Merge pull request #1604 from unraid/feat-logger

logger - ensure params are escaped

emhttp/login.php

@@ -1,6 +1,7 @@
 <?php
 $docroot = $docroot ?? $_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp';
 require_once "$docroot/webGui/include/Helpers.php";
+require_once "$docroot/webGui/include/Wrappers.php";
 
 // add translations
 extract(parse_plugin_cfg('dynamix',true));

emhttp/plugins/dynamix.docker.manager/include/DockerClient.php

@@ -367,7 +367,7 @@ class DockerTemplates {
 			@copy($iconRAM,$icon);
 		}
 		if (!is_file($iconRAM)) {
-			exec("logger -t webGUI -- \"$contName: Could not download icon $imgUrl\"");
+			my_logger("$contName: Could not download icon $imgUrl");
 		}
 
 		return (is_file($iconRAM)) ? str_replace($docroot, '', $iconRAM) : '';

emhttp/plugins/dynamix.plugin.manager/scripts/language

@@ -6,6 +6,9 @@
 // Program updates made by Bergware International (April 2020)
 // Program updates made by Bergware International (June 2022)
 
+$docroot ??= ($_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp');
+require_once "$docroot/webGui/include/Wrappers.php";
+
 $usage = <<<EOF
 Process language files.
 
@@ -148,12 +151,6 @@ function download($url, $name, &$error) {
   }
 }
 
-// Deal with logging message.
-//
-function logger($message) {
-  exec("logger -t 'language-manager' -- \"$message\"");
-}
-
 // Interpret a language file
 // Returns TRUE if success, else FALSE and fills in error string.
 //
@@ -314,7 +311,7 @@ if ($method == 'install') {
   copy($xml_file, $lang_file);
   symlink($lang_file, $link_file);
   write("language: $lang language pack installed\n");
-  logger("$lang language pack installed");
+  my_logger('language-manager',"$lang language pack installed");
   // run hook scripts for post processing
   post_hooks();
   done(0);
@@ -396,7 +393,7 @@ if ($method == 'update') {
   copy($xml_file, $lang_file);
   symlink($lang_file, $link_file);
   write("language: $lang language pack updated\n");
-  logger("$lang language pack updated");
+  my_logger('language-manager',"$lang language pack updated");
   // run hook scripts for post processing
   post_hooks();
   done(0);
@@ -423,7 +420,7 @@ if ($method == 'remove') {
     done(1);
   }
   write("language: $lang language pack removed\n");
-  logger("$lang language pack removed");
+  my_logger('language-manager',"$lang language pack removed");
   // run hook scripts for post processing
   post_hooks();
   done(0);

emhttp/plugins/dynamix.plugin.manager/scripts/plugin

@@ -284,7 +284,7 @@ function filter_url($url) {
 // Deal with logging message.
 //
 function logger($message) {
-  exec("logger -t 'plugin-manager' -- \"$message\"");
+  exec("logger -t 'plugin-manager' -- ".escapeshellarg($message));
 }
 
 // Interpret a plugin file
@@ -691,7 +691,7 @@ if ($method == 'install') {
       $event = "Install error";
       $subject = "plugin: ".basename($plugin_file);
       $description = "Plugin failed to install";
-      exec("$notify -e $event -s $subject -d $description) -i 2");
+      exec("$notify -e ".escapeshellarg($event)." -s ".escapeshellarg($subject)." -d ".escapeshellarg($description)." -i 'warning'");
       // run hook scripts for post processing
       post_hooks($error);
       done(1);

emhttp/plugins/dynamix/include/.login.php

@@ -119,12 +119,12 @@ function verifyTwoFactorToken(string $username, string $token): bool {
         // This should accept 200 or 204 status codes
         if ($httpCode !== 200 && $httpCode !== 204) {
             // Log error to syslog
-            exec("logger -t webGUI -- \"2FA code for {$username} is invalid, blocking access!\"");
+            my_logger("2FA code for {$username} is invalid, blocking access!");
             return false;
         }
 
         // Log success to syslog
-        exec("logger -t webGUI -- \"2FA code for {$username} is valid, allowing login!\"");
+        my_logger("2FA code for {$username} is valid, allowing login!");
 
         // Success
         return true;
@@ -199,7 +199,7 @@ if (!empty($username) && !empty($password)) {
 
         // Check if we're limited
         if ($failCount >= $maxFails) {
-            if ($failCount == $maxFails) exec("logger -t webGUI -- \"Ignoring login attempts for {$username} from {$remote_addr}\"");
+            if ($failCount == $maxFails) my_logger("Ignoring login attempts for {$username} from {$remote_addr}");
             throw new Exception(_('Too many invalid login attempts'));
         }
 
@@ -216,7 +216,7 @@ if (!empty($username) && !empty($password)) {
         $_SESSION['unraid_user'] = $username;
         session_regenerate_id(true);
         session_write_close();
-        exec("logger -t webGUI -- \"Successful login user {$username} from {$remote_addr}\"");
+        my_logger("Successful login user {$username} from {$remote_addr}");
 
         // Redirect the user to the start page
         header("Location: /".$start_page);
@@ -226,7 +226,7 @@ if (!empty($username) && !empty($password)) {
         $error = $exception->getMessage();
 
         // Log error to syslog
-        exec("logger -t webGUI -- \"Unsuccessful login user {$username} from {$remote_addr}\"");
+        my_logger("Unsuccessful login user {$username} from {$remote_addr}");
         appendToFile($failFile, $time."\n");
     }
 }

emhttp/plugins/dynamix/include/.set-password.php

@@ -36,7 +36,7 @@ if (!empty($_POST['password']) && !empty($_POST['confirmPassword'])) {
     }
 
