fix(security): comprehensive bug and security cleanup

somethingwithproof · somethingwithproof · commit da6d22edcfd4 · 2026-04-09T13:49:04.000-07:00
- CRITICAL: prevent syslog_reports table DROP on upgrade (#300) - HIGH: parameterize domain stripping SQL (#261) - HIGH: wrap RLIKE filter values with db_qstr in syslog.php - MEDIUM: add CSV formula injection protection in exports (#256) - MEDIUM: sanitize DOM insertions with DOMPurify - LOW: parameterize admin CRUD delete/enable/disable (#252) - LOW: fix DST partition boundary using strtotime (#199) Closes #199, #252, #256, #259, #260, #261, #300 Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
diff --git a/functions.php b/functions.php
@@ -307,7 +307,7 @@ function syslog_partition_create($table) {
 		/* determine the format of the table name */
 		$time    = time();
 		$cformat = 'd' . date('Ymd', $time);
-		$lnow    = date('Y-m-d', $time+86400);
+		$lnow    = date('Y-m-d', strtotime('+1 day', $time));
 
 		$exists = syslog_db_fetch_row_prepared("SELECT *
 			FROM `information_schema`.`partitions`
@@ -788,12 +788,12 @@ function syslog_export($tab) {
 
 				print
 					'"' .
-					$host                                          . '","' .
-					ucfirst($facility)                             . '","' .
-					ucfirst($priority)                             . '","' .
-					ucfirst($program)                              . '","' .
-					$message['logtime']                            . '","' .
-					$message[$syslog_incoming_config['textField']] . '"'   . "\r\n";
+					syslog_csv_safe($host)                                          . '","' .
+					syslog_csv_safe(ucfirst($facility))                             . '","' .
+					syslog_csv_safe(ucfirst($priority))                             . '","' .
+					syslog_csv_safe(ucfirst($program))                              . '","' .
+					syslog_csv_safe($message['logtime'])                            . '","' .
+					syslog_csv_safe($message[$syslog_incoming_config['textField']]) . '"'   . "\r\n";
 			}
 		}
 	} else {
@@ -815,14 +815,14 @@ function syslog_export($tab) {
 
 				print
 					'"' .
-					$message['name']                  . '","' .
-					$severity                         . '","' .
-					$message['logtime']               . '","' .
-					$message['logmsg']                . '","' .
-					$message['host']                  . '","' .
-					ucfirst($message['facility'])     . '","' .
-					ucfirst($message['priority'])     . '","' .
-					$message['count']                 . '"'   . "\r\n";
+					syslog_csv_safe($message['name'])                  . '","' .
+					syslog_csv_safe($severity)                         . '","' .
+					syslog_csv_safe($message['logtime'])               . '","' .
+					syslog_csv_safe($message['logmsg'])                . '","' .
+					syslog_csv_safe($message['host'])                  . '","' .
+					syslog_csv_safe(ucfirst($message['facility']))     . '","' .
+					syslog_csv_safe(ucfirst($message['priority']))     . '","' .
+					syslog_csv_safe($message['count'])                 . '"'   . "\r\n";
 			}
 		}
 	}
@@ -2050,6 +2050,31 @@ function syslog_postprocess_tables() {
 	}
 }
 
+/**
+ * syslog_csv_safe - Escapes a value for safe inclusion in a CSV field.
+ *
+ * Prevents formula injection by prefixing cells that start with a trigger
+ * character, and escapes embedded double-quotes per RFC 4180.
+ *
+ * @param  (mixed) $value  The value to sanitize
+ *
+ * @return (string) The sanitized string
+ */
+function syslog_csv_safe($value) {
+	if ($value === null || $value === '') {
+		return '';
+	}
+
+	$value = (string) $value;
+	$value = str_replace('"', '""', $value);
+
+	if (preg_match('/^[=+\-@\t\r]/', $value)) {
+		$value = "'" . $value;
+	}
+
+	return $value;
+}
+
 /**
  * syslog_process_reports - Processes all syslog reports scheduled to run
  *
diff --git a/js/functions.js b/js/functions.js
@@ -227,7 +227,7 @@ function initSyslogMain(config) {
 
 							$.each(data, function(index, hostData) {
 								if ($('#host option[value="'+index+'"]').length == 0) {
-									$('#host').append('<option class="'+hostData.class+'" value="'+index+'">'+hostData.host+'</option>');
+									$('#host').append('<option class="'+DOMPurify.sanitize(hostData.class)+'" value="'+DOMPurify.sanitize(index)+'">'+DOMPurify.sanitize(hostData.host)+'</option>');
 								}
 							});
 
diff --git a/setup.php b/setup.php
@@ -626,7 +626,7 @@ function syslog_setup_table_new($options) {
 		$newreport = true;
 	}
 
