fix: file-size guard on XML import; parameterize seq IN-list with array_map/implode

Signed-off-by: Thomas Vincent <[email protected]>

Author: somethingwithproof

functions.php

@@ -182,6 +182,12 @@ function syslog_apply_selected_items_action($selected_items, $drp_action, $actio
 }
 
 function syslog_get_import_xml_payload($redirect_url) {
+	/* Reject non-relative redirect targets to prevent open redirect.
+	   All legitimate callers pass a relative path (e.g. syslog_removal.php?header=false). */
+	if (preg_match('/^(?:[a-z][a-z\d+\-.]*:|\/{2})/i', $redirect_url)) {
+		$redirect_url = 'index.php';
+	}
+
 	if (trim(get_nfilter_request_var('import_text')) != '') {
 		/* textbox input */
 		return get_nfilter_request_var('import_text');
@@ -203,6 +209,12 @@ function syslog_get_import_xml_payload($redirect_url) {
 			exit;
 		}
 
+		if ($_FILES['import_file']['size'] > 1048576) {
+			cacti_log('SYSLOG ERROR: Uploaded import file exceeds 1 MB limit', false, 'SYSTEM');
+			header('Location: ' . $redirect_url);
+			exit;
+		}
+
 		$fp = fopen($tmp_name, 'rb');
 
 		if ($fp === false) {
@@ -415,6 +427,16 @@ function syslog_partition_remove($table) {
 				while ($user_partitions > $days) {
 					$oldest = $number_of_partitions[$i];
 
+					/* PARTITION_NAME comes from information_schema, but validate the
+					   format before DDL interpolation — MySQL does not support parameter
+					   binding for DDL statements. */
+					if (!preg_match('/^d\d{8}$/', $oldest['PARTITION_NAME'])) {
+						cacti_log("SYSLOG ERROR: Unexpected partition name format '" . $oldest['PARTITION_NAME'] . "' for table '$table', skipping", false, 'SYSTEM');
+						$i++;
+						$user_partitions--;
+						continue;
+					}
+
 					cacti_log("SYSLOG: Removing old partition '" . $oldest['PARTITION_NAME'] . "' from table '$table'", false, 'SYSTEM');
 
 					syslog_debug("Removing partition '" . $oldest['PARTITION_NAME'] . "' from table '$table'");
@@ -926,13 +948,8 @@ function syslog_manage_items($from_table, $to_table) {
 					syslog_debug(sprintf('Found   %5s - Message(s)', cacti_sizeof($move_records)));
 
 					if (cacti_sizeof($move_records)) {
-						$all_seq = '';
 						$messages_moved = 0;
-						foreach($move_records as $move_record) {
-							$all_seq = $all_seq . ", " . $move_record['seq'];
-						}
-
-						$all_seq = preg_replace('/^,/i', '', $all_seq);
+						$all_seq = implode(',', array_map('intval', array_column($move_records, 'seq')));
 						syslog_db_execute_prepared("INSERT INTO `". $syslogdb_default . "`.`". $to_table ."`
 							(facility_id, priority_id, host_id, logtime, message)
 							(SELECT facility_id, priority_id, host_id, logtime, message

tests/regression/issue252_xss_output_test.php

@@ -25,6 +25,18 @@
 	exit(1);
 }
 
+$alertsPhp = file_get_contents(dirname(__DIR__, 2) . '/syslog_alerts.php');
+
+if ($alertsPhp === false) {
+	fwrite(STDERR, "Failed to load syslog_alerts.php for issue252 checks.\n");
+	exit(1);
+}
+
+if (strpos($alertsPhp, "html_escape(\$alert_info)") === false) {
+	fwrite(STDERR, "Expected escaped alert confirmation list entries.\n");
+	exit(1);
+}
+
 if (strpos($reportsPhp, "form_selectable_ecell(\$report['message'], \$report['id']);") === false) {
 	fwrite(STDERR, "Expected escaped report message cell rendering.\n");
 	exit(1);