405`	`405`
`406`	`406`	`if (get_request_var('rfilter') != '') {`
`407`		`- $sql_where .= ($sql_where == '' ? '(' : ' AND ') . " td.name_cache RLIKE '" . get_request_var('rfilter') . "'";`
	`407`	`+ $sql_where .= ($sql_where == '' ? '(' : ' AND ') . ' td.name_cache RLIKE ' . db_qstr(get_request_var('rfilter'));`
`408`	`408`	`}`
`409`	`409`
`410`	`410`	`if (get_request_var('data_template_id') != '-1') {`
`@@ -936,9 +936,8 @@ function hosts() {`
`936`	`936`	`$sql_where = '';`
`937`	`937`
`938`	`938`	`if (get_request_var('rfilter') != '') {`
`939`		`- $sql_where .= " (h.deleted = ''`
`940`		`- AND (h.hostname RLIKE '" . get_request_var('rfilter') . "'`
`941`		`- OR h.description RLIKE '" . get_request_var('rfilter') . "')";`
	`939`	`+ $sql_where .= " (h.deleted = '' AND (h.hostname RLIKE " . db_qstr(get_request_var('rfilter')) .`
	`940`	`+ ' OR h.description RLIKE ' . db_qstr(get_request_var('rfilter')) . ')';`
`942`	`941`	`}`
`943`	`942`
`944`	`943`	`if (get_request_var('host_status') == '-1') {`
`@@ -1395,7 +1394,7 @@ function thold_export_log() {`
`1395`	`1394`	`}`
`1396`	`1395`
`1397`	`1396`	`if (get_request_var('rfilter') != '') {`
`1398`		`- $sql_where .= ($sql_where == '' ? '' : ' AND') . " tl.description RLIKE '" . get_request_var('rfilter') . "'";`
	`1397`	`+ $sql_where .= ($sql_where == '' ? '' : ' AND') . ' tl.description RLIKE ' . db_qstr(get_request_var('rfilter'));`
`1399`	`1398`	`}`
`1400`	`1399`
`1401`	`1400`	`$sql_order = '';`
`@@ -1490,7 +1489,7 @@ function thold_show_log() {`
`1490`	`1489`	`}`
`1491`	`1490`
`1492`	`1491`	`if (get_request_var('rfilter') != '') {`
`1493`		`- $sql_where .= ($sql_where == '' ? '' : ' AND') . " tl.description RLIKE '" . get_request_var('rfilter') . "'";`
	`1492`	`+ $sql_where .= ($sql_where == '' ? '' : ' AND') . ' tl.description RLIKE ' . db_qstr(get_request_var('rfilter'));`
`1494`	`1493`	`}`
`1495`	`1494`
`1496`	`1495`	`$sql_order = get_order_string();`