Fix security issue

'v' parameter of gengraph.php allowed shell command injection. Reported by Stefan Hanrath.
2025-02-20 11:44:12 +08:00 · 2013-12-06 09:07:46 +01:00 · 2013-12-06 09:07:46 +01:00 · afe5f582d1
commit afe5f582d1
parent d7b806349c
1 changed files with 1 additions and 1 deletions
--- a/www/gengraph.php
+++ b/www/gengraph.php
@ -30,7 +30,7 @@ $cmd = "$rrdtool graph - " .
 	"--slope-mode --alt-autoscale -u 0 -l 0 --imgformat=PNG --base=1000 --height=$height --width=$width " .
 	"--color BACK#ffffff00 --color SHADEA#ffffff00 --color SHADEB#ffffff00 ";

-if (@$_GET['v'])
+if (isset($_GET['v']) && is_numeric($_GET['v']))
 	$cmd .= "--title IPv" . $_GET['v'] . " ";

 if (isset($_GET['nolegend']))