hardening: prepared statements, PHP 7.4 idioms, and security fixes#365
hardening: prepared statements, PHP 7.4 idioms, and security fixes#365somethingwithproof wants to merge 8 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
Hardening-focused update for the Intropage plugin, aiming to reduce injection risk and modernize some PHP idioms in panel and admin code paths.
Changes:
- Added explicit integer casting for SQL-concatenated numeric values (template IDs, LIMIT counts, ports).
- Replaced
isset()-based ternaries with??for defaulting values. - Introduced a prepared statement for
graph_tree_itemsparent lookups and used??=for session defaulting.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
panellib/busiest.php |
Casts interpolated numeric values used in SQL query construction (data_template_id, LIMIT). |
panellib/analyze.php |
Casts snmp_port in a host lookup query; uses a prepared statement for tree parent traversal. |
include/settings.php |
Uses null coalescing (??) for injecting default form variables and panel defaults. |
include/functions.php |
Uses null coalescing (??) for panel height defaults; uses ??= for session initialization. |
| if (!isset($_SESSION['sess_current_timespan'])) { | ||
| $_SESSION['sess_current_timespan'] = read_user_setting('default_timespan'); | ||
| } | ||
| $_SESSION['sess_current_timespan'] ??= read_user_setting('default_timespan'); |
There was a problem hiding this comment.
??= is a PHP 7.4-only operator. If this plugin still targets PHP 7.0–7.3 (common with older Cacti installs), this will cause a parse error and take the page down. Either revert to an isset()/?? assignment pattern compatible with the supported minimum PHP version, or explicitly document/enforce PHP 7.4+ as a requirement for the plugin.
| $_SESSION['sess_current_timespan'] ??= read_user_setting('default_timespan'); | |
| if (!isset($_SESSION['sess_current_timespan'])) { | |
| $_SESSION['sess_current_timespan'] = read_user_setting('default_timespan'); | |
| } |
There was a problem hiding this comment.
Cacti 1.2.x requires PHP 7.4 minimum. The ??= operator is safe for all supported versions.
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Add targeted tests for prepared statement migration, output escaping, auth guard presence, CSRF token validation, redirect safety, and PHP 7.4 compatibility. Tests use source-scan patterns that verify security invariants without requiring the Cacti database. Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
6e5fa70 to
8337113
Compare
Consolidated hardening PR:
4 files changed, 35 insertions(+), 37 deletions(-)
All changes are mechanical transforms with zero behavioral impact. PHP 7.4+ compatible.