hardening: apply db_qstr to syslog_manage_items and add intval guard

- Apply db_qstr() to all raw string concatenation in
  syslog_manage_items() for facility, host, messageb, messagec,
  and messagee removal types, matching the pattern already used
  in syslog_remove_items()
- Add array_map intval cast to $hostarray before IN() clause
  to prevent injection via unvalidated host_id elements
- Add XML validation for import payloads
- Add intval cast to exporter session serialization

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

Author: somethingwithproof

functions.php

@@ -153,11 +153,48 @@ function syslog_apply_selected_items_action($selected_items, $drp_action, $actio
 			/* Re-serialize the sanitized array and URL-encode so the value is
 			 * safe to embed in a JS document.location string (avoids injection
 			 * via the raw request value that $export_items carries). */
-			$_SESSION['exporter'] = rawurlencode(serialize($selected_items));
+			$safe_items = array_map('intval', $selected_items);
+			$_SESSION['exporter'] = rawurlencode(serialize($safe_items));
 		}
 	}
 }
 
+/**
+ * Load and validate the XML import payload from either the textbox or file upload.
+ *
+ * @return string|false  The raw XML string, or false when no input was provided.
+ */
+function syslog_get_import_xml_payload() {
+	$import_text = get_nfilter_request_var('import_text');
+
+	if (trim(get_nfilter_request_var('import_text')) != '') {
+		$xml_data = $import_text;
+	} elseif (isset($_FILES['import_file']['tmp_name']) &&
+		$_FILES['import_file']['tmp_name'] != 'none' &&
+		$_FILES['import_file']['tmp_name'] != '') {
+		$fp = fopen($_FILES['import_file']['tmp_name'], 'r');
+		$xml_data = fread($fp, filesize($_FILES['import_file']['tmp_name']));
+		fclose($fp);
+	} else {
+		return false;
+	}
+
+	/* Validate XML structure before processing */
+	libxml_use_internal_errors(true);
+	$xml_test = simplexml_load_string($xml_data);
+	$xml_errors = libxml_get_errors();
+	libxml_clear_errors();
+	libxml_use_internal_errors(false);
+
+	if ($xml_test === false || !empty($xml_errors)) {
+		raise_message('syslog_import_error', __('ERROR: Import data contains malformed XML.', 'syslog'), MESSAGE_LEVEL_ERROR);
+
+		return false;
+	}
+
+	return $xml_data;
+}
+
 function syslog_is_partitioned() {
 	global $syslogdb_default;
 
@@ -313,7 +350,12 @@ function syslog_partition_remove($table) {
 			$lock_name = hash('sha256', $syslogdb_default . 'syslog_partition_remove.' . $table);
 
 			try {
-				syslog_db_fetch_cell_prepared('SELECT GET_LOCK(?, 10)', array($lock_name));
+				$lock_acquired = syslog_db_fetch_cell_prepared('SELECT GET_LOCK(?, 10)', array($lock_name));
+
+				if ($lock_acquired != 1) {
+					cacti_log("SYSLOG WARNING: Unable to acquire partition lock for removal of table '$table'", false, 'SYSTEM');
+					return $syslog_deleted;
+				}
 
 				$i = 0;
 				while ($user_partitions > $days) {
@@ -382,6 +424,8 @@ function syslog_remove_items($table, $uniqueID) {
 	global $config, $syslog_cnn, $syslog_incoming_config;
 	global $syslogdb_default;
 
+	$uniqueID = (int) $uniqueID;
+
 	syslog_debug('-------------------------------------------------------------------------------------');
 	syslog_debug('Processing Removal Rules...');
 
@@ -790,6 +834,7 @@ function sql_hosts_where($tab) {
 
 	if (!isempty_request_var('host') && get_nfilter_request_var('host') != 'null') {
 		$hostarray = explode(',', trim(get_nfilter_request_var('host')));
+		$hostarray = array_map('intval', $hostarray);
 		if ($hostarray[0] != '0') {
 			foreach($hostarray as $host_id) {
 				input_validate_input_number($host_id);
@@ -1014,12 +1059,12 @@ function syslog_manage_items($from_table, $to_table) {
 					$sql_sel = "SELECT seq FROM `" . $syslogdb_default . "`. $from_table
 						WHERE facility_id IN
 							(SELECT distinct facility_id FROM `". $syslogdb_default . "`syslog_facilities
-							WHERE facility ='". $remove['message']."')";
+							WHERE facility =" . db_qstr($remove['message']) . ")";
 				} else {
 					$sql_dlt = "DELETE FROM `" . $syslogdb_default . "`. $from_table
 						WHERE facility_id IN
 							(SELECT distinct facility_id FROM `". $syslogdb_default . "`syslog_facilities
-							WHERE facility ='". $remove['message']."')";
+							WHERE facility =" . db_qstr($remove['message']) . ")";
 				}
 
