fix: [Security] SQL Injection in cacti endpoint (#7146)

Nguyễn Công Tú · TheWitness · web-flow · commit 31e444d3bab2 · 2026-05-13T15:37:31.000-04:00
Co-authored-by: TheWitness &lt;thewitness@cacti.net&gt;
diff --git a/data_debug.php b/data_debug.php
@@ -109,8 +109,8 @@
 	case 'ajax_hosts':
 		$sql_where = '';
 
-		if (grv('site_id') > 0) {
-			$sql_where = 'site_id = ' . grv('site_id');
+		if (gfrv('site_id') > 0) {
+			$sql_where = 'site_id = ' . gfrv('site_id');
 		}
 
 		get_allowed_ajax_hosts(true, true, $sql_where);
@@ -119,8 +119,8 @@
 	case 'ajax_hosts_noany':
 		$sql_where = '';
 
-		if (grv('site_id') > 0) {
-			$sql_where = 'site_id = ' . grv('site_id');
+		if (gfrv('site_id') > 0) {
+			$sql_where = 'site_id = ' . gfrv('site_id');
 		}
 
 		get_allowed_ajax_hosts(false, true, $sql_where);
diff --git a/data_sources.php b/data_sources.php
@@ -87,8 +87,8 @@
 	case 'ajax_hosts':
 		$sql_where = '';
 
-		if (grv('site_id') > 0) {
-			$sql_where = 'site_id = ' . grv('site_id');
+		if (gfrv('site_id') > 0) {
+			$sql_where = 'site_id = ' . gfrv('site_id');
 		}
 
 		get_allowed_ajax_hosts(true, true, $sql_where);
@@ -97,8 +97,8 @@
 	case 'ajax_hosts_noany':
 		$sql_where = '';
 
-		if (grv('site_id') > 0) {
-			$sql_where = 'site_id = ' . grv('site_id');
+		if (gfrv('site_id') > 0) {
+			$sql_where = 'site_id = ' . gfrv('site_id');
 		}
 
 		get_allowed_ajax_hosts(false, true, $sql_where);
diff --git a/reports.php b/reports.php
@@ -96,12 +96,12 @@
 
 		$sql_where = '';
 
-		if (grv('site_id') > 0) {
-			$sql_where .= ($sql_where != '' ? ' AND ' : '') . 'h.site_id = ' . grv('site_id');
+		if (gfrv('site_id') > 0) {
+			$sql_where .= ($sql_where != '' ? ' AND ' : '') . 'h.site_id = ' . gfrv('site_id');
 		}
 
-		if (grv('host_template_id') > 0) {
-			$sql_where .= ($sql_where != '' ? ' AND ' : '') . 'h.host_template_id = ' . grv('host_template_id');
+		if (gfrv('host_template_id') > 0) {
+			$sql_where .= ($sql_where != '' ? ' AND ' : '') . 'h.host_template_id = ' . gfrv('host_template_id');
 		}
 
 		get_allowed_ajax_hosts(true, true, $sql_where);

Original file line number	Diff line number	Diff line change
`@@ -96,12 +96,12 @@`
`96`	`96`
`97`	`97`	`$sql_where = '';`
`98`	`98`
`99`		`- if (grv('site_id') > 0) {`
`100`		`- $sql_where .= ($sql_where != '' ? ' AND ' : '') . 'h.site_id = ' . grv('site_id');`
	`99`	`+ if (gfrv('site_id') > 0) {`
	`100`	`+ $sql_where .= ($sql_where != '' ? ' AND ' : '') . 'h.site_id = ' . gfrv('site_id');`
`101`	`101`	`}`
`102`	`102`
`103`		`- if (grv('host_template_id') > 0) {`
`104`		`- $sql_where .= ($sql_where != '' ? ' AND ' : '') . 'h.host_template_id = ' . grv('host_template_id');`
	`103`	`+ if (gfrv('host_template_id') > 0) {`
	`104`	`+ $sql_where .= ($sql_where != '' ? ' AND ' : '') . 'h.host_template_id = ' . gfrv('host_template_id');`
`105`	`105`	`}`
`106`	`106`
`107`	`107`	`get_allowed_ajax_hosts(true, true, $sql_where);`