Commit d885d229 authored by hahn's avatar hahn

task#38892 showing logs with ajax: fix error and hardening

parent 02482221
......@@ -27,3 +27,4 @@ nbproject
/public_html/vendor/medoo/
/config/_inc_projects_config.php
/config/inc_projects_config.php
/.vscode/
\ No newline at end of file
......@@ -136,11 +136,22 @@ class Actionlog {
return $oResult;
}
/**
* helper function to remove chars in a string
* @param string $sVal user value
* @param string $sOKChars good chars to keep
* @return string
*/
private function _filterAllowedChars($sVal, $sOKChars){
return preg_replace('/[^'.$sOKChars. ']/i', '',$sVal);
}
/**
* get log data
* @param array $aFilter with the following keys:
* 'project' - filter by project; will be mixed with where (see next key)
* 'where' - where clausel - part behind "WHERE "
* 'from ' - time greater equal; time as string i.e. "2020-06-24" or "2020-06-24 11:00:00"
* 'to' - max time (see from)
* 'order' - order clausel - part behind "ORDER BY "; default is "id DESC" (order by newest entries)
* 'limit' - limit clausel - part behind "LIMIT "
* @return array
......@@ -151,22 +162,27 @@ class Actionlog {
$sSql = 'SELECT `id`,`time`,`loglevel`,`ip`,`user`,`project`,`action`,`message` from logs ';
$sWhere = false;
if (array_key_exists("where", $aFilter) && $aFilter["where"]) {
$sWhere.=' WHERE (' . $aFilter["where"] . ') ';
}
$aWhere=array();
if (array_key_exists("project", $aFilter) && $aFilter["project"]) {
$sProjectWhere = '`project`="' . $aFilter["project"] . '"';
$sWhere.= $sWhere ? ' AND ' . $sProjectWhere : 'WHERE ' . $sProjectWhere;
$aWhere[]='`project`="' . $this->_filterAllowedChars($aFilter["project"], '[a-z0-9\-\_]') . '"';
}
if (array_key_exists("from", $aFilter) && $aFilter["from"]) {
$aWhere[]='`time`>="' . $this->_filterAllowedChars($aFilter["from"], '[0-9\-\ \:]') . '"';
}
$sSql.=$sWhere;
if (array_key_exists("to", $aFilter) && $aFilter["to"]) {
$aWhere[]='`time`<="' . $this->_filterAllowedChars($aFilter["to"], '[0-9\-\ \:]') . '"';
}
$sSql.=(count($aWhere) ? 'WHERE '. implode(' AND ', $aWhere) : '');
if (array_key_exists("order", $aFilter) && $aFilter["order"]) {
$sSql.=' ORDER BY ' . $aFilter["order"];
$sSql.=' ORDER BY ' . $this->_filterAllowedChars($aFilter["order"], '[a-z\`0-9\,\ ]');
} else {
$sSql.=' ORDER BY id DESC ';
}
if (array_key_exists("limit", $aFilter) && $aFilter["limit"]) {
$sSql.=' LIMIT ' . $aFilter["limit"];
$sSql.=' LIMIT ' . $this->_filterAllowedChars($aFilter["limit"], '[0-9\,\ ]');
}
foreach ($this->_makeQuery($sSql) as $row) {
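Review bot: The character filter applied to `project`, `from`, `to`, `order` and `limit` in this hunk strips almost nothing in practice, because `_filterAllowedChars` (previous hunk) already wraps its argument in `[^` … `]` and every call site passes a class that carries its own brackets, producing patterns like `/[^[a-z0-9\-\_]]/i` — a negated class in which the inner `[` is a literal, followed by a literal `]` — so a disallowed character is removed only when it is immediately followed by `]`. A value such as `x" OR "1" LIKE "1` therefore reaches the `project` clause untouched and the SQL assembled here is still injectable (the `sws` parameter check further down this page permits `"`, spaces and letters). Pass the class body without brackets, e.g. `$this->_filterAllowedChars($aFilter["project"], 'a-z0-9\-_')` and the same for the other four calls, or make the helper strip surrounding brackets itself; binding the values as query parameters through `_makeQuery` would be the stronger fix if that helper supports it (not visible here). The docblock in the previous hunk still lists a `'where'` key that this hunk no longer reads. `getLogs` starts before and ends after this hunk.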
......@@ -250,7 +266,7 @@ class Actionlog {
$aForms["filter"]["form"]['selectproject']['options'][$row[0]]=array('label'=>$row[0]);
}
}
$aForms["filter"]["form"]['selectWheretime'] = array(
$aForms["filter"]["form"]['selectfrom'] = array(
'type' => 'select',
'name' => 'selectWheretime',
'label' => '<i class="glyphicon glyphicon-calendar"></i> '.t("class-actionlog-time"),
......@@ -174,10 +174,16 @@ class sws {
*/
private function _verifyParamValue($sParamValue){
$sOKChars='a-z0-9\"\{\}\[\]\.\,\ \:\-\+';
/*
$sOKChars='a-z0-9\"\`\'\{\}\[\]\.\,\ \:\-\+'
.'\<\>\='
;
*/
if(isset($this->_aParams[$sParamValue])){
$sVal=urldecode($this->_aParams[$sParamValue]);
if(preg_match('/[^'.$sOKChars. ']/i', $sVal)){
$this->_quit("ERROR: parameter $sParamValue=.. contains unsupported character(s): [". preg_replace('/['.$sOKChars. ']/i', '',$sVal)."]");
$sBadchars=preg_replace('/['.$sOKChars. ']/i', '',$sVal);
if($sBadchars){
$this->_quit("ERROR: parameter $sParamValue=.. contains unsupported character(s): [". $sBadchars."]");
}
}
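Review bot: The new `if($sBadchars)` guard makes the check fail open: the `preg_match` just above has already established that the value contains a character outside `$sOKChars`, so the only way `$sBadchars` can be empty here is `preg_replace` returning `null` on a PCRE error, and in exactly that case the request is now accepted instead of rejected. Keep the rejection unconditional and use `$sBadchars` only for the message, i.e. replace the inner `if` with `$this->_quit("ERROR: parameter $sParamValue=.. contains unsupported character(s): [". $sBadchars."]");`. The commented-out alternative character set at the top of the hunk is dead code; a one-line comment stating that backtick, `'`, `<`, `>` and `=` are deliberately excluded would serve the next reader better. `_verifyParamValue` ends outside this hunk.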
......@@ -60,8 +60,8 @@ $(document).ready(function() {
/**
* get filtered action log table
* @returns {undefined}
*/
function updateActionlog(){
function __REMOVEME___updateActionlog(){
var sUrlBase="/webservice/?class=Actionlog&action=getLogs&type=json&args=";
var aArgs={};
......@@ -124,7 +124,58 @@ function updateActionlog(){
});
}
*/
/**
* get filtered action log table
* @returns {undefined}
*/
function updateActionlog(){
var sUrlBase="/webservice/?class=Actionlog&action=getLogs&type=json&args=";
// columns in output table
var aTableitems=["id", "time", "loglevel", "ip", "user", "project", "action", "message"];
var aArgs={
'project': $('#selectproject').val(),
'from': $('#selectfrom').val(),
'to': $('#selectto').val(),
'limit': $('#selectlimit').val(),
}
// --- get data
var sUrl=sUrlBase+'['+JSON.stringify(aArgs)+']';
$.post( sUrl, function( aData ) {
var sHtml='';
// --- generate output
if (aData.length && aData[0]["id"]){
for (i=0; i<aData.length; i++){
sHtml+='<tr class="tractionlogs loglevel-'+aData[i]["loglevel"]+' '+aData[i]["project"]+'">';
for (j=0; j<aTableitems.length; j++){
sHtml+='<td>'+aData[i][aTableitems[j]]+'</td>';
}
sHtml+='</tr>';
}
}
drawTimeline(aData);
if (!sHtml){
sHtml=sMsgNolog; // variable is set in actionlog.class.php
} else {
sHead='';
for (j=0; j<aTableitems.length; j++){
sHead+='<th>'+aTableitems[j]+'</th>';
}
sHead='<thead><tr>'+sHead+'</tr></thead>';
sHtml='<table class="table table-condensed">'+sHead+'<tbody>'+sHtml+'</tbody></table>';
}
$('#tableLogactions').html(sHtml);
filterLogTable();
});
}
/**
* render timeline with Visjs
*
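Review bot: The row builder in `updateActionlog` concatenates every log field (`message`, `user`, `ip`, `action`, …) and the `loglevel`/`project` values straight into HTML and hands the result to `.html()`, so any log entry whose fields carry attacker-influenced text (presumably log lines written from request data — the writer is not visible here) is rendered as markup, i.e. stored XSS in the log viewer. Escape each value for HTML before concatenating, including quotes, since `project` lands inside a `class` attribute, or build the cells with `$('<td>').text(...)`. The header row comes from the fixed `aTableitems` list and needs no escaping. As a style point, `i`, `j` and `sHead` are assigned without `var` and leak as globals.
```javascript
function escapeHtml(v){
    return String(v === null || v === undefined ? '' : v)
        .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}
// … unchanged: sUrlBase, aTableitems, aArgs, sUrl …
$.post( sUrl, function( aData ) {
    var sHtml='';
    if (aData.length && aData[0]["id"]){
        for (var i=0; i<aData.length; i++){
            sHtml+='<tr class="tractionlogs loglevel-'+escapeHtml(aData[i]["loglevel"])+' '+escapeHtml(aData[i]["project"])+'">';
            for (var j=0; j<aTableitems.length; j++){
                sHtml+='<td>'+escapeHtml(aData[i][aTableitems[j]])+'</td>';
            }
            sHtml+='</tr>';
        }
    }
    // … unchanged: drawTimeline, header/table assembly, filterLogTable …
```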