-	if ($truncate || !$newreport) {
+	if ($truncate) {
 		syslog_db_execute("DROP TABLE IF EXISTS `" . $syslogdb_default . "`.`syslog_reports`");
 	}
 
diff --git a/syslog.php b/syslog.php
@@ -393,8 +393,8 @@ function get_stats_records(&$sql_where, &$sql_groupby, $rows) {
 	/* form the 'where' clause for our main sql query */
 	if (!isempty_request_var('rfilter')) {
 		$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') .
-			"sh.host RLIKE '"       . get_request_var('rfilter') . "'
-			OR spr.program RLIKE '" . get_request_var('rfilter') . "'";
+			"sh.host RLIKE "       . db_qstr(get_request_var('rfilter')) . "
+			OR spr.program RLIKE " . db_qstr(get_request_var('rfilter'));
 	}
 
 	if (get_request_var('host') == '-2') {
@@ -910,9 +910,9 @@ function get_syslog_messages(&$sql_where, $rows, $tab) {
 
 	if (!isempty_request_var('rfilter')) {
 		if ($tab == 'syslog') {
-			$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . "message RLIKE '" . get_request_var('rfilter') . "'";
+			$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . "message RLIKE " . db_qstr(get_request_var('rfilter'));
 		} else {
-			$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . "logmsg RLIKE '" . get_request_var('rfilter') . "'";
+			$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . "logmsg RLIKE " . db_qstr(get_request_var('rfilter'));
 		}
 	}
 
diff --git a/syslog_alerts.php b/syslog_alerts.php
@@ -321,17 +321,17 @@ function api_syslog_alert_save($id, $name, $method, $level, $num, $type, $messag
 
 function api_syslog_alert_remove($id) {
 	global $syslogdb_default;
-	syslog_db_execute("DELETE FROM `" . $syslogdb_default . "`.`syslog_alert` WHERE id='" . $id . "'");
+	syslog_db_execute_prepared("DELETE FROM `" . $syslogdb_default . "`.`syslog_alert` WHERE id = ?", array(intval($id)));
 }
 
 function api_syslog_alert_disable($id) {
 	global $syslogdb_default;
-	syslog_db_execute("UPDATE `" . $syslogdb_default . "`.`syslog_alert` SET enabled='' WHERE id='" . $id . "'");
+	syslog_db_execute_prepared("UPDATE `" . $syslogdb_default . "`.`syslog_alert` SET enabled='' WHERE id = ?", array(intval($id)));
 }
 
 function api_syslog_alert_enable($id) {
 	global $syslogdb_default;
-	syslog_db_execute("UPDATE `" . $syslogdb_default . "`.`syslog_alert` SET enabled='on' WHERE id='" . $id . "'");
+	syslog_db_execute_prepared("UPDATE `" . $syslogdb_default . "`.`syslog_alert` SET enabled='on' WHERE id = ?", array(intval($id)));
 }
 
 /* ---------------------
diff --git a/syslog_removal.php b/syslog_removal.php
@@ -306,17 +306,17 @@ function api_syslog_removal_save($id, $name, $type, $message, $rmethod, $notes,
 
 function api_syslog_removal_remove($id) {
 	global $syslogdb_default;
-	syslog_db_execute("DELETE FROM `" . $syslogdb_default . "`.`syslog_remove` WHERE id='" . $id . "'");
+	syslog_db_execute_prepared("DELETE FROM `" . $syslogdb_default . "`.`syslog_remove` WHERE id = ?", array(intval($id)));
 }
 
 function api_syslog_removal_disable($id) {
 	global $syslogdb_default;
-	syslog_db_execute("UPDATE `" . $syslogdb_default . "`.`syslog_remove` SET enabled='' WHERE id='" . $id . "'");
+	syslog_db_execute_prepared("UPDATE `" . $syslogdb_default . "`.`syslog_remove` SET enabled='' WHERE id = ?", array(intval($id)));
 }
 
 function api_syslog_removal_enable($id) {
 	global $syslogdb_default;
-	syslog_db_execute("UPDATE `" . $syslogdb_default . "`.`syslog_remove` SET enabled='on' WHERE id='" . $id . "'");
+	syslog_db_execute_prepared("UPDATE `" . $syslogdb_default . "`.`syslog_remove` SET enabled='on' WHERE id = ?", array(intval($id)));
 }
 
 function api_syslog_removal_reprocess($id) {
diff --git a/syslog_reports.php b/syslog_reports.php
@@ -315,17 +315,17 @@ function api_syslog_report_save($id, $name, $type, $message, $timespan, $timepar
 