     // Error when attempting to set password
-    exec("logger -t webGUI -- \"{$VALIDATION_MESSAGES['saveError']} [REMOTE_ADDR]: {$REMOTE_ADDR}\"");
+    my_logger("{$VALIDATION_MESSAGES['saveError']} [REMOTE_ADDR]: {$REMOTE_ADDR}");
     return $POST_ERROR = $VALIDATION_MESSAGES['saveError'];
 }
 

emhttp/plugins/dynamix/include/PageBuilder.php

@@ -12,6 +12,7 @@
 ?>
 <?
 require_once "$docroot/webGui/include/MarkdownExtra.inc.php";
+require_once "$docroot/webGui/include/Wrappers.php";
 
 function get_ini_key($key,$default) {
   $x = strpos($key, '[');
@@ -32,7 +33,7 @@ function build_pages($pattern) {
   foreach (glob($pattern,GLOB_NOSORT) as $entry) {
     [$header, $content] = my_explode("\n---\n",file_get_contents($entry));
     $page = @parse_ini_string($header);
-    if (!$page) {exec("logger -t webGUI -- \"Invalid .page format: $entry\""); continue;}
+    if (!$page) {my_logger("Invalid .page format: $entry"); continue;}
     $page['file'] = $entry;
     $page['root'] = dirname($entry);
     $page['name'] = basename($entry, '.page');

emhttp/plugins/dynamix/include/SysDriversInit.php

@@ -3,10 +3,11 @@
 function SysDriverslog($m, $type='NOTICE') {
   if ($type == 'DEBUG') return;
   $m = str_replace(["\n",'"'],[" ","'"],print_r($m,true));
-  exec("logger -t sysDrivers -- \"$m\"");
+  my_logger('sysDrivers', "$m");
 }
 
 $docroot ??= ($_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp');
+require_once "$docroot/webGui/include/Wrappers.php";
 require_once "$docroot/webGui/include/Helpers.php";
 require_once "$docroot/webGui/include/SysDriversHelpers.php";
 require_once "$docroot/plugins/dynamix.plugin.manager/include/PluginHelpers.php";

emhttp/plugins/dynamix/include/Wrappers.php

@@ -145,4 +145,8 @@ function my_date($fmt, $time) {
   $legacy = ['%c' => 'D j M Y h:i A','%A' => 'l','%Y' => 'Y','%B' => 'F','%e' => 'j','%d' => 'd','%m' => 'm','%I' => 'h','%H' => 'H','%M' => 'i','%S' => 's','%p' => 'a','%R' => 'H:i', '%F' => 'Y-m-d', '%T' => 'H:i:s'];
   return date(strtr($fmt,$legacy), $time);
 }
+// ensure params passed to logger are properly escaped
+function my_logger($message, $tag="webgui") {
+  exec('logger -t '.escapeshellarg($tag).' -- '.escapeshellarg($message));
+}
 ?>

emhttp/plugins/dynamix/include/local_prepend.php

@@ -15,7 +15,7 @@
 // auto_prepend_file="/usr/local/emhttp/webGui/include/local_prepend.php"
 
 function csrf_terminate($reason) {
-  exec("logger -t webGUI -- \"error: {$_SERVER['REQUEST_URI']} - {$reason} csrf_token\"");
+  exec('logger -t webGUI -- '.escapeshellarg("error: {$_SERVER['REQUEST_URI']} - {$reason} csrf_token"));
   exit;
 }
 

emhttp/plugins/dynamix/include/publish.php

@@ -11,13 +11,16 @@
  */
 ?>
 <?
+$docroot ??= ($_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp');
+require_once "$docroot/webGui/include/Wrappers.php";
+
 function curl_socket($socket, $url, $message='') {
   $com = curl_init($url);
   curl_setopt_array($com, [CURLOPT_UNIX_SOCKET_PATH => $socket, CURLOPT_RETURNTRANSFER => 1]);
   if ($message) curl_setopt_array($com, [CURLOPT_POSTFIELDS => $message, CURLOPT_POST => 1]);
   $reply = curl_exec($com);
   curl_close($com);
-  if ($reply===false) exec("logger -t curl_socket -- 'curl to $url failed'");
+  if ($reply===false) my_logger("curl to $url failed", 'curl_socket');
   return $reply;
 }
 
@@ -32,7 +35,7 @@ function publish($endpoint, $message, $len=1) {
   ]);
   $reply = curl_exec($com);
   curl_close($com);
-  if ($reply===false) exec("logger -t publish -- 'curl to $endpoint failed'");
+  if ($reply===false) my_logger("curl to $endpoint failed", 'publish');
   return $reply;
 }
 ?>

emhttp/plugins/dynamix/scripts/netconfig

@@ -12,6 +12,9 @@
  */
 ?>
 <?
+$docroot ??= ($_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp');
+require_once "$docroot/webGui/include/Wrappers.php";
+
 $set = $ifname = $argv[1];
 $run = $set != 'none';
 $ini = parse_ini_file('/var/local/emhttp/network.ini',true); ksort($ini,SORT_NATURAL);
@@ -25,7 +28,7 @@ function update_wireguard($ifname) {
     $vtun = basename($wg,'.conf');
     // interface has changed?
     if (exec("grep -Pom1 ' dev $nic ' $wg")=='') {
-      exec("logger -t netconfig -- \"updated wireguard $vtun configuration\"");
+      my_logger("updated wireguard $vtun configuration", 'netconfig');
       exec("sed -ri 's/ dev (br0|bond0|eth0) / dev $nic /' $wg");
     }
     // restart active wireguard tunnels