File zabbix-ZBX-20680.patch of Package zabbix.25188
From 763ff68f0e5ddd1c84770059f2a634fd4577fcb5 Mon Sep 17 00:00:00 2001
From: Andrejs Verza <andrejs.verza@zabbix.com>
Date: Tue, 22 Feb 2022 11:17:22 +0200
Subject: [PATCH] ..F....... [DEV-2077] fixed reflected XSS issues
Merge in ZBX/zabbix from feature/DEV-2077-5.4 to release/5.4
* commit '5986cdf2572acaaaac1fc113d6407d5f0cd00c35':
..F....... [DEV-2077] fixed service actions #3
..F....... [DEV-2077] fixed service actions #2
..F....... [DEV-2077] reverted unnecessary changes
..F....... [DEV-2077] reverted tests
..F....... [DEV-2077] fixed service actions
..F....... [DEV-2077] fixed reflected XSS issue in service configuration form
..F....... [DEV-2077] fixed reflected XSS issues in uncheckTableRows function
..F....... [DEV-2077] fixed reflected XSS issues in graph configuration
..F....... [DEV-2077] fixed reflected XSS issues in action configuration
(cherry picked from commit 05976188fcca518c029e1af9ed03fd331786d77d)
---
frontends/php/actionconf.php | 2 +-
frontends/php/graphs.php | 2 +-
frontends/php/include/func.inc.php | 4 ++--
frontends/php/include/views/configuration.services.edit.php | 5 +++--
4 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/frontends/php/actionconf.php b/frontends/php/actionconf.php
index 9265062858..090190b71e 100644
--- a/frontends/php/actionconf.php
+++ b/frontends/php/actionconf.php
@@ -35,7 +35,7 @@ $fields = [
'name' => [T_ZBX_STR, O_OPT, null, NOT_EMPTY, 'isset({add}) || isset({update})',
_('Name')
],
- 'eventsource' => [T_ZBX_INT, O_OPT, null,
+ 'eventsource' => [T_ZBX_INT, O_OPT, P_SYS,
IN([EVENT_SOURCE_TRIGGERS, EVENT_SOURCE_DISCOVERY,
EVENT_SOURCE_AUTO_REGISTRATION, EVENT_SOURCE_INTERNAL
]),
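Review bot: Nothing in the hunk records why P_SYS is now set on eventsource; presumably check_fields() renders a generic error for P_SYS fields instead of echoing the rejected value back into the page, which is what the commit message implies, and that is worth confirming against the validator before relying on it. A one-line comment above the entry, `// P_SYS: validation errors must not echo the submitted value back into the page.`, would keep a future cleanup from dropping the flag as unused. The same applies to graphtype in the graphs.php hunk. Other enumerated-integer fields in these $fields arrays (ymin_type is visible as context in graphs.php) are left without P_SYS; whether their failures are surfaced the same way is outside the hunk, so a consistent policy for the whole array deserves a check.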
diff --git a/frontends/php/graphs.php b/frontends/php/graphs.php
index 122e4cef85..70fbd01bf3 100644
--- a/frontends/php/graphs.php
+++ b/frontends/php/graphs.php
@@ -44,7 +44,7 @@ $fields = [
'name' => [T_ZBX_STR, O_OPT, null, NOT_EMPTY, 'isset({add}) || isset({update})', _('Name')],
'width' => [T_ZBX_INT, O_OPT, null, BETWEEN(20, 65535), 'isset({add}) || isset({update})', _('Width')],
'height' => [T_ZBX_INT, O_OPT, null, BETWEEN(20, 65535), 'isset({add}) || isset({update})', _('Height')],
- 'graphtype' => [T_ZBX_INT, O_OPT, null, IN('0,1,2,3'), 'isset({add}) || isset({update})'],
+ 'graphtype' => [T_ZBX_INT, O_OPT, P_SYS, IN('0,1,2,3'), 'isset({add}) || isset({update})'],
'show_3d' => [T_ZBX_INT, O_OPT, P_NZERO, IN('0,1'), null],
'show_legend' => [T_ZBX_INT, O_OPT, P_NZERO, IN('0,1'), null],
'ymin_type' => [T_ZBX_INT, O_OPT, null, IN('0,1,2'), null],
diff --git a/frontends/php/include/func.inc.php b/frontends/php/include/func.inc.php
index 955a90d789..e9a4400104 100644
--- a/frontends/php/include/func.inc.php
+++ b/frontends/php/include/func.inc.php
@@ -2426,10 +2426,10 @@ function uncheckTableRows($parentid = null, $keepids = []) {
// If $keepids will not have same key as value, it will create mess, when new checkbox will be checked.
$keepids = array_combine($keepids, $keepids);
- insert_js('sessionStorage.setItem("'.$key.'", JSON.stringify('.CJs::encodeJson($keepids).'))');
+ insert_js('sessionStorage.setItem('.json_encode($key).', JSON.stringify('.json_encode($keepids).'));');
}
else {
- insert_js('sessionStorage.removeItem("'.$key.'")');
+ insert_js('sessionStorage.removeItem('.json_encode($key).');');
}
}
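Review bot: json_encode() on both changed lines is called without JSON_HEX_TAG, so a `<` or `>` in $key or in a $keepids entry is emitted verbatim into the script text that insert_js() produces; if that text ends up in an inline script element (not visible here), a `</script>` sequence in the data would close the element early, which the quoting fix alone does not cover. Passing the HEX flags to each call, e.g. `insert_js('sessionStorage.setItem('.json_encode($key, JSON_HEX_TAG | JSON_HEX_AMP).', JSON.stringify('.json_encode($keepids, JSON_HEX_TAG | JSON_HEX_AMP).'));');`, closes that gap. json_encode() also returns false on malformed UTF-8, which would splice the literal `false` into the script; JSON_INVALID_UTF8_SUBSTITUTE or an explicit return-value check avoids that, depending on the PHP baseline this branch supports. Whether $key or $keepids can carry untrusted bytes is not decidable from the hunk, since uncheckTableRows() begins above it, so treat this as defence in depth.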
diff --git a/frontends/php/include/views/configuration.services.edit.php b/frontends/php/include/views/configuration.services.edit.php
index 2b814cc8ed..e74ec72066 100644
--- a/frontends/php/include/views/configuration.services.edit.php
+++ b/frontends/php/include/views/configuration.services.edit.php
@@ -132,9 +132,10 @@ foreach ($this->data['children'] as $child) {
!empty($child['trigger']) ? $child['trigger'] : '',
(new CCol(
(new CButton('remove', _('Remove')))
- ->onClick('javascript: removeDependentChild(\''.$child['serviceid'].'\');')
- ->addClass(ZBX_STYLE_BTN_LINK)
->removeId()
+ ->addClass(ZBX_STYLE_BTN_LINK)
+ ->setAttribute('data-serviceid', $child['serviceid'])
+ ->onClick('removeDependentChild(this.dataset.serviceid);')
))->addClass(ZBX_STYLE_NOWRAP)
]))->setId('children_'.$child['serviceid'])
);
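Review bot: The new data-serviceid attribute and the handler reading `this.dataset.serviceid` carry no comment recording that this indirection is the XSS fix, so a later edit could fold the id back into the onClick string; a line such as `// Pass the id through a data attribute so it is never concatenated into the inline handler.` above the CButton would preserve the intent. Whether setAttribute() escapes the value for the attribute context depends on CTag rendering outside this file; the unchanged `setId('children_'.$child['serviceid'])` on the next line relies on the same escaping, so both stand or fall together and that path is worth confirming. The enclosing foreach starts above the hunk and continues below it.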
--
2.35.1