author | Roberts Lataria <roberts.lataria@zabbix.com> | 2022-07-13 16:14:24 +0300 |
committer | Roberts Lataria <roberts.lataria@zabbix.com> | 2022-07-13 16:14:24 +0300 |
commit | 6b860cec8e7ab2f932ed2577ebdfdadec0b6fd33 (patch) | |
tree | f52069ed0b1d6c89fd53874f4596f942188d596f | |
parent | 499b407c2cd32bb7ee1bfcf3dc8a4b7e3dfc88d1 (diff) | |
parent | 8f869632732dcc1a7fdb84ef9560a494f83d5fc9 (diff) |
..F....... [DEV-2181] fixed xss in graph
* commit '8f869632732dcc1a7fdb84ef9560a494f83d5fc9':
..F....... [DEV-2181] fixed xss in graph
..F....... [DEV-2181] fixed undefined errors when item not found
..F....... [DEV-2181] fixed code style
..F....... [DEV-2181] fixed css for field drawtype in graph items
..F....... [DEV-2181] fixed xss in graph
-rw-r--r-- | frontends/php/graphs.php | 32 | ||||
-rw-r--r-- | frontends/php/include/views/configuration.graph.edit.php | 4 |
2 files changed, 24 insertions, 12 deletions
diff --git a/frontends/php/graphs.php b/frontends/php/graphs.php
index 70fbd01bf33..8ae19461b41 100644
--- a/frontends/php/graphs.php
+++ b/frontends/php/graphs.php
@@ -91,8 +91,14 @@ if (isset($_REQUEST['yaxismax']) && zbx_empty($_REQUEST['yaxismax'])) {
 check_fields($fields);
 $gitems = [];
-foreach (getRequest('items', []) as $gitem) {
- $gitems[] = json_decode($gitem, true);
+foreach (getRequest('items', []) as $item) {
+ $gitem = json_decode($item, true);
+
+ if ((array_key_exists('itemid', $gitem) && ctype_digit($gitem['itemid']))
+ && (array_key_exists('type', $gitem) && ctype_digit($gitem['type']))
+ && (array_key_exists('drawtype', $gitem) && ctype_digit($gitem['drawtype']))) {
+ $gitems[] = $gitem;
+ }
 }
 $_REQUEST['items'] = $gitems;
@@ -557,18 +563,20 @@ elseif (isset($_REQUEST['form'])) {
 'preservekeys' => true
 ]);
- foreach ($data['items'] as &$item) {
- $host = reset($items[$item['itemid']]['hosts']);
+ if ($items) {
+ foreach ($data['items'] as &$item) {
+ $host = reset($items[$item['itemid']]['hosts']);
- $item['host'] = $host['name'];
- $item['hostid'] = $items[$item['itemid']]['hostid'];
- $item['name'] = $items[$item['itemid']]['name'];
- $item['key_'] = $items[$item['itemid']]['key_'];
- $item['flags'] = $items[$item['itemid']]['flags'];
- }
- unset($item);
+ $item['host'] = $host['name'];
+ $item['hostid'] = $items[$item['itemid']]['hostid'];
+ $item['name'] = $items[$item['itemid']]['name'];
+ $item['key_'] = $items[$item['itemid']]['key_'];
+ $item['flags'] = $items[$item['itemid']]['flags'];
+ }
+ unset($item);
- $data['items'] = CMacrosResolverHelper::resolveItemNames($data['items']);
+ $data['items'] = CMacrosResolverHelper::resolveItemNames($data['items']);
+ }
 }
 $data['items'] = array_values($data['items']);
diff --git a/frontends/php/include/views/configuration.graph.edit.php b/frontends/php/include/views/configuration.graph.edit.php
index 31450c5ec31..24e8565e804 100644
--- a/frontends/php/include/views/configuration.graph.edit.php
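Review bot: `json_decode($item, true)` returns null or a scalar for a malformed or non-object `items` entry, and the new condition then hands that value straight to `array_key_exists()`, which is a TypeError on PHP 8 (a warning plus a skipped entry on PHP 7), so the validation is not self-contained. A shape check right after the decode keeps it that way: `if (!is_array($gitem)) { continue; }`. The check also covers only `itemid`, `type` and `drawtype`; any other keys the decoded entry carries reach `$_REQUEST['items']` unvalidated here, so whatever consumes them later must still treat them as untrusted — presumably `check_fields()` or the view, but that is outside this hunk. Note too that `ctype_digit()` on a non-string argument is not a numeric test, so if a client ever sends these fields as JSON numbers the check would reject (or, for a few small values, misjudge) them; casting with `(string)` before the call removes that dependency on the JSON type.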
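Review bot: The new `if ($items)` guard only covers the case where the lookup returned nothing at all; when `$items` holds some of the requested ids but not others (an id the current user cannot read, or one that no longer exists), `$items[$item['itemid']]` is still an undefined index inside the loop and the lookup-derived keys (`host`, `hostid`, `name`, `key_`, `flags`) are never set for that entry. Because `$items` is keyed by id (`'preservekeys' => true`), a per-entry check is cheap: filtering before the loop with `$data['items'] = array_filter($data['items'], function ($item) use ($items) { return array_key_exists($item['itemid'], $items); });` lets the lookup result, not the request, decide which entries are rendered, and the `array_values()` call below already normalises the keys. The same applies when `$items` is empty: `$data['items']` then still carries the request-supplied entries, which the view reads later. The enclosing `elseif (isset($_REQUEST['form']))` block begins outside the hunk, and the call that fills `$items` ends at the `]);` at its top.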
+++ b/frontends/php/include/views/configuration.graph.edit.php
@@ -409,6 +409,10 @@ $items_table->addRow(
 );
 foreach ($this->data['items'] as $n => $item) {
+ if (!$item['itemid']) {
+ continue;
+ }
+
 $name = $item['host'].NAME_DELIMITER.$item['name_expanded'];
 if (zbx_empty($item['drawtype'])) {
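Review bot: Skipping on `!$item['itemid']` does not protect the next line: `$item['host']` and `$item['name_expanded']` are filled in by graphs.php only when its item lookup succeeded, so an entry with a non-empty `itemid` that the lookup did not return reaches `$name = $item['host'].NAME_DELIMITER.$item['name_expanded'];` with both keys undefined. Keying the skip on the resolved data rather than on id truthiness closes that gap: `if (!$item['itemid'] || !isset($item['host'], $item['name_expanded'])) { continue; }`. Whether `$name` is escaped when the row is rendered cannot be seen here; the foreach body continues past the hunk.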