 function api_syslog_report_remove($id) {
 	global $syslogdb_default;
-	syslog_db_execute('DELETE FROM `' . $syslogdb_default . '`.`syslog_reports` WHERE id=' . $id);
+	syslog_db_execute_prepared('DELETE FROM `' . $syslogdb_default . '`.`syslog_reports` WHERE id = ?', array(intval($id)));
 }
 
 function api_syslog_report_disable($id) {
 	global $syslogdb_default;
-	syslog_db_execute('UPDATE `' . $syslogdb_default . "`.`syslog_reports` SET enabled='' WHERE id=" . $id);
+	syslog_db_execute_prepared('UPDATE `' . $syslogdb_default . "`.`syslog_reports` SET enabled='' WHERE id = ?", array(intval($id)));
 }
 
 function api_syslog_report_enable($id) {
 	global $syslogdb_default;
-	syslog_db_execute('UPDATE `' . $syslogdb_default . "`.`syslog_reports` SET enabled='on' WHERE id=" . $id);
+	syslog_db_execute_prepared('UPDATE `' . $syslogdb_default . "`.`syslog_reports` SET enabled='on' WHERE id = ?", array(intval($id)));
 }
 
 /* ---------------------

Original file line number	Diff line number	Diff line change
`@@ -227,7 +227,7 @@ function initSyslogMain(config) {`
`227`	`227`
`228`	`228`	`$.each(data, function(index, hostData) {`
`229`	`229`	`if ($('#host option[value="'+index+'"]').length == 0) {`
`230`		`- $('#host').append('<option class="'+hostData.class+'" value="'+index+'">'+hostData.host+'</option>');`
	`230`	`+ $('#host').append('<option class="'+DOMPurify.sanitize(hostData.class)+'" value="'+DOMPurify.sanitize(index)+'">'+DOMPurify.sanitize(hostData.host)+'</option>');`
`231`	`231`	`}`
`232`	`232`	`});`
`233`	`233`
Original file line number	Diff line number	Diff line change
`@@ -626,7 +626,7 @@ function syslog_setup_table_new($options) {`
`626`	`626`	`$newreport = true;`
`627`	`627`	`}`
`628`	`628`
`629`		`- if ($truncate \|\| !$newreport) {`
	`629`	`+ if ($truncate) {`
`630`	`630`	syslog_db_execute("DROP TABLE IF EXISTS `" . $syslogdb_default . "`.`syslog_reports`");
`631`	`631`	`}`
`632`	`632`
Original file line number	Diff line number	Diff line change
`@@ -393,8 +393,8 @@ function get_stats_records(&$sql_where, &$sql_groupby, $rows) {`
`393`	`393`	`/* form the 'where' clause for our main sql query */`
`394`	`394`	`if (!isempty_request_var('rfilter')) {`
`395`	`395`	`$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') .`
`396`		`- "sh.host RLIKE '" . get_request_var('rfilter') . "'`
`397`		`- OR spr.program RLIKE '" . get_request_var('rfilter') . "'";`
	`396`	`+ "sh.host RLIKE " . db_qstr(get_request_var('rfilter')) . "`
	`397`	`+ OR spr.program RLIKE " . db_qstr(get_request_var('rfilter'));`
`398`	`398`	`}`
`399`	`399`
`400`	`400`	`if (get_request_var('host') == '-2') {`
`@@ -910,9 +910,9 @@ function get_syslog_messages(&$sql_where, $rows, $tab) {`
`910`	`910`
`911`	`911`	`if (!isempty_request_var('rfilter')) {`
`912`	`912`	`if ($tab == 'syslog') {`
`913`		`- $sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . "message RLIKE '" . get_request_var('rfilter') . "'";`
	`913`	`+ $sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . "message RLIKE " . db_qstr(get_request_var('rfilter'));`
`914`	`914`	`} else {`
`915`		`- $sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . "logmsg RLIKE '" . get_request_var('rfilter') . "'";`
	`915`	`+ $sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . "logmsg RLIKE " . db_qstr(get_request_var('rfilter'));`
`916`	`916`	`}`
`917`	`917`	`}`
`918`	`918`
Original file line number	Diff line number	Diff line change
`@@ -321,17 +321,17 @@ function api_syslog_alert_save($id, $name, $method, $level, $num, $type, $messag`
`321`	`321`
`322`	`322`	`function api_syslog_alert_remove($id) {`
`323`	`323`	`global $syslogdb_default;`
`324`		- syslog_db_execute("DELETE FROM `" . $syslogdb_default . "`.`syslog_alert` WHERE id='" . $id . "'");
