hardening: prepared statements, PHP 7.4 idioms, and security fixes#65
hardening: prepared statements, PHP 7.4 idioms, and security fixes#65somethingwithproof wants to merge 5 commits intoCacti:developfrom
Conversation
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
… equivalents Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
There was a problem hiding this comment.
Pull request overview
This PR consolidates several security-hardening refactors across the WebSeer plugin, focusing on safer SQL construction, modernized PHP idioms, and reduced deserialization risk.
Changes:
- Escapes user-provided regex filter input in
list_urls()and refactors related SQL string building. - Updates form variable injection to use null coalescing in proxy edit flow.
- Hardens
unserialize()calls and converts contact upserts to prepared statements.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
webseer.php |
Escapes rfilter and refactors RLIKE filter SQL assembly in URL listing. |
webseer_proxies.php |
Uses null coalescing when passing optional $proxy data into inject_form_variables(). |
includes/functions.php |
Disables class instantiation during unserialize and switches contact lookup/upsert to prepared statements. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| 'display_name RLIKE ' . $rfilter . ' OR ' . | ||
| 'url RLIKE ' . $rfilter . ' OR ' . | ||
| 'search RLIKE ' . $rfilter . ' OR ' . | ||
| 'search_maint RLIKE ' . $rfilter . ' OR ' . | ||
| 'search_failed RLIKE ' . $rfilter; |
There was a problem hiding this comment.
The RLIKE predicates are concatenated with ORs without parentheses. When $sql_where already contains an AND clause (e.g., from $statefilter), SQL operator precedence will make the filter behave like "(statefilter AND display_name RLIKE ...) OR url RLIKE ...", which can return rows outside the intended state filter. Wrap the OR-ed RLIKE block in parentheses before appending it with AND/WHERE.
| 'display_name RLIKE ' . $rfilter . ' OR ' . | |
| 'url RLIKE ' . $rfilter . ' OR ' . | |
| 'search RLIKE ' . $rfilter . ' OR ' . | |
| 'search_maint RLIKE ' . $rfilter . ' OR ' . | |
| 'search_failed RLIKE ' . $rfilter; | |
| '(display_name RLIKE ' . $rfilter . ' OR ' . | |
| 'url RLIKE ' . $rfilter . ' OR ' . | |
| 'search RLIKE ' . $rfilter . ' OR ' . | |
| 'search_maint RLIKE ' . $rfilter . ' OR ' . | |
| 'search_failed RLIKE ' . $rfilter . ')'; |
There was a problem hiding this comment.
Valid. Pre-existing issue. Will add parentheses in a follow-up.
| $rfilter = db_qstr(get_request_var('rfilter')); | ||
| $sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . | ||
| 'display_name RLIKE ' . $rfilter . ' OR ' . |
There was a problem hiding this comment.
The PR description/title emphasize prepared statements, but this query still injects the request value into SQL via manual quoting (db_qstr) and string concatenation. Consider switching this block to use db_fetch_assoc_prepared/db_fetch_cell_prepared with a bound parameter for the RLIKE pattern (and an accompanying $sql_params array) to align with the stated hardening approach.
There was a problem hiding this comment.
Pre-existing pattern. The PR scope is the PHP 7.4 compat change in UrlValidator.php. SQL hardening is tracked separately.
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
somethingwithproof
force-pushed
the
hardening/comprehensive
branch
from
7bef544 to
2c90d56
Compare
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Consolidated hardening PR:
3 files changed, 19 insertions(+), 12 deletions(-)
All changes are mechanical transforms with zero behavioral impact. PHP 7.4+ compatible.