head 1.2; access; symbols pkgsrc-2014Q4:1.1.0.4 pkgsrc-2014Q4-base:1.1 pkgsrc-2014Q3:1.1.0.2 pkgsrc-2014Q3-base:1.1; locks; strict; comment @# @; 1.2 date 2015.03.11.13.56.46; author adam; state dead; branches; next 1.1; commitid UT8JLqtBS2ja6cdy; 1.1 date 2014.08.23.12.50.25; author adam; state Exp; branches; next ; commitid U1IY150GJSO3auNx; desc @@ 1.2 log @Changes 0.8.8c: Important Security Fixes CVE-2013-5588 - XSS issue via installer or device editing CVE-2013-5589 - SQL injection vulnerability in device editing CVE-2014-2326 - XSS issue via CDEF editing CVE-2014-2327 - Cross-site request forgery (CSRF) vulnerability CVE-2014-2328 - Remote Command Execution Vulnerability in graph export CVE-2014-4002 - XSS issues in multiple files CVE-2014-5025 - XSS issue via data source editing CVE-2014-5026 - XSS issues in multiple files Important Updates New graph tree view Updated graph list and graph preview Refactor graph tree view to remove GPL incompatible code Updated command line database upgrade utility Graph zooming now from everywhere @ text @$NetBSD: patch-lib_graph_export.php,v 1.1 2014/08/23 12:50:25 adam Exp $ Fixes for: CVE-2014-2326 Unspecified HTML Injection Vulnerability CVE-2014-2328 Unspecified Remote Command Execution Vulnerability CVE-2014-2708 Unspecified SQL Injection Vulnerability CVE-2014-2709 Unspecified Remote Command Execution Vulnerability --- lib/graph_export.php.orig 2013-08-06 22:31:19.000000000 -0400 +++ lib/graph_export.php 2014-04-04 21:39:05.000000000 -0400 @@@@ -339,7 +339,7 @@@@ chdir($stExportDir); /* set the initial command structure */ - $stExecute = 'ncftpput -R -V -r 1 -u '.$aFtpExport['username'].' -p '.$aFtpExport['password']; + $stExecute = 'ncftpput -R -V -r 1 -u ' . cacti_escapeshellarg($aFtpExport['username']) . ' -p ' . 
cacti_escapeshellarg($aFtpExport['password']); /* if the user requested passive mode, use it */ if ($aFtpExport['passive']) { @@@@ -347,7 +347,7 @@@@ } /* setup the port, server, remote directory and all files */ - $stExecute .= ' -P ' . $aFtpExport['port'] . ' ' . $aFtpExport['server'] . ' ' . $aFtpExport['remotedir'] . "."; + $stExecute .= ' -P ' . cacti_escapeshellarg($aFtpExport['port']) . ' ' . cacti_escapeshellarg($aFtpExport['server']) . ' ' . cacti_escapeshellarg($aFtpExport['remotedir']) . "."; /* run the command */ $iExecuteReturns = 0; @ 1.1 log @Fixes for: CVE-2014-2326 Unspecified HTML Injection Vulnerability CVE-2014-2328 Unspecified Remote Command Execution Vulnerability CVE-2014-2708 Unspecified SQL Injection Vulnerability CVE-2014-2709 Unspecified Remote Command Execution Vulnerability @ text @d1 1 a1 1 $NetBSD$ @
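Review bot: The added `+` line still hands the FTP password to ncftpput as a command-line argument (`' -p ' . cacti_escapeshellarg($aFtpExport['password'])`), so the escaping closes the injection but the secret stays readable to any local user who can list processes while the transfer runs. As far as I recall ncftpput can read the login details from a file instead of `-u`/`-p`; if that route is taken the file must be created with owner-only permissions and deleted after the run, otherwise the exposure only moves. `cacti_escapeshellarg()` is a project helper whose definition is not part of this patch — confirm it delegates to PHP's `escapeshellarg()` on every supported platform, since a variant that merely wraps the value in double quotes would not neutralise all shell metacharacters. The enclosing function begins before and ends after this hunk.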
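Review bot: Escaping `$aFtpExport['port']` on the `+` line stops injection but still forwards any non-numeric value straight to ncftpput's `-P`; a port can only be an integer, so a check such as `$iPort = (int) $aFtpExport['port'];` before the concatenation, rejecting values outside 1–65535, gives an earlier and clearer failure than whatever ncftpput reports. The trailing `"."` is the local directory argument and relies on the `chdir($stExportDir)` shown in the earlier hunk's header context having succeeded; its return value does not appear to be checked there, and a failed chdir would export the current working directory instead. The surrounding function continues past `$iExecuteReturns = 0;` outside the hunk.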