From c40a7fff2877f84e8e56bd50f892a0682b8379a3 Mon Sep 17 00:00:00 2001 From: Manuel Kasper Date: Wed, 12 Mar 2014 14:05:29 +0100 Subject: [PATCH] Various fixes Fix command line injection. Make number of hours in top.php a parameter instead of duplicating file. Add config setting for compatibility with old (< 1.3) RRDtool versions. Move contributed shell scripts to subdir. --- .../disableSeLinux.sh | 0 .../installAS-Stats.sh | 0 www/config.inc | 4 +- www/gengraph.php | 91 ++++++++------ www/headermenu.inc | 14 +-- www/linkgraph.php | 2 +- www/top.php | 14 ++- www/top12.php | 116 ------------------ www/top4.php | 116 ------------------ 9 files changed, 74 insertions(+), 283 deletions(-) rename disableSeLinux.sh => contrib/disableSeLinux.sh (100%) rename installAS-Stats.sh => contrib/installAS-Stats.sh (100%) delete mode 100644 www/top12.php delete mode 100644 www/top4.php diff --git a/disableSeLinux.sh b/contrib/disableSeLinux.sh similarity index 100% rename from disableSeLinux.sh rename to contrib/disableSeLinux.sh diff --git a/installAS-Stats.sh b/contrib/installAS-Stats.sh similarity index 100% rename from installAS-Stats.sh rename to contrib/installAS-Stats.sh diff --git a/www/config.inc b/www/config.inc index ce91ac6..3060005 100644 --- a/www/config.inc +++ b/www/config.inc @@ -18,7 +18,9 @@ $hidelinkusagename = true; # $showtitledetail will need to be true to allow t $whois = "/usr/bin/whois"; $assetpath = "asset"; -$asset_cache_life ="604800"; # 604800 seconds = 7 days +$asset_cache_life = "604800"; # 604800 seconds = 7 days + +$compat_rrdtool12 = false; # compatibility with RRDtool 1.2 (show95th will not work if this is set) /* Custom links to be shown for each AS. You can use %as% as a placeholder for the ASN. */ diff --git a/www/gengraph.php b/www/gengraph.php index 5df1d78..03b780f 100644 --- a/www/gengraph.php +++ b/www/gengraph.php 
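Review bot: `$asset_cache_life = "604800"` is still a quoted string for what is a number of seconds, and since the line is being touched anyway it should become an integer, `$asset_cache_life = 604800;`, so any later comparison against `time()` does not rely on string-to-number juggling. The new `$compat_rrdtool12` comment says the flag disables `show95th` but not why; a hint such as `# the 95th-percentile totals in gengraph.php use RRDtool features that (presumably) are missing in 1.2` would spare the next reader a hunt through gengraph.php — I could not confirm the exact 1.2 limitation from this diff. These are top-level assignments in config.inc.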
@@ -31,12 +31,12 @@ $cmd = "$rrdtool graph - " . "--color BACK#ffffff00 --color SHADEA#ffffff00 --color SHADEB#ffffff00 "; if($outispositive) - $cmd .= "--vertical-label '<- IN | OUT ->' "; + $cmd .= "--vertical-label '<- IN | OUT ->' "; else - $cmd .= "--vertical-label '<- OUT | IN ->' "; + $cmd .= "--vertical-label '<- OUT | IN ->' "; if($showtitledetail && $_GET['dname'] != "") - $cmd .= "--title " . str_replace(' ','\ ',rawurldecode($_GET['dname'])) . " "; + $cmd .= "--title " . escapeshellarg($_GET['dname']) . " "; else if (isset($_GET['v']) && is_numeric($_GET['v'])) $cmd .= "--title IPv" . $_GET['v'] . " "; 
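Review bot: The `--title IPv` branch on the last line of the hunk still concatenates `$_GET['v']` unquoted, and `is_numeric()` admits forms such as `" 4"`, `"4.0"` or `"1e1"`, so the title can split into two shell words (`IPv 4`) or become a nonsense label; since only 4 and 6 are meaningful, restrict it to those: `else if (isset($_GET['v']) && in_array($_GET['v'], array('4', '6'), true))`. The `dname` branch is now correctly quoted with `escapeshellarg()`, but be aware that `escapeshellarg()` drops bytes it considers invalid multibyte sequences under the process locale, so a UTF-8 title may lose characters unless `setlocale(LC_CTYPE, ...)` matches. `$_GET['dname'] != ""` also raises an undefined-index notice when the parameter is absent; `!empty($_GET['dname'])` is the quieter equivalent. These statements are top-level in gengraph.php, not inside a function.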
@@ -56,39 +56,52 @@ foreach ($knownlinks as $link) { $cmd .= "DEF:{$link['tag']}_{$v6_el}out=\"$rrdfile\":{$link['tag']}_{$v6_el}out:AVERAGE "; } -$tot_in_bits = "CDEF:tot_in_bits=0"; -$tot_out_bits = "CDEF:tot_out_bits=0"; - -/* generate a CDEF for each DEF to multiply by 8 (bytes to bits), and reverse for outbound */ -foreach ($knownlinks as $link) { - $cmd .= "CDEF:{$link['tag']}_{$v6_el}in_bits_pos={$link['tag']}_{$v6_el}in,8,* "; - $cmd .= "CDEF:{$link['tag']}_{$v6_el}out_bits_pos={$link['tag']}_{$v6_el}out,8,* "; - $tot_in_bits .= ",{$link['tag']}_{$v6_el}in_bits_pos,ADDNAN"; - $tot_out_bits .= ",{$link['tag']}_{$v6_el}out_bits_pos,ADDNAN"; -} - -$cmd .= "$tot_in_bits "; -$cmd .= "$tot_out_bits "; - -$cmd .= "VDEF:tot_in_bits_95th_pos=tot_in_bits,95,PERCENT "; -$cmd .= "VDEF:tot_out_bits_95th_pos=tot_out_bits,95,PERCENT "; - -if ($outispositive) { - $cmd .= "CDEF:tot_in_bits_95th=tot_in_bits,POP,tot_in_bits_95th_pos,-1,* "; - $cmd .= "CDEF:tot_out_bits_95th=tot_out_bits,POP,tot_out_bits_95th_pos,1,* "; +if ($compat_rrdtool12) { + /* generate a CDEF for each DEF to multiply by 8 (bytes to bits), and reverse for outbound */ + foreach ($knownlinks as $link) { + if ($outispositive) { + $cmd .= "CDEF:{$link['tag']}_{$v6_el}in_bits={$link['tag']}_{$v6_el}in,-8,* "; + $cmd .= "CDEF:{$link['tag']}_{$v6_el}out_bits={$link['tag']}_{$v6_el}out,8,* "; + } else { + $cmd .= "CDEF:{$link['tag']}_{$v6_el}in_bits={$link['tag']}_{$v6_el}in,8,* "; + $cmd .= "CDEF:{$link['tag']}_{$v6_el}out_bits={$link['tag']}_{$v6_el}out,-8,* "; + } + } } else { - $cmd .= "CDEF:tot_in_bits_95th=tot_in_bits,POP,tot_in_bits_95th_pos,1,* "; - $cmd .= "CDEF:tot_out_bits_95th=tot_out_bits,POP,tot_out_bits_95th_pos,-1,* "; -} + $tot_in_bits = "CDEF:tot_in_bits=0"; + $tot_out_bits = "CDEF:tot_out_bits=0"; -foreach ($knownlinks as $link) { - if ($outispositive) { - $cmd .= "CDEF:{$link['tag']}_{$v6_el}in_bits={$link['tag']}_{$v6_el}in_bits_pos,-1,* "; - $cmd .= 
"CDEF:{$link['tag']}_{$v6_el}out_bits={$link['tag']}_{$v6_el}out_bits_pos,1,* "; - } else { - $cmd .= "CDEF:{$link['tag']}_{$v6_el}out_bits={$link['tag']}_{$v6_el}out_bits_pos,-1,* "; - $cmd .= "CDEF:{$link['tag']}_{$v6_el}in_bits={$link['tag']}_{$v6_el}in_bits_pos,1,* "; - } + /* generate a CDEF for each DEF to multiply by 8 (bytes to bits), and reverse for outbound */ + foreach ($knownlinks as $link) { + $cmd .= "CDEF:{$link['tag']}_{$v6_el}in_bits_pos={$link['tag']}_{$v6_el}in,8,* "; + $cmd .= "CDEF:{$link['tag']}_{$v6_el}out_bits_pos={$link['tag']}_{$v6_el}out,8,* "; + $tot_in_bits .= ",{$link['tag']}_{$v6_el}in_bits_pos,ADDNAN"; + $tot_out_bits .= ",{$link['tag']}_{$v6_el}out_bits_pos,ADDNAN"; + } + + $cmd .= "$tot_in_bits "; + $cmd .= "$tot_out_bits "; + + $cmd .= "VDEF:tot_in_bits_95th_pos=tot_in_bits,95,PERCENT "; + $cmd .= "VDEF:tot_out_bits_95th_pos=tot_out_bits,95,PERCENT "; + + if ($outispositive) { + $cmd .= "CDEF:tot_in_bits_95th=tot_in_bits,POP,tot_in_bits_95th_pos,-1,* "; + $cmd .= "CDEF:tot_out_bits_95th=tot_out_bits,POP,tot_out_bits_95th_pos,1,* "; + } else { + $cmd .= "CDEF:tot_in_bits_95th=tot_in_bits,POP,tot_in_bits_95th_pos,1,* "; + $cmd .= "CDEF:tot_out_bits_95th=tot_out_bits,POP,tot_out_bits_95th_pos,-1,* "; + } + + foreach ($knownlinks as $link) { + if ($outispositive) { + $cmd .= "CDEF:{$link['tag']}_{$v6_el}in_bits={$link['tag']}_{$v6_el}in_bits_pos,-1,* "; + $cmd .= "CDEF:{$link['tag']}_{$v6_el}out_bits={$link['tag']}_{$v6_el}out_bits_pos,1,* "; + } else { + $cmd .= "CDEF:{$link['tag']}_{$v6_el}out_bits={$link['tag']}_{$v6_el}out_bits_pos,-1,* "; + $cmd .= "CDEF:{$link['tag']}_{$v6_el}in_bits={$link['tag']}_{$v6_el}in_bits_pos,1,* "; + } + } } /* generate graph area/stack for inbound */ 
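Review bot: The new `$compat_rrdtool12` branch picks the multiplier sign in a four-way if/else that mirrors the sign logic repeated in the non-compat branch below it; computing the two multipliers once makes the intent (bytes to bits, negative for whichever direction is drawn below the axis) visible and removes the duplicated string templates. A comment stating what the compat path deliberately omits — presumably the `ADDNAN` totals and `PERCENT` VDEFs that the 95th-percentile lines need, which the config comment says are unusable on 1.2 — would also help; I could not confirm the exact RRDtool 1.2 limitation from this diff. The non-compat branch is unchanged apart from indentation, and this top-level statement run continues past the hunk.
```php
if ($compat_rrdtool12) {
	/* RRDtool 1.2 path: bytes -> bits in one CDEF per direction, with the sign
	   folded into the multiplier (negative = drawn below the axis). No totals
	   or 95th-percentile VDEFs are generated here (see $compat_rrdtool12 in config.inc). */
	$in_mult  = $outispositive ? -8 : 8;
	$out_mult = $outispositive ? 8 : -8;
	foreach ($knownlinks as $link) {
		$cmd .= "CDEF:{$link['tag']}_{$v6_el}in_bits={$link['tag']}_{$v6_el}in,$in_mult,* ";
		$cmd .= "CDEF:{$link['tag']}_{$v6_el}out_bits={$link['tag']}_{$v6_el}out,$out_mult,* ";
	}
} else {
	// … unchanged: totals, 95th-percentile VDEFs and per-link CDEFs …
}
```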
@@ -120,11 +133,11 @@ foreach ($knownlinks as $link) { $i++; } -if($show95th){ - $cmd .= "LINE1:tot_in_bits_95th#FF0000 "; - $cmd .= "LINE1:tot_out_bits_95th#FF0000 "; - $cmd .= "GPRINT:tot_in_bits_95th_pos:'95th in %6.2lf%s' "; - $cmd .= "GPRINT:tot_out_bits_95th_pos:'95th out %6.2lf%s' "; +if ($show95th && !$compat_rrdtool12) { + $cmd .= "LINE1:tot_in_bits_95th#FF0000 "; + $cmd .= "LINE1:tot_out_bits_95th#FF0000 "; + $cmd .= "GPRINT:tot_in_bits_95th_pos:'95th in %6.2lf%s' "; + $cmd .= "GPRINT:tot_out_bits_95th_pos:'95th out %6.2lf%s' "; } # zero line diff --git a/www/headermenu.inc b/www/headermenu.inc index 79d716e..7db9fb7 100644 --- a/www/headermenu.inc +++ b/www/headermenu.inc @@ -1,24 +1,24 @@ Top AS | Top AS | 4 Hour | 4 Hour | 4 Hour | 4 Hour | 12 Hour | 12 Hour | 12 Hour | 12 Hour | 200) $topas = getasstats_top($ntop); +if (@$_GET['numhours']) { + $start = time() - $_GET['numhours']*3600; + $end = time(); +} else { + $start = ""; + $end = ""; +} + ?> @@ -81,10 +89,10 @@ echo join(" | ", $htmllinks); - AS graph" width="581" height="207" border="0" /> - AS graph" width="581" height="207" border="0" /> + AS graph&start=&end=" width="581" height="207" border="0" /> + AS graph&start=&end=" width="581" height="207" border="0" /> - AS graph" width="581" height="189" border="0" /> + AS graph&start=&end=" width="581" height="189" border="0" /> diff --git a/www/top12.php b/www/top12.php deleted file mode 100644 index b23e592..0000000 --- a/www/top12.php +++ /dev/null @@ -1,116 +0,0 @@ - 200) - $ntop = 200; - -$topas = getasstats_top($ntop); - -?> - - - - - - Top <?php echo $ntop; ?> AS - - - - - - -
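Review bot: In the first top.php hunk, `$_GET['numhours']` goes straight into `time() - $_GET['numhours']*3600` behind an `@`-silenced truthiness test, so a non-numeric value yields a warning-laden zero (on current PHP a TypeError) and a negative value yields a start time in the future, while the `@` merely hides the undefined-index notice instead of testing for the parameter. Validate it once as an integer: `$numhours = isset($_GET['numhours']) ? (int)$_GET['numhours'] : 0;` and then `if ($numhours > 0) { $start = time() - $numhours*3600; $end = time(); }` with the empty-string defaults in the else branch as now. Since `$start`/`$end` are later echoed into the `gengraph.php?...&start=...&end=...` image URLs in the second hunk, keeping them integers also keeps those query strings well-formed. The HTML in these top.php and headermenu.inc hunks is stripped in this rendering, so the exact context lines could not be confirmed.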
Top AS
- - - - $nbytes): -$asinfo = getASInfo($as); -$class = (($i % 2) == 0) ? "even" : "odd"; -?> - - - - - - -
-
- - > - - AS: -
-
IPv4: ~ in / - out in the last 24 hours
- -
IPv6: ~ in / - out in the last 24 hours
- - - - - - -
- # -
-
- - AS graph" width="581" height="207" border="0" /> - AS graph" width="581" height="207" border="0" /> - - AS graph" width="581" height="189" border="0" /> - -
- -
- -\n"; -} -?> -
"; - - echo ""; - echo ""; - echo ""; - echo "
  
"; - - echo "
 " . $link['descr'] . "
-
- - - - - diff --git a/www/top4.php b/www/top4.php deleted file mode 100644 index a196471..0000000 --- a/www/top4.php +++ /dev/null @@ -1,116 +0,0 @@ - 200) - $ntop = 200; - -$topas = getasstats_top($ntop); - -?> - - - - - - Top <?php echo $ntop; ?> AS - - - - - - -
Top AS
- - - - $nbytes): -$asinfo = getASInfo($as); -$class = (($i % 2) == 0) ? "even" : "odd"; -?> - - - - - - -
-
- - > - - AS: -
-
IPv4: ~ in / - out in the last 24 hours
- -
IPv6: ~ in / - out in the last 24 hours
- - - - - - -
- # -
-
- - AS graph" width="581" height="207" border="0" /> - AS graph" width="581" height="207" border="0" /> - - AS graph" width="581" height="189" border="0" /> - -
- -
- -\n"; -} -?> -
"; - - echo ""; - echo ""; - echo ""; - echo "
  
"; - - echo "
 " . $link['descr'] . "
-
- - - - -