From a783e73271b06ade70ce71dd9d2b6df975331256 Mon Sep 17 00:00:00 2001
From: YAHIAOUI Hamza
Date: Fri, 21 Oct 2022 01:44:10 +0100
Subject: [PATCH 1/3] fix xss centreon api class
---
 www/class/centreon-clapi/centreonAPI.class.php | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/www/class/centreon-clapi/centreonAPI.class.php b/www/class/centreon-clapi/centreonAPI.class.php
index d808732f132..e7ca72f45c8 100644
--- a/www/class/centreon-clapi/centreonAPI.class.php
+++ b/www/class/centreon-clapi/centreonAPI.class.php
@@ -36,9 +36,6 @@ namespace CentreonClapi;
-use Security\Domain\Authentication\Exceptions\ProviderException;
-use Security\Domain\Authentication\Model\LocalProvider;
-
 require_once _CENTREON_PATH_ . "www/class/centreon-clapi/centreonExported.class.php";
 require_once realpath(dirname(__FILE__) . "/../centreonDB.class.php");
 require_once realpath(dirname(__FILE__) . "/../centreonXML.class.php");
@@ -716,7 +713,7 @@ public function initXML()
 */
 public function launchAction($exit = true)
 {
- $action = strtoupper($this->action);
+ $action = htmlspecialchars(strtoupper($this->action), ENT_QUOTES, 'UTF-8');
 /**
 * Debug
@@ -803,9 +800,13 @@ public function import($filename)
 $i++;
 $tab = preg_split('/;/', $string);
 if (strlen(trim($string)) != 0 && !preg_match('/^\{OBJECT_TYPE\}/', $string)) {
- $this->object = trim($tab[0]);
- $this->action = trim($tab[1]);
- $this->variables = trim(substr($string, strlen($tab[0] . ";" . $tab[1] . ";")));
+ $this->object = htmlspecialchars(trim($tab[0]), ENT_QUOTES, 'UTF-8');
+ $this->action = htmlspecialchars(trim($tab[1]), ENT_QUOTES, 'UTF-8');
+ $this->variables = htmlspecialchars(
+ trim(substr($string, strlen($tab[0] . ";" . $tab[1] . ";"))),
+ ENT_QUOTES,
+ 'UTF-8'
+ );
 if ($this->debug == 1) {
 print "Object : " . $this->object . "\n";
 print "Action : " . $this->action . "\n";
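Review bot: HTML-entity encoding `$this->action` on the new `$action = htmlspecialchars(strtoupper($this->action), ENT_QUOTES, 'UTF-8');` line in launchAction does not address an HTML-context injection, because `$action` is an upper-cased dispatch key (the rest of launchAction, outside the hunk, presumably compares it against action names) rather than text rendered into a page: valid names pass through unchanged and a name containing `&`, `<`, `>`, `"` or `'` becomes entity text that matches nothing. Without `ENT_SUBSTITUTE`, `htmlspecialchars()` also returns `''` for input that is not valid UTF-8, so a malformed action silently becomes an empty string instead of an explicit error. If the intent is to reject unexpected characters in an action name, a whitelist such as `if (!preg_match('/^[A-Z_]+$/', $action)) { /* raise the CLAPI error the class already uses */ }` (adjusted to the real action vocabulary) states what is allowed, and HTML escaping belongs at the web rendering sink. The identical line is added to launchActionForImport in the `@@ -830,7 +831,7` hunk.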
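Review bot: Applying `htmlspecialchars` to `$this->object`, `$this->action` and `$this->variables` as they are parsed in import() encodes the data instead of escaping an output: the only consumer visible in the hunk is the debug `print` to the terminal, and the command these fields feed presumably writes them to configuration or the database, so a value containing `&` or a quote is persisted as `&amp;`/`&quot;` and a later escape at the web layer double-encodes it. Unless storing HTML-encoded values is a deliberate project convention, keep the parsed fields raw and escape where they are rendered. Independently, with `ENT_QUOTES` alone `htmlspecialchars()` returns `''` for any byte sequence that is not valid UTF-8, so a single Latin-1 byte in an import line silently empties that command's object, action or parameters rather than failing; at minimum use `ENT_QUOTES | ENT_SUBSTITUTE`, e.g. `$this->object = htmlspecialchars(trim($tab[0]), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, or validate the file encoding up front and report bad lines. The enclosing loop in import() starts before and ends after this hunk.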
@@ -830,7 +831,7 @@ public function import($filename)
 public function launchActionForImport()
 {
- $action = strtoupper($this->action);
+ $action = htmlspecialchars(strtoupper($this->action), ENT_QUOTES, 'UTF-8');
 /**
 * Debug
 */
From 3e35e235dffb1f3ce35bfb0d5ae3721b58f79e64 Mon Sep 17 00:00:00 2001
From: YAHIAOUI Hamza
Date: Fri, 21 Oct 2022 01:52:26 +0100
Subject: [PATCH 2/3] restoring removed imports
---
 www/class/centreon-clapi/centreonAPI.class.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/www/class/centreon-clapi/centreonAPI.class.php b/www/class/centreon-clapi/centreonAPI.class.php
index e7ca72f45c8..172af019023 100644
--- a/www/class/centreon-clapi/centreonAPI.class.php
+++ b/www/class/centreon-clapi/centreonAPI.class.php
@@ -36,6 +36,9 @@ namespace CentreonClapi;
+use Security\Domain\Authentication\Exceptions\ProviderException;
+use Security\Domain\Authentication\Model\LocalProvider;
+
 require_once _CENTREON_PATH_ . "www/class/centreon-clapi/centreonExported.class.php";
 require_once realpath(dirname(__FILE__) . "/../centreonDB.class.php");
 require_once realpath(dirname(__FILE__) . "/../centreonXML.class.php");
From 330a68e2c95afbdb4335ea8dfc3d935fcc1b3f66 Mon Sep 17 00:00:00 2001
From: YAHIAOUI Hamza
Date: Fri, 21 Oct 2022 09:35:41 +0100
Subject: [PATCH 3/3] fix spacing
---
 www/class/centreon-clapi/centreonAPI.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/www/class/centreon-clapi/centreonAPI.class.php b/www/class/centreon-clapi/centreonAPI.class.php
index 172af019023..24f404eba8c 100644
--- a/www/class/centreon-clapi/centreonAPI.class.php
+++ b/www/class/centreon-clapi/centreonAPI.class.php
@@ -716,7 +716,7 @@ public function initXML()
 */
 public function launchAction($exit = true)
 {
- $action = htmlspecialchars(strtoupper($this->action), ENT_QUOTES, 'UTF-8');
+ $action = htmlspecialchars(strtoupper($this->action), ENT_QUOTES, 'UTF-8');
 /**
 * Debug
@@ -834,7 +834,7 @@ public function import($filename)
 public function launchActionForImport()
 {
- $action = htmlspecialchars(strtoupper($this->action), ENT_QUOTES, 'UTF-8');
+ $action = htmlspecialchars(strtoupper($this->action), ENT_QUOTES, 'UTF-8');
 /**
 * Debug
 */