security(hardening): cacti_form_action_label() and html_escape graph_list (1.2.x)

aggregate_graphs.php

@@ -341,7 +341,7 @@ function form_actions() {
 
 	form_start('aggregate_graphs.php');
 
-	html_start_box($graph_actions[get_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($graph_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	$save_html = '';
 
@@ -536,7 +536,7 @@ function form_actions() {
 			<input type='hidden' name='action' value='actions'>
 			<input type='hidden' name='local_graph_id' value='" . (isset_request_var('local_graph_id') ? get_nfilter_request_var('local_graph_id'):0) . "'>
 			<input type='hidden' name='selected_items' value='" . (isset($graph_array) ? serialize($graph_array) : '') . "'>
-			<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+			<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 			$save_html
 		</td>
 	</tr>";

aggregate_templates.php

@@ -309,7 +309,7 @@ function aggregate_form_actions() {
 
 	form_start('aggregate_templates.php');
 
-	html_start_box($aggregate_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($aggregate_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($aggregate_array) && cacti_sizeof($aggregate_array)) {
 		if (get_nfilter_request_var('drp_action') == '1') { /* delete */

automation_devices.php

@@ -166,7 +166,7 @@ function form_actions() {
 
 	form_start('automation_devices.php', 'chk');
 
-	html_start_box($device_actions[get_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($device_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	$available_host_templates = db_fetch_assoc_prepared('SELECT id, name FROM host_template ORDER BY name');
 
@@ -241,7 +241,7 @@ function form_actions() {
 		<td class='saveRow'>
 			<input type='hidden' name='action' value='actions'>
 			<input type='hidden' name='selected_items' value='" . (isset($device_array) ? serialize($device_array) : '') . "'>
-			<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+			<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 			$save_html
 		</td>
 	</tr>";

automation_graph_rules.php

@@ -294,7 +294,7 @@ function automation_graph_rules_form_actions() {
 
 	form_start('automation_graph_rules.php', 'automation_graph_rules');
 
-	html_start_box($automation_graph_rules_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($automation_graph_rules_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (get_nfilter_request_var('drp_action') == AUTOMATION_ACTION_GRAPH_DELETE) { /* delete */
 		print "<tr>

automation_networks.php

@@ -344,7 +344,7 @@ function form_actions() {
 
 	form_start('automation_networks.php');
 
-	html_start_box($network_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($network_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (get_nfilter_request_var('drp_action') == '1') { /* delete */
 		print "<tr>

automation_snmp.php

@@ -220,7 +220,7 @@ function goTo(location) {
 
 	form_start('automation_snmp.php', 'automation_filter');
 
-	html_start_box($automation_snmp_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($automation_snmp_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (!isset($automation_array)) {
 		raise_message(40);

automation_templates.php

@@ -153,7 +153,7 @@ function form_actions() {
 
 	form_start('automation_templates.php');
 
-	html_start_box($at_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($at_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($at_array) && cacti_sizeof($at_array)) {
 		if (get_nfilter_request_var('drp_action') == '1') { /* delete */

automation_tree_rules.php

@@ -277,7 +277,7 @@ function automation_tree_rules_form_actions() {
 
 	form_start('automation_tree_rules.php', 'automation_tree_rules_action');
 
-	html_start_box($automation_tree_rules_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($automation_tree_rules_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (get_nfilter_request_var('drp_action') == AUTOMATION_ACTION_TREE_DELETE) { /* DELETE */
 		print "<tr>

cdef.php

@@ -262,7 +262,7 @@ function form_actions() {
 
 	form_start('cdef.php');
 
-	html_start_box($cdef_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($cdef_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($cdef_array) && cacti_sizeof($cdef_array)) {
 		if (get_nfilter_request_var('drp_action') == '1') { /* delete */

color.php

@@ -178,7 +178,7 @@ function form_actions() {
 
 	form_start('color.php');
 
-	html_start_box($color_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($color_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($color_array) && cacti_sizeof($color_array)) {
 		if (get_nfilter_request_var('drp_action') == '1') { /* delete */
@@ -201,7 +201,7 @@ function form_actions() {
 		<td class='saveRow'>
 			<input type='hidden' name='action' value='actions'>
 			<input type='hidden' name='selected_items' value='" . (isset($color_array) ? serialize($color_array) : '') . "'>
-			<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+			<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 			$save_html
 		</td>
 	</tr>\n";

color_templates.php

@@ -229,7 +229,7 @@ function aggregate_color_form_actions() {
 
 	form_start('color_templates.php');
 
-	html_start_box($aggregate_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($aggregate_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($color_array) && cacti_sizeof($color_array)) {
 		if (get_request_var('drp_action') == '1') { /* delete */
@@ -273,7 +273,7 @@ function aggregate_color_form_actions() {
 		<td class='saveRow'>
 			<input type='hidden' name='action' value='actions'>
 			<input type='hidden' name='selected_items' value='" . (isset($color_array) ? serialize($color_array) : '') . "'>
-			<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+			<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 			$save_html
 		</td>
 	</tr>\n";

data_input.php

@@ -273,7 +273,7 @@ function form_actions() {
 
 	form_start('data_input.php');
 
