diff --git a/.gitignore b/.gitignore
index f3d8733..7a6c551 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,4 @@
locales/po/*.mo
vendor/
+.omc/
diff --git a/db_functions.php b/db_functions.php
index dac37e2..1cfdb35 100644
--- a/db_functions.php
+++ b/db_functions.php
@@ -1,6 +1,7 @@
' . PHP_EOL;
- print '' . PHP_EOL;
+ print '' . PHP_EOL;
print '';
}
@@ -548,23 +549,23 @@ function monitorRenderGroupingDropdowns(array $classes, array $criticalities, ar
*/
function monitorRenderHiddenFilterInputs(): void {
if (get_request_var('grouping') != 'tree') {
- print '
| ' . PHP_EOL;
+ print ' | ' . PHP_EOL;
}
if (get_request_var('grouping') != 'site') {
- print ' | ' . PHP_EOL;
+ print ' | ' . PHP_EOL;
}
if (get_request_var('grouping') != 'template') {
- print ' | ' . PHP_EOL;
+ print ' | ' . PHP_EOL;
}
if (get_request_var('view') == 'list') {
- print ' | ' . PHP_EOL;
+ print ' | ' . PHP_EOL;
}
if (get_request_var('view') != 'default') {
- print ' | ' . PHP_EOL;
+ print ' | ' . PHP_EOL;
}
}
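Review bot: The values written into these hidden inputs are now routed through html_escape() — the HTML inside the print strings has been stripped in this rendering, so the wrapping is inferred from the companion tests rather than visible on the lines themselves. Since each value lands inside a double-quoted value="..." attribute, html_escape() is only a complete fix if it encodes the double quote as well as <, > and & (htmlspecialchars() with ENT_QUOTES); please confirm that and record the contract above the first print: `// Each value is echoed inside value="..."; html_escape() must encode quotes (ENT_QUOTES), not just <, >, &.` The `grouping` and `view` values read on the if lines are only compared, never echoed, so they need no escaping here. The function's docblock begins outside the hunk.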
diff --git a/monitor_render.php b/monitor_render.php
index 98c706d..c4ab2a4 100644
--- a/monitor_render.php
+++ b/monitor_render.php
@@ -1,6 +1,7 @@
0) {
- $nav = html_nav_bar('monitor.php?rfilter=' . get_request_var('rfilter'), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 12, __('Devices'), 'page', 'main');
+ $nav = html_nav_bar('monitor.php?rfilter=' . rawurlencode(get_request_var('rfilter')), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 12, __('Devices'), 'page', 'main');
print $nav;
}
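Review bot: rawurlencode() is the right encoding for the rfilter value in a query string, and because it also percent-encodes `"`, `<` and `&`, the resulting href stays safe even if html_nav_bar() inserts the URL into the page without escaping of its own. One caveat: rawurlencode() takes a string, so if get_request_var('rfilter') can yield null or an array for some request shapes this call will warn (PHP 8.1+ null deprecation) or throw; unless the request validation already guarantees a string, coerce it with `rawurlencode((string) get_request_var('rfilter'))`. This hunk only fixes the link; if the same raw rfilter value is consumed elsewhere on the page (the name suggests a regex filter), that use is not covered here. The enclosing if block opens outside the hunk.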
diff --git a/poller_functions.php b/poller_functions.php
index ddb8568..76b8d85 100644
--- a/poller_functions.php
+++ b/poller_functions.php
@@ -1,6 +1,7 @@
array(
+ "html_escape(get_request_var('downhosts'))",
+ "html_escape(get_request_var('mute'))",
+ "html_escape(get_request_var('tree'))",
+ "html_escape(get_request_var('site'))",
+ "html_escape(get_request_var('template'))",
+ "html_escape(get_request_var('size'))",
+ "html_escape(get_request_var('trim'))",
+ ),
+ __DIR__ . '/../../monitor_render.php' => array(
+ "rawurlencode(get_request_var('rfilter'))",
+ ),
+);
+
+foreach ($checks as $path => $patterns) {
+ $contents = file_get_contents($path);
+
+ if ($contents === false) {
+ fwrite(STDERR, "Unable to read {$path}\n");
+ exit(1);
+ }
+
+ foreach ($patterns as $pattern) {
+ if (strpos($contents, $pattern) === false) {
+ fwrite(STDERR, "Missing expected output hardening: {$pattern}\n");
+ exit(1);
+ }
+ }
+}
+
+print "OK\n";
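Review bot: The failure message on the strpos miss names only the pattern, not the file, so a failure on the second entry reads the same as one on the first; use `fwrite(STDERR, "Missing expected output hardening in {$path}: {$pattern}\n");`. The hunk header labels this as poller_functions.php, but the content is a standalone test script in the same shape as the tests/e2e file that follows, so a file header appears to have been lost in this rendering. Note also that a substring check only proves html_escape() appears somewhere in the file; it does not prove every printed occurrence is wrapped, which is what the sibling no-raw-request-reuse test covers, so the two checks are only meaningful together. The `$checks =` assignment this array belongs to begins outside the hunk.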
diff --git a/tests/e2e/test_monitor_no_raw_request_reuse.php b/tests/e2e/test_monitor_no_raw_request_reuse.php
new file mode 100644
index 0000000..f9c7ce6
--- /dev/null
+++ b/tests/e2e/test_monitor_no_raw_request_reuse.php
@@ -0,0 +1,40 @@
+ array(
+ "get_request_var('downhosts') . '\">'",
+ "get_request_var('site') . '\">'",
+ "get_request_var('template') . '\">'",
+ "get_request_var('size') . '\">'",
+ "get_request_var('trim') . '\">'",
+ ),
+ __DIR__ . '/../../monitor_render.php' => array(
+ "monitor.php?rfilter=' . get_request_var('rfilter')",
+ ),
+);
+
+foreach ($checks as $path => $patterns) {
+ $contents = file_get_contents($path);
+
+ if ($contents === false) {
+ fwrite(STDERR, "Unable to read {$path}\n");
+ exit(1);
+ }
+
+ foreach ($patterns as $pattern) {
+ if (strpos($contents, $pattern) !== false) {
+ fwrite(STDERR, "Raw request reuse remains: {$pattern}\n");
+ exit(1);
+ }
+ }
+}
+
+print "OK\n";
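Review bot: The negative patterns in the first array omit `mute` and `tree`, both of which the positive hardening test expects to be wrapped in html_escape(), so a regression that reintroduces raw `get_request_var('tree') . '">'` or the mute equivalent would pass this test; add `"get_request_var('tree') . '\">'",` and `"get_request_var('mute') . '\">'",` to that array (its file key is cut off above the hunk, presumably the db_functions.php entry). Because the check is an exact substring, a re-spelling of the same defect — double quotes, extra whitespace, a newly added parameter — also slips through; a single `preg_match()` on `get_request_var\('[^']+'\)\s*\.\s*'">'` would catch any request parameter concatenated straight into an attribute, at the cost of a less specific failure message. The `$checks =` assignment this array belongs to begins outside the hunk.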
diff --git a/tests/unit/test_request_output_escaping.php b/tests/unit/test_request_output_escaping.php
new file mode 100644
index 0000000..af07b0a
--- /dev/null
+++ b/tests/unit/test_request_output_escaping.php
@@ -0,0 +1,19 @@
+