Attached is a bunch of variable sanitation checking. It isn't done, but I wanted to throw it out for comments before I go too far down some hole and can't dig myself out.
This is not a patch, since there are only two "include_once" lines (in
index.php and graph.php) for existing files. The rest of the patch
would be to add this file. Just imagine that this file gets run
after conf.php is sourced, but before get_context.php is read.
The idea is to take $_GET (and later $_COOKIE), and check to make sure
that their contents have valid information. Invalid information is
*discarded*, and cannot be used by the rest of the code. Thus, if
$_GET['st'] has bogus data (non-integral data, to be precise), then it
is deleted from the array. This is pretty harsh, but should make
problems obvious very quickly.
There are two main sections to the code. The first is the large array
near the top of the file. This defines what parameters we care about,
and how they should be used. Anything not in this array, or that doesn't
match the datatype requested, will be discarded. Any new parameters
that are added (for example, to indicate which metric groups should
be "collapsed") should be added to this array.
The second part is the foreach{} loop at the end. It runs through all
variables in $_GET (and later, $_COOKIE, etc), and checks if we care
about it at all (e.g. it is in the large array I just mentioned).
Keys that we want, and that are valid, will be kept, but everything else
will be pitched.
As I said, it isn't done yet, although it is basically functional.
I'm looking for general comments, not specific bug reports yet.
So, comments and suggestions welcome.
--
Jesse Becker
GPG Fingerprint -- BD00 7AA4 4483 AFCC 82D0 2720 0083 0931 9A2B 06A2
sanitize.php
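An added illustration of the allow-list-and-discard scheme the post describes (this is not the attached sanitize.php and not Ganglia code): a rules array decides which request keys are accepted and what shape each must have, and a foreach loop unsets everything else. Only the 'st' parameter is taken from the post; the other parameter names, the rule types and the sample request are assumptions made for the example.

```php
<?php
// Example of the sanitation approach described in the post. Not the attached
// sanitize.php; every parameter name except 'st' is hypothetical.

// Which request parameters we care about and what each must look like.
// Anything not listed here is dropped from the request array.
$sanitize_rules = array(
    'st' => array('type' => 'int'),                                   // from the post: integral only
    'r'  => array('type' => 'enum', 'values' => array('hour', 'day', 'week')),    // hypothetical
    'c'  => array('type' => 'regex', 'pattern' => '/^[A-Za-z0-9_.\- ]{1,64}$/'), // hypothetical
);

// Returns true when $value satisfies $rule, false otherwise.
function sanitize_value_ok($value, array $rule)
{
    if (!is_string($value)) {           // arrays (e.g. ?st[]=1) are never accepted
        return false;
    }
    switch ($rule['type']) {
        case 'int':
            return preg_match('/^-?[0-9]+$/', $value) === 1;
        case 'enum':
            return in_array($value, $rule['values'], true);
        case 'regex':
            return preg_match($rule['pattern'], $value) === 1;
        default:
            return false;               // unknown rule type: fail closed
    }
}

// Walks $input (e.g. $_GET) and unsets every key that is unknown or invalid,
// so the rest of the code can never see it. Returns the discarded keys so
// the caller can log them and make problems obvious quickly.
function sanitize_array(array &$input, array $rules)
{
    $dropped = array();
    foreach ($input as $key => $value) {
        if (!isset($rules[$key]) || !sanitize_value_ok($value, $rules[$key])) {
            unset($input[$key]);
            $dropped[] = $key;
        }
    }
    return $dropped;
}

// Constructed sample request standing in for a real $_GET.
$_GET = array('st' => '12abc', 'r' => 'day', 'c' => 'cluster one', 'bogus' => '<x>');
$dropped = sanitize_array($_GET, $sanitize_rules);
error_log('sanitize: dropped ' . implode(',', $dropped));
```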