-	html_start_box($di_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($di_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($di_array) && cacti_sizeof($di_array)) {
 		if (get_request_var('drp_action') == '1') { // delete

data_queries.php

@@ -398,7 +398,7 @@ function form_actions() {
 
 	form_start('data_queries.php');
 
-	html_start_box($dq_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($dq_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($dq_array) && cacti_sizeof($dq_array)) {
 		if (get_nfilter_request_var('drp_action') == '1') { /* delete */

data_source_profiles.php

@@ -291,7 +291,7 @@ function form_actions() {
 
 	form_start('data_source_profiles.php');
 
-	html_start_box($profile_actions[get_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($profile_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($profile_array) && cacti_sizeof($profile_array)) {
 		if (get_request_var('drp_action') == '1') { // delete
@@ -324,7 +324,7 @@ function form_actions() {
 		<td class='saveRow'>
 			<input type='hidden' name='action' value='actions'>
 			<input type='hidden' name='selected_items' value='" . (isset($profile_array) ? serialize($profile_array) : '') . "'>
-			<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+			<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 			$save_html
 		</td>
 	</tr>\n";

data_sources.php

@@ -488,7 +488,7 @@ function form_actions() {
 
 	form_start('data_sources.php');
 
-	html_start_box($ds_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($ds_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($ds_array) && cacti_sizeof($ds_array)) {
 		if (get_nfilter_request_var('drp_action') == '1') { /* delete */

data_templates.php

@@ -453,7 +453,7 @@ function form_actions() {
 
 	form_start('data_templates.php');
 
-	html_start_box($ds_actions[get_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($ds_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($ds_array) && cacti_sizeof($ds_array)) {
 		if (get_request_var('drp_action') == '1') { // delete
@@ -502,7 +502,7 @@ function form_actions() {
 		<td class='saveRow'>
 			<input type='hidden' name='action' value='actions'>
 			<input type='hidden' name='selected_items' value='" . (isset($ds_array) ? serialize($ds_array) : '') . "'>
-			<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+			<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 			$save_html
 		</td>
 	</tr>\n";

gprint_presets.php

@@ -139,7 +139,7 @@ function form_actions() {
 
 	form_start('gprint_presets.php');
 
-	html_start_box($gprint_actions[get_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($gprint_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($gprint_array) && cacti_sizeof($gprint_array)) {
 		if (get_request_var('drp_action') == '1') { /* delete */
@@ -162,7 +162,7 @@ function form_actions() {
 		<td class='saveRow'>
 			<input type='hidden' name='action' value='actions'>
 			<input type='hidden' name='selected_items' value='" . (isset($gprint_array) ? serialize($gprint_array) : '') . "'>
-			<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+			<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 			$save_html
 		</td>
 	</tr>\n";

graph_templates.php

@@ -362,7 +362,7 @@ function form_actions() {
 
 	form_start('graph_templates.php');
 
-	html_start_box($graph_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($graph_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($graph_array) && cacti_sizeof($graph_array)) {
 		if (get_request_var('drp_action') == '1') { // delete

graphs.php

@@ -826,7 +826,7 @@ function form_actions() {
 
 	form_start('graphs.php');
 
-	html_start_box($graph_actions[get_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($graph_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($graph_array) && cacti_sizeof($graph_array)) {
 		if (get_request_var('drp_action') == '1') { // delete
@@ -1007,8 +1007,8 @@ function form_actions() {
 				print '<tr>';
 				print "<td class='textArea'>
 					<p>" . __('Click \'Continue\' to create an Aggregate Graph from the selected Graph(s).'). "</p>
-					<div class='itemlist'><ul>" . get_nfilter_request_var('graph_list') . '</ul></div>
-				</td></tr>';
+					<div class='itemlist'><ul>$graph_list</ul></div>
+				</td></tr>";
 
 				/* list affected data sources */
 				print '<tr>';
@@ -1290,7 +1290,7 @@ function checkSubmit() {
 				$save_html = "<input type='button' class='ui-button ui-corner-all ui-widget cactiReturnTo' value='" . __esc('Return') . "'>";
 			}
 		} else {
-			$save['drp_action'] = get_nfilter_request_var('drp_action');
+			$save['drp_action'] = get_request_var('drp_action');
 			$save['graph_list'] = $graph_list;
 			$save['graph_array'] = (isset($graph_array) ? $graph_array : array());
 