 			} elseif ($remove['type'] == 'host') {
@@ -1028,37 +1073,37 @@ function syslog_manage_items($from_table, $to_table) {
 						FROM `" . $syslogdb_default . "`. $from_table
 						WHERE host_id in
 							(SELECT distinct host_id FROM `". $syslogdb_default . "`syslog_hosts
-							WHERE host ='". $remove['message']."')";
+							WHERE host =" . db_qstr($remove['message']) . ")";
 				} else {
 					$sql_dlt = "DELETE FROM `" . $syslogdb_default . "`. $from_table
 						WHERE host_id in
 							(SELECT distinct host_id FROM `". $syslogdb_default . "`syslog_hosts
-							WHERE host ='". $remove['message']."')";
+							WHERE host =" . db_qstr($remove['message']) . ")";
 				}
 			} elseif ($remove['type'] == 'messageb') {
 				if ($remove['method'] != 'del') {
 					$sql_sel = "SELECT seq FROM `" . $syslogdb_default . "`. $from_table
-						WHERE message LIKE '" . $remove['message'] . "%' ";
+						WHERE message LIKE " . db_qstr($remove['message'] . '%');
 				} else {
 					$sql_dlt = "DELETE FROM `" . $syslogdb_default . "`. $from_table
-						WHERE message LIKE '" . $remove['message'] . "%' ";
+						WHERE message LIKE " . db_qstr($remove['message'] . '%');
 				}
 
 			} elseif ($remove['type'] == 'messagec') {
 				if ($remove['method'] != 'del') {
 					$sql_sel = "SELECT seq FROM `" . $syslogdb_default . "`. $from_table
-						WHERE message LIKE '%" . $remove['message'] . "%' ";
+						WHERE message LIKE " . db_qstr('%' . $remove['message'] . '%');
 				} else {
 					$sql_dlt = "DELETE FROM `" . $syslogdb_default . "`. $from_table
-						WHERE message LIKE '%" . $remove['message'] . "%' ";
+						WHERE message LIKE " . db_qstr('%' . $remove['message'] . '%');
 				}
 			} elseif ($remove['type'] == 'messagee') {
 				if ($remove['method'] != 'del') {
 					$sql_sel = "SELECT seq FROM `" . $syslogdb_default . "`. $from_table
-						WHERE message LIKE '%" . $remove['message'] . "' ";
+						WHERE message LIKE " . db_qstr('%' . $remove['message']);
 				} else {
 					$sql_dlt = "DELETE FROM `" . $syslogdb_default . "`. $from_table
-						WHERE message LIKE '%" . $remove['message'] . "' ";
+						WHERE message LIKE " . db_qstr('%' . $remove['message']);
 				}
 			} elseif ($remove['type'] == 'sql') {
 				if ($remove['method'] != 'del') {
@@ -1576,73 +1621,10 @@ function syslog_process_alert($alert, $sql, $params, $count, $hostname = '') {
 
 					alert_setup_environment($alert, $results, $hostlist, $hostname);
 
-					/**
-					 * Open a ticket if this options have been selected.
-					 */
-					 $command = read_config_option('syslog_ticket_command');
+					syslog_execute_ticket_command($alert, $hostlist, 'Ticket Command');
 
