Multiple Fixes: Range Pruning, Callback Execution, Early Rotation, CSV Export Hardening, Prepared Statements, SQL Readability#313
Merged
TheWitness merged 11 commits intodevelopfrom Apr 10, 2026
Conversation
* Fix partitioning so that it happens an hour before the rotation * Fix CSV Export to be secure using built-in function
Also missed a few prepared statements.
* Properly execute the syslog callback without using eval * Use a timestamp to improve the quality of range partition pruning * Better formatting on UNION queries
TheWitness
requested review from
bmfmancini,
Copilot,
somethingwithproof and
xmacan
TheWitness
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR targets the Cacti Syslog plugin’s data lifecycle and UI hardening: improving partition rotation behavior (incl. DST edge cases), securing CSV exports, and hardening client-side callback execution.
Changes:
- Adjusts partition creation timing/logic and updates schema partitioning to use
UNIX_TIMESTAMP(logtime)(with UTC-based date calculations). - Reworks CSV export to use
fputcsv()for proper CSV escaping. - Removes
eval()-based autocomplete callbacks and adds a string-based function dispatcher; adds additional HTML escaping in UI outputs.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
setup.php |
Changes partitioned syslog table definition to partition by UNIX_TIMESTAMP(logtime) and tweaks table DDL quoting. |
functions.php |
Updates partition management timing/signatures; switches export output to fputcsv(); converts many SQL strings to interpolated backtick form and more prepared statements. |
syslog.php |
Updates various SQL strings to interpolated backtick form and adds HTML escaping in select options; refactors some query formatting. |
syslog_reports.php |
Moves report enable/disable/remove operations to prepared statements; SQL quoting adjustments. |
syslog_removal.php |
SQL quoting adjustments for removal rule queries. |
syslog_alerts.php |
Fixes alert enable query to use syslog_db_execute_prepared; SQL quoting adjustments. |
js/functions.js |
Replaces eval() with a function-by-name executor; attempts to sanitize host dropdown option rendering. |
xmacan
previously approved these changes
Apr 10, 2026
6 tasks
xmacan
previously approved these changes
Apr 10, 2026
xmacan
approved these changes
Apr 10, 2026
xmacan
approved these changes
Apr 10, 2026
This was referenced Apr 10, 2026
somethingwithproof
added a commit
to somethingwithproof/plugin_syslog
that referenced
this pull request
Apr 10, 2026
Follow-up to Cacti#313. Addresses eight correctness and hardening findings: - Partition boundary math is now computed as integer epochs in PHP (next UTC midnight) and injected as numeric literals. strtotime() and UNIX_TIMESTAMP('date-literal') both pulled the PHP/MySQL session TZ into UTC-intended math and caused drift at day boundaries on non-UTC servers. - syslog_partition_create() now hard-fails with an error log instead of silently warning when SHOW CREATE TABLE does not expose either TO_DAYS or UNIX_TIMESTAMP. Silent no-ops caused rotations to stall unnoticed. Rewrote str_contains() to strpos() for portability. - syslog_manage_items() validates $from_table/$to_table against a three-value allowlist before interpolation. Defense-in-depth for the one caller that currently passes safe literals. - Alert, removal, and report rule handlers of type sql are gated on a new 'syslog_allow_sql_rules' setting (off by default). These handlers inline admin-defined SQL into the WHERE clause and cannot be parameterised; the previous removal handler also emitted invalid syntax ("WHERE message (expr)"). Added a Security Settings section to setup.php with a warning description. - CSV export replaces lossy trim($x, ' =+-@') with a syslog_csv_safe() helper that prepends a single quote only when the first character is one of =+-@, TAB, CR. Preserves content verbatim while defusing spreadsheet formula injection per OWASP guidance. - Host autocomplete dropdown builds <option> elements via jQuery's attr()/text() instead of HTML string concatenation wrapped in DOMPurify.sanitize(). DOMPurify does not escape attribute delimiters, so a host containing a double quote could still break out of the class/value attribute. - Autocomplete onChange dispatcher enforces a bare-identifier whitelist and looks the callback up as a direct window[name] property. Rejects dotted paths, arguments, and anything that is not a function, with a console.warn. Server side, the three initSyslogAutocomplete arguments now go through json_encode() instead of single-quote interpolation. - Ported tests/regression/issue254_partition_table_locking_test.php to the new syslog_partition_check/create two-argument signatures and extended it to assert the UTC-midnight boundary arithmetic, the hard-fail on unknown partition expression, and the syslog_manage_items table-name allowlist. Verification: - php -l on every touched file - node -c on js/functions.js - all eight regression tests in tests/regression/ that pass on develop continue to pass; issue254 was restored and passes; three pre-existing failures (issue253, issue269 x2) are unchanged on develop. Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
somethingwithproof
added a commit
to somethingwithproof/plugin_syslog
that referenced
this pull request
Apr 10, 2026
Addresses code review feedback on the PR Cacti#313 follow-up. The boundary epoch calculation ((int)($time / 86400) + 1) * 86400 assumes a non-negative UTC timestamp; non-numeric or pre-epoch values would silently underflow. Reject them at function entry with a logged error and a false return, matching the other guard clauses in the function. Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
This was referenced Apr 10, 2026
bmfmancini
approved these changes
Apr 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #199 #260 #256