From 6f160e717629ed17ba744ef15198ea18226f943e Mon Sep 17 00:00:00 2001
From: Bart Van Der Meerssche
Date: Tue, 25 Aug 2009 11:48:56 +0000
Subject: [PATCH] web: add security check on old XMLRPC API
---
 web/drupal/modules/logger/logger.module | 4 +-
 web/drupal/modules/logger/xmlrpc.inc | 64 +++++++++++++------------
 2 files changed, 35 insertions(+), 33 deletions(-)
diff --git a/web/drupal/modules/logger/logger.module b/web/drupal/modules/logger/logger.module
index b4e8e7b..f7c8863 100644
--- a/web/drupal/modules/logger/logger.module
+++ b/web/drupal/modules/logger/logger.module
@@ -156,7 +156,7 @@ function logger_menu() {
 * Callback functions registered in the logger_menu section
 */
 function _logger_dashboard($type, $function, $interval) {
- watchdog('dashboard', 'arguments: %type, %function, %interval', array('%type' => $type, '%function' => $function, '%interval' => $interval), WATCHDOG_DEBUG);
+ // watchdog('dashboard', 'arguments: %type, %function, %interval', array('%type' => $type, '%function' => $function, '%interval' => $interval), WATCHDOG_DEBUG);
 if (user_access('logger')) {
 drupal_set_title(t('your dashboard'));
@@ -240,7 +240,7 @@ function _logger_dashboard($type, $function, $interval) {
 $command .= $string->def;
 $command .= $string->line;
 exec($command, $output, $return_var);
- watchdog('dashboard', 'arguments: %command ++ %output ++ %return_var', array('%command' => $command, '%output' => serialize($output), '%return_var' => $return_var), WATCHDOG_DEBUG);
+ // watchdog('dashboard', 'arguments: %command ++ %output ++ %return_var', array('%command' => $command, '%output' => serialize($output), '%return_var' => $return_var), WATCHDOG_DEBUG);
 return theme('chart', $graph_path . $pngid .'.png');
 }
diff --git a/web/drupal/modules/logger/xmlrpc.inc b/web/drupal/modules/logger/xmlrpc.inc
index 81e708e..a2a4229 100644
--- a/web/drupal/modules/logger/xmlrpc.inc
+++ b/web/drupal/modules/logger/xmlrpc.inc
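Review bot: Both watchdog() debug calls in _logger_dashboard are commented out rather than deleted, here and in the second hunk at line 240, which leaves dead code that is easy to re-enable by accident. The second one would write the full exec() command line together with its serialized output to the log, so if a debug trace is still wanted it should sit behind a setting, e.g. `if (variable_get('logger_debug', FALSE)) { watchdog('dashboard', ...); }`; otherwise drop the lines entirely. _logger_dashboard begins and ends outside both hunks.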
@@ -63,41 +63,43 @@ function _logger_measurement_add($logs) {
 $path->night = $path->root .'/data/night/';
 foreach ($logs as $meter => $measurements) {
 //load the normalisation factor, relative to 1pulse = 1Wh
- $meterdata = db_fetch_object(db_query("SELECT night, factor FROM {logger_meters} WHERE meter = '%s'", $meter));
- $command = $path->root .'/rrdtool update '. $path->base . $meter .'.rrd ';
- ksort($measurements); // sort the key-value pairs in the associative array by key, i.e. the timestamp
- foreach ($measurements as $timestamp => $value) {
- if (is_numeric($timestamp) and is_numeric($value)) {
- $command .= $timestamp .':'. $value*$meterdata->factor .' ';
- }
- else {
- watchdog_xmlrpc('logger.measurementAdd', 'corrupted input data for %meter : %timestamp : %value', array('%meter' => $meter, '%timestamp' => $timestamp, '%value' => $value), WATCHDOG_ERROR);
- }
- }
- system($command, $return);
- if ($return == 0) {
- // update the night rrd every day at 6AM UTC
- if (time() > $meterdata->night) {
- $timestamp = floor(time()/86400)*86400;
- $start = $timestamp + 3600;
- $end = $start + 10800; //3h time interval
- $command = $path->root ."/rrdtool fetch ". $path->base . $meter .".rrd AVERAGE -r 900 -s ". $start ." -e ". $end ." | tail -n 12 | awk -F': ' '{SUM += $2} END {print SUM/12}'";
- $night = (float)shell_exec($command); //test shell_exec iso system
- $command = $path->root .'/rrdtool update '. $path->night . $meter .'.rrd '. $timestamp .':'. $night;
- system($command, $return);
- if ($return == 0) {
- watchdog_xmlrpc('logger.measurementAdd', 'successful update for night rrd: %command', array('%command' => $command), WATCHDOG_NOTICE); //debugging
+ $meterdata = db_fetch_object(db_query("SELECT uid, night, factor FROM {logger_meters} WHERE meter = '%s'", $meter));
+ if ($meterdata->uid < 5) { // only alpha users are allowed to call this API
+ $command = $path->root .'/rrdtool update '. $path->base . $meter .'.rrd ';
+ ksort($measurements); // sort the key-value pairs in the associative array by key, i.e. the timestamp
+ foreach ($measurements as $timestamp => $value) {
+ if (is_numeric($timestamp) and is_numeric($value)) {
+ $command .= $timestamp .':'. $value*$meterdata->factor .' ';
 }
 else {
- watchdog_xmlrpc('logger.measurementAdd', 'error updating night rrd: %command', array('%command' => $command), WATCHDOG_ERROR); //debugging
+ watchdog_xmlrpc('logger.measurementAdd', 'corrupted input data for %meter : %timestamp : %value', array('%meter' => $meter, '%timestamp' => $timestamp, '%value' => $value), WATCHDOG_ERROR);
 }
- $meterdata->night = $timestamp + 104400; //add an offset of 29h, i.e. 5AM UTC next day
 }
- // {logger_meters} is updated with the true metervalue $value, NOT $value*$meterdata->factor since we're not normalising this entry!
- db_query("UPDATE {logger_meters} SET access = %d, night = %d, value = %d WHERE meter = '%s'", time(), $meterdata->night, $value, $meter);
- }
- else {
- watchdog_xmlrpc('logger.measurementAdd', 'shell command execution failed: %return %command', array('%command' => $command, '%return' => $return), WATCHDOG_ERROR);
+ system($command, $return);
+ if ($return == 0) {
+ // update the night rrd every day at 6AM UTC
+ if (time() > $meterdata->night) {
+ $timestamp = floor(time()/86400)*86400;
+ $start = $timestamp + 3600;
+ $end = $start + 10800; //3h time interval
+ $command = $path->root ."/rrdtool fetch ". $path->base . $meter .".rrd AVERAGE -r 900 -s ". $start ." -e ". $end ." | tail -n 12 | awk -F': ' '{SUM += $2} END {print SUM/12}'";
+ $night = (float)shell_exec($command); //test shell_exec iso system
+ $command = $path->root .'/rrdtool update '. $path->night . $meter .'.rrd '. $timestamp .':'. $night;
+ system($command, $return);
+ if ($return == 0) {
+ watchdog_xmlrpc('logger.measurementAdd', 'successful update for night rrd: %command', array('%command' => $command), WATCHDOG_NOTICE); //debugging
+ }
+ else {
+ watchdog_xmlrpc('logger.measurementAdd', 'error updating night rrd: %command', array('%command' => $command), WATCHDOG_ERROR); //debugging
+ }
+ $meterdata->night = $timestamp + 104400; //add an offset of 29h, i.e. 5AM UTC next day
+ }
+ // {logger_meters} is updated with the true metervalue $value, NOT $value*$meterdata->factor since we're not normalising this entry!
+ db_query("UPDATE {logger_meters} SET access = %d, night = %d, value = %d WHERE meter = '%s'", time(), $meterdata->night, $value, $meter);
+ }
+ else {
+ watchdog_xmlrpc('logger.measurementAdd', 'shell command execution failed: %return %command', array('%command' => $command, '%return' => $return), WATCHDOG_ERROR);
+ }
 }
 }
 return $command; //using $command for testing purposes, replace by $info afterwards
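Review bot: The new `if ($meterdata->uid < 5)` gate on the second added line does not handle a meter that is absent from {logger_meters}: db_fetch_object() returns FALSE in that case, reading `->uid` on FALSE yields null, and `null < 5` is true, so an unknown meter name passes the "alpha users only" check and still reaches the rrdtool update. Tighten it to `if ($meterdata !== FALSE && $meterdata->uid < 5) {` and add an else branch that logs the rejected meter via watchdog_xmlrpc() instead of silently skipping it. The gate also decides on the meter owner's uid rather than on the caller; as far as this hunk shows nothing ties the XML-RPC caller to that owner, and a hard-coded uid threshold is brittle next to the module's existing `user_access('logger')` permission check, so at minimum the comment should say why uid 5 is the boundary. Separately, `$meter` (a key of the caller-supplied `$logs`) is still concatenated unescaped into the system() and shell_exec() command lines on the added lines; validate it against the expected identifier form before the query (e.g. `ctype_alnum($meter)`) or wrap it with `escapeshellarg()`. _logger_measurement_add's signature appears only in the hunk header, so the function begins before this hunk.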