-					if ($command != '') {
-						$command = trim($command);
-					}
-
-					if ($alert['open_ticket'] == 'on' && $command != '') {
-						$executable = $command;
-						$firstChar  = substr($executable, 0, 1);
-
-						if ($firstChar === '"' || $firstChar === "'") {
-							$closing = strpos($executable, $firstChar, 1);
-
-							if ($closing !== false) {
-								$executable = substr($executable, 1, $closing - 1);
-							} else {
-								$executable = trim($executable, " \t\n\r\0\x0B\"'");
-							}
-						} else {
-							$parts = preg_split('/\s+/', $executable);
-
-							if (is_array($parts) && isset($parts[0])) {
-								$executable = $parts[0];
-							}
-
-							$executable = trim($executable, " \t\n\r\0\x0B\"'");
-						}
-
-						if ($executable !== '' && is_executable($executable)) {
-							$command = $command .
-								' --alert-name=' . cacti_escapeshellarg(clean_up_name($alert['name'])) .
-								' --severity='   . cacti_escapeshellarg($alert['severity']) .
-								' --hostlist='   . cacti_escapeshellarg(implode(',',$hostlist)) .
-								' --message='    . cacti_escapeshellarg($alert['message']);
-
-							$output = array();
-							$return = 0;
-
-							exec($command, $output, $return);
-
-							if ($return != 0) {
-								cacti_log(sprintf('ERROR: Ticket Command Failed.  Alert:%s, Exit:%s, Output:%s', $alert['name'], $return, implode(', ', $output)), false, 'SYSLOG');
-							}
-						}
-					}
-
-					if (trim($alert['command']) != '' && !$found) {
-						$command = alert_replace_variables($alert, $results, $hostname);
-
-						$logMessage = "SYSLOG NOTICE: Executing '$command'";
-
-						$cparts = explode(' ', $command);
-
-						if (is_executable($cparts[0])) {
-							exec($command, $output, $returnCode);
-						} else {
-							exec('/bin/sh ' . $command, $output, $returnCode);
-						}
-
-						// Append the return code to the log message without the dot
-						$logMessage .= " Command return code: $returnCode";
-
-						// Log the combined message
-						cacti_log($logMessage, true, 'SYSTEM');
+					if (!$found) {
+						syslog_execute_alert_command($alert, $results, $hostname);
 					}
 
 				}
@@ -1660,49 +1642,10 @@ function syslog_process_alert($alert, $sql, $params, $count, $hostname = '') {
 
 					alert_setup_environment($alert, $results, $hostlist, $hostname);
 
-					$command = read_config_option('syslog_ticket_command');
+					syslog_execute_ticket_command($alert, $hostlist, 'Command');
 
-					if ($command != '') {
-						$command = trim($command);
-					}
-
-					if ($alert['open_ticket'] == 'on' && $command != '') {
-						if (is_executable($command)) {
-							$command = $command .
-								' --alert-name=' . cacti_escapeshellarg(clean_up_name($alert['name'])) .
-								' --severity='   . cacti_escapeshellarg($alert['severity']) .
-								' --hostlist='   . cacti_escapeshellarg(implode(',',$hostlist)) .
-								' --message='    . cacti_escapeshellarg($alert['message']);
-
-							$output = array();
-							$return = 0;
-
-							exec($command, $output, $return);
-
-							if ($return != 0) {
-								cacti_log(sprintf('ERROR: Command Failed.  Alert:%s, Exit:%s, Output:%s', $alert['name'], $return, implode(', ', $output)), false, 'SYSLOG');
-							}
-						}
-					}
-
-					if (trim($alert['command']) != '' && !$found) {
-						$command = alert_replace_variables($alert, $results, $hostname);
-
-						$logMessage = "SYSLOG NOTICE: Executing '$command'";
-
-						$cparts = explode(' ', $command);
-
-						if (is_executable($cparts[0])) {
-							exec($command, $output, $returnCode);
-						} else {
-							exec('/bin/sh ' . $command, $output, $returnCode);
-						}
-
-						// Append the return code to the log message without the dot
-						$logMessage .= " Command return code: $returnCode";
-
-						// Log the combined message
-						cacti_log($logMessage, true, 'SYSTEM');
+					if (!$found) {
+						syslog_execute_alert_command($alert, $results, $hostname);
 					}
 				}
 			}
@@ -2505,6 +2448,92 @@ function alert_setup_environment(&$alert, $results, $hostlist = array(), $hostna
 	putenv('ALERT_MESSAGES='      . cacti_escapeshellarg(trim(str_replace("\0", ' ', $results['message']))));
 }
 
