[cacti] fix comments in thumbnails (BZ #1004550)

Ken Dreyer ktdreyer at fedoraproject.org
Sun Sep 8 21:52:25 UTC 2013


commit b0f42c247ca8d17f83f4502f19b09a2bdd69fcf0
Author: Ken Dreyer <ktdreyer at ktdreyer.com>
Date:   Sun Sep 8 14:55:53 2013 -0600

    fix comments in thumbnails (BZ #1004550)

 cacti-0.8.8b-rra-comments.patch |   42 +++++++++++++++++++++++++++++++++++++++
 cacti.spec                      |   10 ++++++++-
 2 files changed, 51 insertions(+), 1 deletions(-)
---
diff --git a/cacti-0.8.8b-rra-comments.patch b/cacti-0.8.8b-rra-comments.patch
new file mode 100644
index 0000000..c5becfe
--- /dev/null
+++ b/cacti-0.8.8b-rra-comments.patch
@@ -0,0 +1,42 @@
+------------------------------------------------------------------------
+r7418 | gandalf | 2013-08-13 13:32:49 -0600 (Tue, 13 Aug 2013) | 1 line
+
+fix COMMENT handling, even in case COMMENT is empty, with or without HR and with variable substitution
+------------------------------------------------------------------------
+Index: branches/0.8.8/lib/rrd.php
+===================================================================
+--- branches/0.8.8/lib/rrd.php	(revision 7417)
++++ branches/0.8.8/lib/rrd.php	(revision 7418)
+@@ -1343,20 +1343,20 @@
+ 		$need_rrd_nl = TRUE;
+ 
+ 		if ($graph_item_types{$graph_item["graph_type_id"]} == "COMMENT") {
++			# perform variable substitution first (in case this will yield an empty results or brings command injection problems)
++			$comment_arg = rrd_substitute_host_query_data($graph_variables["text_format"][$graph_item_id], $graph, $graph_item);
++			# next, compute the argument of the COMMENT statement and perform injection counter measures
++			if (trim($comment_arg) == '') { # an empty COMMENT must be treated with care
++				$comment_arg = cacti_escapeshellarg(' ' . $hardreturn[$graph_item_id]);
++			} else {
++				$comment_arg = cacti_escapeshellarg($comment_arg . $hardreturn[$graph_item_id]);
++			}
++
++			# create rrdtool specific command line
+ 			if (read_config_option("rrdtool_version") != "rrd-1.0.x") {
+-				$comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id])) . " ";
+-				if (trim($comment_string) == 'COMMENT:"\n"') {
+-					$txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work
+-				} else if (trim($comment_string) != "COMMENT:\"\"") {
+-					$txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item);
+-				}
++				$txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", $comment_arg) . " ";
+ 			}else {
+-				$comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id]) . " ";
+-				if (trim($comment_string) == 'COMMENT:"\n"') {
+-					$txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work
+-				} else if (trim($comment_string) != "COMMENT:\"\"") {
+-					$txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item);
+-				}
++				$txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . $comment_arg . " ";
+ 			}
+ 		}elseif (($graph_item_types{$graph_item["graph_type_id"]} == "GPRINT") && (!isset($graph_data_array["graph_nolegend"]))) {
+ 			$graph_variables["text_format"][$graph_item_id] = str_replace(":", "\:", $graph_variables["text_format"][$graph_item_id]); /* escape colons */
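Review bot: The comment that opens the COMMENT branch is the only place explaining why `rrd_substitute_host_query_data()` now runs before `cacti_escapeshellarg()`, and its wording ("in case this will yield an empty results or brings command injection problems") leaves the invariant unclear. I would state it directly, e.g. `# substitute host/query variables first, so the substituted text is what gets shell-escaped; never substitute into an already-quoted argument`. The GPRINT branch that begins on the last two lines of the hunk continues outside it, so whether it follows the same substitute-then-escape order cannot be seen here and is worth confirming. As a minor style point, `trim($comment_arg) == ''` compares two strings and could use `===`.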
diff --git a/cacti.spec b/cacti.spec
index 35c4bab..94f4e1d 100644
--- a/cacti.spec
+++ b/cacti.spec
@@ -1,6 +1,6 @@
 Name: cacti
 Version: 0.8.8b
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: An rrd based graphing tool
 
 Group: Applications/System
@@ -30,6 +30,10 @@ Patch1: cacti-0.8.8a-replace_treeview_by_jquery.jstree.patch
 # https://bugzilla.redhat.com/1000860
 Patch2: cacti-0.8.8b-sanitize-variables.patch
 
+# Upstream patch to fix graph comments
+# https://bugzilla.redhat.com/1004550
+Patch3: cacti-0.8.8b-rra-comments.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 Requires: php, php-mysql, mysql, httpd, rrdtool, net-snmp, php-snmp
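Review bot: The comment above `Patch3` describes the patch only as a fix for graph comments, but the patch's own inline comments say it also performs "injection counter measures" by shell-escaping the COMMENT text after variable substitution. Recording that and the upstream revision would help anyone auditing which escaping fixes this build carries, e.g. `# Upstream r7418: fix graph COMMENT handling; substitute variables before shell-escaping`. The same wording could be reflected in the `%changelog` entry for 0.8.8b-3.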
@@ -57,6 +61,7 @@ used to creating traffic graphs with MRTG.
 %patch0 -p1
 %patch1 -p1 -b .notreeview
 %patch2 -p2 -b .sanitize
+%patch3 -p2 -b .comments
 cp %{SOURCE4} %{SOURCE5} %{SOURCE6} include/js/jquery/themes/default/
 rm -rf include/treeview
 
@@ -147,6 +152,9 @@ fi
 %attr(0644,root,root) %{_localstatedir}/lib/%{name}/lib
 
 %changelog
+* Wed Sep 04 2013 Ken Dreyer <ktdreyer at ktdreyer.org> - 0.8.8b-3
+- Fix comments in thumbnails (BZ #1004550)
+
 * Mon Aug 26 2013 Ken Dreyer <ktdreyer at ktdreyer.org> - 0.8.8b-2
 - Patch for CVE-2013-5588 and CVE-2013-5589 (BZ #1000860)
 

