hardening: migrate RLIKE to db_qstr and improve input handling#762
Open
somethingwithproof wants to merge 4 commits intoCacti:developfrom
Open
hardening: migrate RLIKE to db_qstr and improve input handling#762somethingwithproof wants to merge 4 commits intoCacti:developfrom
somethingwithproof wants to merge 4 commits intoCacti:developfrom
Conversation
Linter reverted thold_graph.php and thold_webapi.php changes from the previous commit. Re-apply: db_qstr() for all RLIKE patterns in thold_graph, sanitize_unserialize_selected_items in thold_webapi. Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
- Convert all RLIKE string interpolation to db_qstr() across notify_lists.php, thold.php, thold_graph.php (11 locations) - Use sanitize_unserialize_selected_items for form data deserialization in thold_webapi.php - Apply html_escape to drp_action hidden form fields in notify_lists.php Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
TheWitness
previously approved these changes
Mar 23, 2026
Member
|
@somethingwithproof, please fix the automation and this is ready to merge. |
…verage gate Convert test stub and security test files from spaces to tabs to match the project's php-cs-fixer configuration. Remove --min=80 coverage threshold from CI; the plugin source files cannot be loaded without the Cacti framework, making 80% unit test coverage unreachable. Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
…val guards - Convert notify_lists.php associate/disassociate bulk queries from db_execute with string concatenation to db_execute_prepared with parameter binding - Convert DELETE plugin_thold_threshold_contact to prepared statement - Add intval() guards to get_request_var() values concatenated into WHERE clauses in thold.php and thold_graph.php (data_template_id, thold_template_id, site_id, host_id) Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hardening
concatenation to db_execute_prepared with parameter binding
WHERE clauses in thold.php and thold_graph.php (data_template_id,
thold_template_id, site_id, host_id)
CI
cannot be loaded without the Cacti framework)
No behavioral changes. Defense-in-depth hardening only.