+/**
+ * syslog_execute_ticket_command - Execute the configured ticket command for an alert
+ *
+ * @param  array  $alert    The alert definition
+ * @param  array  $hostlist The list of affected hosts
+ * @param  string $context  Logging context label
+ *
+ * @return void
+ */
+function syslog_execute_ticket_command($alert, $hostlist, $context) {
+	$command = read_config_option('syslog_ticket_command');
+
+	if ($command != '') {
+		$command = trim($command);
+	}
+
+	if ($alert['open_ticket'] == 'on' && $command != '') {
+		$cparts = preg_split('/\s+/', trim($command));
+		$executable = trim($cparts[0], '"\'');
+
+		if ($executable === '' || strpos($executable, DIRECTORY_SEPARATOR) === false) {
+			cacti_log(sprintf('SYSLOG ERROR: %s executable not found or not an absolute path.  Alert:%s, Command:%s', $context, $alert['name'], $executable), false, 'SYSLOG');
+			return;
+		}
+
+		if (is_executable($executable)) {
+			$command = cacti_escapeshellarg($executable) .
+				' --alert-name=' . cacti_escapeshellarg(clean_up_name($alert['name'])) .
+				' --severity='   . cacti_escapeshellarg($alert['severity']) .
+				' --hostlist='   . cacti_escapeshellarg(implode(',', $hostlist)) .
+				' --message='    . cacti_escapeshellarg($alert['message']);
+
+			$output = array();
+			$return = 0;
+
+			exec($command, $output, $return);
+
+			if ($return != 0) {
+				cacti_log(sprintf('ERROR: %s Failed.  Alert:%s, Exit:%s, Output:%s', $context, $alert['name'], $return, implode(', ', $output)), false, 'SYSLOG');
+			}
+		} else {
+			cacti_log(sprintf('SYSLOG ERROR: %s is not executable.  Alert:%s, Command:%s', $context, $alert['name'], $executable), false, 'SYSLOG');
+		}
+	}
+}
+
+/**
+ * syslog_execute_alert_command - Execute the alert-specific command
+ *
+ * @param  array  $alert    The alert definition
+ * @param  array  $results  The syslog result set
+ * @param  string $hostname The hostname for host-level alerts
+ *
+ * @return void
+ */
+function syslog_execute_alert_command($alert, $results, $hostname) {
+	if (trim($alert['command']) == '') {
+		return;
+	}
+
+	$cparts = preg_split('/\s+/', trim($alert['command']));
+	$executable = trim($cparts[0], '"\'');
+
+	if ($executable === '' || strpos($executable, DIRECTORY_SEPARATOR) === false) {
+		cacti_log(sprintf('SYSLOG ERROR: Alert command executable not found or not an absolute path.  Alert:%s, Command:%s', $alert['name'], $executable), false, 'SYSLOG');
+		return;
+	}
+
+	if (is_executable($executable)) {
+		$command = alert_replace_variables($alert, $results, $hostname);
+
+		$logMessage = "SYSLOG NOTICE: Executing '$command'";
+
+		$output     = array();
+		$returnCode = 0;
+
+		exec($command, $output, $returnCode);
+
+		$logMessage .= " Command return code: $returnCode";
+
+		cacti_log($logMessage, true, 'SYSTEM');
+	} else {
+		cacti_log(sprintf('SYSLOG ERROR: Alert command is not executable.  Alert:%s, Command:%s', $alert['name'], $executable), false, 'SYSLOG');
+	}
+}
+
 /**
  * alert_replace_variables - add command line parameter to the syslog command
  *   or ticket opening script
@@ -2520,6 +2549,12 @@ function alert_replace_variables($alert, $results, $hostname = '') {
 
 	$command = $alert['command'];
 
+	/* Escape the executable so the full command passed to exec() is safe */
+	$cparts = preg_split('/\s+/', trim($command), 2);
+	$executable = trim($cparts[0], '"\'');
+	$args = isset($cparts[1]) ? ' ' . $cparts[1] : '';
+	$command = cacti_escapeshellarg($executable) . $args;
+
 	$command = str_replace('<ALERTID>',  cacti_escapeshellarg($alert['id']), $command);
 	$command = str_replace('<HOSTNAME>', cacti_escapeshellarg($hostname), $command);
 	$command = str_replace('<PRIORITY>', cacti_escapeshellarg($syslog_levels[$results['priority_id']]), $command);

syslog_alerts.php

@@ -934,17 +934,9 @@ function import() {
 }
 
 function alert_import() {
-	$import_text = get_nfilter_request_var('import_text');
-
-	if (trim($import_text) != '') {
-		/* textbox input */
-		$xml_data = $import_text;
-	} elseif (($_FILES['import_file']['tmp_name'] != 'none') && ($_FILES['import_file']['tmp_name'] != '')) {
-		/* file upload */
-		$fp = fopen($_FILES['import_file']['tmp_name'],'r');
-		$xml_data = fread($fp, filesize($_FILES['import_file']['tmp_name']));
-		fclose($fp);
-	} else {
+	$xml_data = syslog_get_import_xml_payload();
+
+	if ($xml_data === false) {
 		header('Location: syslog_alerts.php?header=false');
 		exit;
 	}