@@ -1308,7 +1308,7 @@ function checkSubmit() {
 		<td class='saveRow'>
 			<input type='hidden' name='action' value='actions'>
 			<input type='hidden' name='selected_items' value='" . (isset($graph_array) ? serialize($graph_array) : '') . "'>
-			<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+			<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 			$save_html
 		</td>
 	</tr>";

host.php

@@ -392,7 +392,7 @@ function form_actions() {
 
 	form_start('host.php');
 
-	html_start_box($device_actions[get_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($device_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($host_array) && cacti_sizeof($host_array)) {
 		if (get_request_var('drp_action') == '2') { // Enable Devices

host_templates.php

@@ -214,7 +214,7 @@ function form_actions() {
 
 	form_start('host_templates.php');
 
-	html_start_box($host_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($host_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($host_array) && cacti_sizeof($host_array)) {
 		if (get_request_var('drp_action') == '1') { // delete
@@ -262,7 +262,7 @@ function form_actions() {
 		<td class='saveRow'>
 			<input type='hidden' name='action' value='actions'>
 			<input type='hidden' name='selected_items' value='" . (isset($host_array) ? serialize($host_array) : '') . "'>
-			<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+			<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 			$save_html
 		</td>
 	</tr>\n";

lib/functions.php

@@ -8412,6 +8412,29 @@ function cacti_validate_sort_column(string $column, array $allowed, string $defa
 	return $default !== '' ? $default : (count($allowed) > 0 ? $allowed[0] : 'id');
 }
 
+/**
+ * escape_page_action - Look up a drp_action key in an actions array and return
+ * the matching label, html_escape()'d and ready for direct output.
+ *
+ * The key is used only for the array lookup, so a non-scalar or unknown key
+ * yields $default. Plugin hooks (api_plugin_hook_function) may substitute
+ * labels containing HTML, so the result is escaped here; callers output it
+ * directly without a second html_escape().
+ *
+ * @param array  $actions     Associative array mapping drp_action values to labels.
+ * @param mixed  $drp_action  The drp_action key to look up; non-scalar keys yield $default.
+ * @param string $default     Label to return when the key is absent from the array.
+ *
+ * @return string  The html_escape()'d matched label, or $default.
+ */
+function escape_page_action(array $actions, $drp_action, string $default = ''): string {
+	if (!is_string($drp_action) && !is_int($drp_action)) {
+		return $default;
+	}
+
+	return html_escape(isset($actions[$drp_action]) ? $actions[$drp_action] : $default);
+}
+
 /**
  * cacti_http - SSRF-hardened HTTP GET.
  *

lib/html_reports.php

@@ -516,7 +516,7 @@ function ($rid) {
 
 	form_start(get_reports_page(), 'report');
 
-	html_start_box($reports_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($reports_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (!isset($reports_array)) {
 		raise_message(40);

links.php

@@ -188,7 +188,7 @@ function form_actions() {
 
 	form_start('links.php');
 
-	html_start_box($link_actions[get_request_var_post('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($link_actions, get_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($pages) && cacti_sizeof($pages)) {
 		if (get_request_var('drp_action') == '3') { // Enable Pages
@@ -229,7 +229,7 @@ function form_actions() {
 		<td>
 			<input type='hidden' name='action' value='actions'>
 			<input type='hidden' name='selected_items' value='" . (isset($pages) ? serialize($pages) : '') . "'>
-			<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+			<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 			$save_html
 		</td>
 	</tr>";

managers.php

@@ -1015,7 +1015,7 @@ function form_actions() {
 
 			form_start('managers.php');
 
-			html_start_box($manager_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+			html_start_box(escape_page_action($manager_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 			if (cacti_sizeof($selected_items)) {
 				if (get_nfilter_request_var('drp_action') == '1') { // delete
@@ -1080,7 +1080,7 @@ function form_actions() {
 
 			form_start('managers.php');
 
-			html_start_box($manager_notification_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+			html_start_box(escape_page_action($manager_notification_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 			if (cacti_sizeof($selected_items)) {
 				$msg = (get_nfilter_request_var('drp_action') == 2)

pollers.php

@@ -550,7 +550,7 @@ function form_actions() {
 
 	form_start('pollers.php');
 
-	html_start_box($poller_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($poller_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($poller_array) && cacti_sizeof($poller_array)) {
 		if (get_nfilter_request_var('drp_action') == '1') { // delete

sites.php

@@ -369,7 +369,7 @@ function form_actions() {
 
 	form_start('sites.php');
 
-	html_start_box($site_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($site_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($site_array) && cacti_sizeof($site_array)) {
 		if (get_nfilter_request_var('drp_action') == '1') { /* delete */

tree.php

@@ -706,7 +706,7 @@ function ($tid) {
 
 	form_start('tree.php');
 
-	html_start_box($tree_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(escape_page_action($tree_actions, get_nfilter_request_var('drp_action')), '60%', '', '3', 'center', '');
 
 	if (isset($tree_array) && cacti_sizeof($tree_array)) {
 		if (get_nfilter_request_var('drp_action') == '1') { // delete