fix(security): do not allow to get all services using downtime ajax f…

…ile (#8022)
centreon · Oct 28, 2019 · 1722da5 · 1722da5
1 parent 0a02bd2
commit 1722da5
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 1,025 deletions.
diff --git a/www/include/monitoring/recurrentDowntime/GetXMLHost4Services.php b/www/include/monitoring/recurrentDowntime/GetXMLHost4Services.php
diff --git a/www/include/monitoring/recurrentDowntime/ajaxPeriods.php b/www/include/monitoring/recurrentDowntime/ajaxPeriods.php
@@ -36,30 +36,21 @@
  *
  */
 
-    header('Content-Type: application/json');
-    header('Cache-Control: no-cache');
+header('Content-Type: application/json');
+header('Cache-Control: no-cache');
 
-    require_once realpath(dirname(__FILE__) . "/../../../../config/centreon.config.php");
-    require_once _CENTREON_PATH_ . "/www/class/centreonDB.class.php";
-    require_once _CENTREON_PATH_ . "/www/class/centreonDowntime.class.php";
+require_once __DIR__ . "/../../../../config/centreon.config.php";
+require_once _CENTREON_PATH_ . "/www/class/centreonDB.class.php";
+require_once _CENTREON_PATH_ . "/www/class/centreonDowntime.class.php";
 
-    $pearDB = new CentreonDB();
-
-if (isset($_GET['dt_id'])) {
-    $id = $_GET['dt_id'];
-} else {
-    $id = 0;
-}
-
-    $path = _CENTREON_PATH_ . "www/include/monitoring/recurrentDowntime/";
+$downtimeId = filter_input(INPUT_GET, 'dt_id', FILTER_VALIDATE_INT);
 
+if (!empty($downtimeId)) {
+    $pearDB = new CentreonDB();
     $downtime = new CentreonDowntime($pearDB);
-
-    require_once $path . 'json.php';
-if ($id == 0) {
-    $periods = array();
+    $periods = $downtime->getPeriods($downtimeId);
 } else {
-    $periods = $downtime->getPeriods($id);
+    $periods = array();
 }
-    $json = new Services_JSON();
-    print $json->encode($periods);
+
+print json_encode($periods);
diff --git a/www/include/monitoring/recurrentDowntime/formDowntime.html b/www/include/monitoring/recurrentDowntime/formDowntime.html
@@ -53,62 +53,6 @@
     return false;
 }
 
-function getXhrHost4Svc(){
-    if (window.XMLHttpRequest) // Firefox et autres
-        var xhrT = new XMLHttpRequest();
-    else if(window.ActiveXObject){ // Internet Explorer
-        try {
-            var xhrT = new ActiveXObject("Msxml2.XMLHTTP");
-        } catch (e) {
-            var xhrT = new ActiveXObject("Microsoft.XMLHTTP");
-        }
-    } else { // XMLHttpRequest non support2 par le navigateur
-        alert("Votre navigateur ne supporte pas les objets XMLHTTPRequest...");
-        var xhrT = false;
-    }
-    return xhrT;
-}
-
-function getServices(host_id) {
-    var arg = 'host_id='+host_id;
-    var xhrT = getXhrHost4Svc();
-
-    xhrT.open("POST","./include/monitoring/recurrentDowntime/GetXMLHost4Services.php", true);
-    xhrT.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
-    xhrT.send(arg);
-
-    /* Responce */
-    xhrT.onreadystatechange = function()
-    {
-        // Responce Ok
-        if (xhrT && xhrT.readyState == 4 && xhrT.status == 200 && xhrT.responseXML){
-            reponseT = xhrT.responseXML.documentElement;
-            var _services = reponseT.getElementsByTagName("service");
-
-            var _selbox = document.getElementById("svc_relation-f");
-            while ( _selbox.options.length > 0 ){
-                _selbox.options[0] = null;
-            }
-
-
-            if (_services.length == 0) {
-                _selbox.setAttribute('disabled', 'disabled');
-            } else {
-                _selbox.removeAttribute('disabled');
-            }
-
-            for (var i = 0 ; i < _services.length ; i++) {
-                var _service = _services[i];
-                var _id = _service.getElementsByTagName("id")[0].firstChild.nodeValue;
-                var _name = _service.getElementsByTagName("name")[0].firstChild.nodeValue;
-
-                new_elem = new Option(_name,_id);
-                _selbox.options[_selbox.length] = new_elem;
-            }
-        }
-    };
-}
-
 /*
  * Validate form
  */