harden(weathermap): fix strict false comparison for strpos in target quoting #227
Merged: TheWitness merged 9 commits, May 19, 2026
Pull request overview
This PR hardens target serialization in the WeatherMap link and node classes by fixing loose strpos() comparisons so leading spaces are detected correctly.
Changes:
- Uses `=== false` when checking whether target strings contain spaces.
- Applies the fix consistently in link config output, link JavaScript output, and node config output.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| lib/WeatherMapLink.class.php | Fixes strict space detection for link target quoting in config and JavaScript serialization. |
| lib/WeatherMapNode.class.php | Fixes strict space detection for node target quoting in config serialization. |
…quoting
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
…aptitle, prepared cacti-mapper query
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
…ption
Reject extra_options containing quotes or backslashes with a wm_warn log entry rather than silently tokenizing flag=value pairs that contain spaces. Flags like --title "My Map" would otherwise become three malformed tokens. Documents that this field accepts only space-separated single-token flags.
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
1c18e9e to 46cde86
…options log visibility
setup.php: db_fetch_cell -> db_fetch_cell_prepared per project rule.
WeatherMapLink: DrawComments and the post-draw label path both crash with TypeError on PHP 8 when curvepoints is empty. Add early return guard.
WeatherMapDataSource_rrd: rrd_options rejection was silent at default verbosity. Supplement wm_warn with cacti_log at POLLER_VERBOSITY_LOW so operators see the skip without enabling debug logging.
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Signed-off-by: TheWitness <thewitness@cacti.net>
Signed-off-by: TheWitness <thewitness@cacti.net>
TheWitness approved these changes, May 18, 2026
xmacan approved these changes, May 18, 2026
bmfmancini approved these changes, May 18, 2026
TheWitness approved these changes, May 19, 2026
Summary
- `strpos($target[4], ' ') == false` → `=== false` at three sites in `WeatherMapLink::WriteConfig()`, `WeatherMapLink::asJS()`, and `WeatherMapNode::WriteConfig()`
- `cacti_escapeshellarg()` to the rrdtool binary path in both ReadData call sites of `WeatherMapDataSource_rrd.php`
- `cacti_escapeshellarg()` to the fping binary path in `WeatherMapDataSource_fping.php`
- `rrd_options` against quoted/backslash arguments that would break shell word splitting; emit `cacti_log()` at POLLER_VERBOSITY_LOW alongside `wm_warn()` so operators see the rejection without enabling debug verbosity
- `html_escape($map->title)` in map title output; prepared statement in `weathermap-cacti-plugin.php` cacti-mapper query
- `db_fetch_cell_prepared()` for the version check in `setup.php`
- `DrawComments` and the post-draw label path to prevent fatal `TypeError` on PHP 8.x when degenerate geometry produces an empty curvepoints array
Why
`strpos` returns `0` (not `false`) when the match is at position 0; loose `==` comparison incorrectly skips quoting for strings that begin with a space. The shell-escape and rrd_options guard address a class of argument injection that would allow rrdtool to receive attacker-controlled arguments. The PHP 8 curvepoints crash is a regression path on any map with degenerate link geometry.
Test plan
- …0) is treated as containing a space and quoted
- …`rrd_options` to a value containing a `"` quote; confirm the map logs a WEATHERMAP warning visible in the standard Cacti poller log and no data is corrupted
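As an added example (not code from the plugin), the quoting defect the Why section describes, in the shape of the target check in WeatherMapLink::WriteConfig(); the function names and the sample targets are constructed here, and the self-check covers the test-plan case of a target whose only space is at offset 0:

```php
<?php
// Added example, not the WeatherMap plugin's own code. The two functions
// below are hypothetical stand-ins for the target-quoting check the PR fixes.

// Loose comparison: strpos() returns 0 for a match at offset 0, and in PHP
// 0 == false is true, so a target that STARTS with a space is never quoted.
function quoteTargetLoose(string $target): string
{
    if (strpos($target, ' ') == false) {
        return $target;   // wrongly taken as "no space" when the offset is 0
    }
    return '"' . $target . '"';
}

// Strict comparison: only a genuine false (no space anywhere) skips quoting.
function quoteTargetStrict(string $target): string
{
    if (strpos($target, ' ') === false) {
        return $target;
    }
    return '"' . $target . '"';
}

// Regression check matching the test plan: a leading-space target must be
// treated as containing a space and therefore be quoted.
function leadingSpaceIsQuoted(): bool
{
    return quoteTargetStrict(' leading.rrd') === '" leading.rrd"';
}

// Constructed sample targets
$targets = [
    'rrd:/var/lib/cacti/rra/host.rrd',   // no space: unquoted either way
    'some dir/file.rrd',                 // space at offset 8: quoted either way
    ' leading.rrd',                      // space at offset 0: the defect
];

foreach ($targets as $t) {
    printf("%-38s loose=%-22s strict=%s\n",
        var_export($t, true), quoteTargetLoose($t), quoteTargetStrict($t));
}
// The third row shows the loose form emitting ' leading.rrd' unquoted while
// the strict form emits '" leading.rrd"'.
echo 'leading-space check: ', leadingSpaceIsQuoted() ? 'pass' : 'FAIL', "\n";
```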
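As an added example (not the plugin's code), a guard of the kind the summary describes for rrd_options, with the rrdtool binary path escaped before the command string is assembled. wm_warn(), cacti_log() and cacti_escapeshellarg() are the Cacti/WeatherMap functions named on the page, stubbed here with simplified signatures so the block runs stand-alone; the paths and option strings are constructed:

```php
<?php
// Added example, not the WeatherMap plugin's own code. Stubs with simplified
// signatures stand in for the Cacti/WeatherMap logging and escaping helpers.
function wm_warn(string $msg): void { fwrite(STDERR, "WARNING: $msg\n"); }
function cacti_log(string $msg): void { fwrite(STDERR, "CACTI: $msg\n"); }
function cacti_escapeshellarg(string $s): string { return escapeshellarg($s); }

// Returns the validated option tokens, or null when the field is rejected.
// Only space-separated single-token flags are accepted: any quote or backslash
// is refused outright instead of being split into malformed tokens, and the
// rejection is logged at both levels so it is visible at default verbosity.
function validateRrdOptions(string $options): ?array
{
    if (preg_match('/["\'\\\\]/', $options)) {
        wm_warn('rrd_options contains quotes or backslashes; options skipped');
        cacti_log('WEATHERMAP: rrd_options rejected: ' . $options);
        return null;
    }
    return preg_split('/\s+/', trim($options), -1, PREG_SPLIT_NO_EMPTY);
}

// Every argument, including the binary path, is escaped individually, so a
// path or option containing shell metacharacters stays a single argument.
function buildRrdtoolCommand(string $rrdtoolPath, string $rrdFile,
                             string $options): string
{
    $parts = [
        cacti_escapeshellarg($rrdtoolPath),
        'fetch',
        cacti_escapeshellarg($rrdFile),
        'AVERAGE',
    ];
    $tokens = validateRrdOptions($options);
    if ($tokens !== null) {
        foreach ($tokens as $tok) {
            $parts[] = cacti_escapeshellarg($tok);
        }
    }
    return implode(' ', $parts);
}

// Constructed inputs: the first option string is accepted, the second (the
// --title "My Map" case from the commit message) is rejected and logged.
$rrd = '/var/lib/cacti/rra/host.rrd';
echo buildRrdtoolCommand('/usr/bin/rrdtool', $rrd,
    '--daemon unix:/tmp/rrdcached.sock'), "\n";
echo buildRrdtoolCommand('/usr/bin/rrdtool', $rrd, '--title "My Map"'), "\n";
```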