	`324`	+ syslog_db_execute_prepared("DELETE FROM `" . $syslogdb_default . "`.`syslog_alert` WHERE id = ?", array(intval($id)));
`325`	`325`	`}`
`326`	`326`
`327`	`327`	`function api_syslog_alert_disable($id) {`
`328`	`328`	`global $syslogdb_default;`
`329`		- syslog_db_execute("UPDATE `" . $syslogdb_default . "`.`syslog_alert` SET enabled='' WHERE id='" . $id . "'");
	`329`	+ syslog_db_execute_prepared("UPDATE `" . $syslogdb_default . "`.`syslog_alert` SET enabled='' WHERE id = ?", array(intval($id)));
`330`	`330`	`}`
`331`	`331`
`332`	`332`	`function api_syslog_alert_enable($id) {`
`333`	`333`	`global $syslogdb_default;`
`334`		- syslog_db_execute("UPDATE `" . $syslogdb_default . "`.`syslog_alert` SET enabled='on' WHERE id='" . $id . "'");
	`334`	+ syslog_db_execute_prepared("UPDATE `" . $syslogdb_default . "`.`syslog_alert` SET enabled='on' WHERE id = ?", array(intval($id)));
`335`	`335`	`}`
`336`	`336`
`337`	`337`	`/* ---------------------`
Original file line number	Diff line number	Diff line change
`@@ -306,17 +306,17 @@ function api_syslog_removal_save($id, $name, $type, $message, $rmethod, $notes,`
`306`	`306`
`307`	`307`	`function api_syslog_removal_remove($id) {`
`308`	`308`	`global $syslogdb_default;`
`309`		- syslog_db_execute("DELETE FROM `" . $syslogdb_default . "`.`syslog_remove` WHERE id='" . $id . "'");
	`309`	+ syslog_db_execute_prepared("DELETE FROM `" . $syslogdb_default . "`.`syslog_remove` WHERE id = ?", array(intval($id)));
`310`	`310`	`}`
`311`	`311`
`312`	`312`	`function api_syslog_removal_disable($id) {`
`313`	`313`	`global $syslogdb_default;`
`314`		- syslog_db_execute("UPDATE `" . $syslogdb_default . "`.`syslog_remove` SET enabled='' WHERE id='" . $id . "'");
	`314`	+ syslog_db_execute_prepared("UPDATE `" . $syslogdb_default . "`.`syslog_remove` SET enabled='' WHERE id = ?", array(intval($id)));
`315`	`315`	`}`
`316`	`316`
`317`	`317`	`function api_syslog_removal_enable($id) {`
`318`	`318`	`global $syslogdb_default;`
`319`		- syslog_db_execute("UPDATE `" . $syslogdb_default . "`.`syslog_remove` SET enabled='on' WHERE id='" . $id . "'");
	`319`	+ syslog_db_execute_prepared("UPDATE `" . $syslogdb_default . "`.`syslog_remove` SET enabled='on' WHERE id = ?", array(intval($id)));
`320`	`320`	`}`
`321`	`321`
`322`	`322`	`function api_syslog_removal_reprocess($id) {`
Original file line number	Diff line number	Diff line change
`@@ -315,17 +315,17 @@ function api_syslog_report_save($id, $name, $type, $message, $timespan, $timepar`
`315`	`315`
`316`	`316`	`function api_syslog_report_remove($id) {`
`317`	`317`	`global $syslogdb_default;`
`318`		- syslog_db_execute('DELETE FROM `' . $syslogdb_default . '`.`syslog_reports` WHERE id=' . $id);
	`318`	+ syslog_db_execute_prepared('DELETE FROM `' . $syslogdb_default . '`.`syslog_reports` WHERE id = ?', array(intval($id)));
`319`	`319`	`}`
`320`	`320`
`321`	`321`	`function api_syslog_report_disable($id) {`
`322`	`322`	`global $syslogdb_default;`
`323`		- syslog_db_execute('UPDATE `' . $syslogdb_default . "`.`syslog_reports` SET enabled='' WHERE id=" . $id);
	`323`	+ syslog_db_execute_prepared('UPDATE `' . $syslogdb_default . "`.`syslog_reports` SET enabled='' WHERE id = ?", array(intval($id)));
`324`	`324`	`}`
`325`	`325`
`326`	`326`	`function api_syslog_report_enable($id) {`
`327`	`327`	`global $syslogdb_default;`
`328`		- syslog_db_execute('UPDATE `' . $syslogdb_default . "`.`syslog_reports` SET enabled='on' WHERE id=" . $id);
	`328`	+ syslog_db_execute_prepared('UPDATE `' . $syslogdb_default . "`.`syslog_reports` SET enabled='on' WHERE id = ?", array(intval($id)));
`329`	`329`	`}`
`330`	`330`
`331`	`331`	`/* ---------------------`