fix(cli): repair dead PHP-binary dash-prefix guard in push_out_hosts.php (#7148)

* fix(cli): repair dead PHP-binary dash-prefix guard in push_out_hosts.php

The dash-prefix safety check in cli/push_out_hosts.php:55 referenced
$binary, which is never defined in this scope; $php_binary is the
real local set on line 39. Under PHP 8 the strpos(null, ...) call
returns false and the guard is dead, so a path_php_binary value
starting with a dash slips through to the passthru() command line.
The branch also returned 1 from top-level script context where exit(1)
is required to propagate the failure to the caller. Same line fixes
the "en empty" log typo.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

* test(security): refresh baselines after push_out_hosts line shift

The new dash-prefix guard added one line below the empty-binary
check; the passthru() sink in the same file shifted by one and the
sink_inventory pin needs to track it. Mechanical regeneration.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

---------

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

Author: somethingwithproof

cli/push_out_hosts.php

@@ -47,14 +47,15 @@
 	print 'WARNING: Deprecated script push_out_hosts.php. Please use rebuild_poller_cache.php.' . PHP_EOL;
 
 	if (!is_string($php_binary) || trim($php_binary) === '') {
-		cacti_log('ERROR: Rejected en empty PHP binary.', false, 'SYSTEM');
+		cacti_log('ERROR: Rejected an empty PHP binary.', false, 'SYSTEM');
 
 		exit(1);
 	}
 
-	if (strpos(trim($binary), '-') === 0) {
-		cacti_log('ERROR: Rejected PHP binary starting with dash: ' . $binary, false, 'SYSTEM');
-		return 1;
+	if (strpos(trim($php_binary), '-') === 0) {
+		cacti_log('ERROR: Rejected PHP binary starting with dash: ' . $php_binary, false, 'SYSTEM');
+
+		exit(1);
 	}
 
 	$args = array_merge(array($config['base_path'] . '/cli/rebuild_poller_cache.php'), $parms);

tests/security/baselines/architectural_hotspots.baseline.tsv

@@ -7,7 +7,7 @@ cmd_exec	./cli/audit_database.php:989				exec($db_shell .
 cmd_exec	./cli/batchgapfix.php:388			exec($command, $output, $return_var);
 cmd_exec	./cli/float_rrdfiles.php:335				$response = exec($command, $output, $return);
 cmd_exec	./cli/float_rrdfiles.php:443					$response = exec($command, $output, $return);
-cmd_exec	./cli/push_out_hosts.php:66		passthru($command, $exit_code);
+cmd_exec	./cli/push_out_hosts.php:67		passthru($command, $exit_code);
 cmd_exec	./cli/remove_broken_graphs.php:47		$stty = shell_exec('stty size');
 cmd_exec	./cli/splice_rrd.php:237	$response = shell_exec($rrdtool);
 cmd_exec	./cli/splice_rrd.php:269	shell_exec(cacti_escapeshellcmd($rrdtool) . ' dump ' . cacti_escapeshellarg($oldrrd) . ' > ' . cacti_escapeshellarg($oldxmlfile));

tests/security/baselines/sink_inventory.baseline.tsv

@@ -6,7 +6,7 @@ cmd_exec	./cli/audit_database.php:989				exec($db_shell .
 cmd_exec	./cli/batchgapfix.php:388			exec($command, $output, $return_var);
 cmd_exec	./cli/float_rrdfiles.php:335				$response = exec($command, $output, $return);
 cmd_exec	./cli/float_rrdfiles.php:443					$response = exec($command, $output, $return);
-cmd_exec	./cli/push_out_hosts.php:66		passthru($command, $exit_code);
+cmd_exec	./cli/push_out_hosts.php:67		passthru($command, $exit_code);
 cmd_exec	./cli/remove_broken_graphs.php:47		$stty = shell_exec('stty size');
 cmd_exec	./cli/splice_rrd.php:237	$response = shell_exec($rrdtool);
 cmd_exec	./cli/splice_rrd.php:269	shell_exec(cacti_escapeshellcmd($rrdtool) . ' dump ' . cacti_escapeshellarg($oldrrd) . ' > ' . cacti_escapeshellarg($oldxmlfile));