Differences

This shows you the differences between two versions of the page.

faq [2018/01/15 16:10]
cigamit [Windows Specific Debugging]
faq [2018/01/15 16:18] (current)
cigamit [How can I ensure that my plugin has minimal chances of being exploited]
Line 205: Line 205:
 Cacti 1.x will disable a plugin when it encounters a fatal error that might compromise the Cacti system.  These errors include: syntax errors, fatal errors, etc.  If Cacti 1.x finds one of these warnings, it will always log a message to the Cacti log so that you can pinpoint the problem.  It also generates a backtrace that you can follow to make the process easier.  This was done intentionally, to make Cacti more fault tolerant. Cacti 1.x will disable a plugin when it encounters a fatal error that might compromise the Cacti system.  These errors include: syntax errors, fatal errors, etc.  If Cacti 1.x finds one of these warnings, it will always log a message to the Cacti log so that you can pinpoint the problem.  It also generates a backtrace that you can follow to make the process easier.  This was done intentionally, to make Cacti more fault tolerant.
  
-==== How can I ensure that my plugin has minimal changes of being exploited ====+==== How can I ensure that my plugin has minimal chances of being exploited ====
  
-Cacti 1.x provides numerous validation functions and display functions to protect your plugin from possible exploitation.  We also have a 'Developer Debug' mode to inform you when you are not properly sanitizing your variables.  You should never use raw request variables.  Examples include $_REQUEST$_GET, $_POST in your plugins These variables should always be validated using one of the following functions:+Cacti 1.x provides numerous validation functions and display functions to protect your plugin from possible exploitation.  We also have a **Developer Debug** checkbox under **Configuration > Settings > General** to inform you when you are not properly sanitizing your variables.  When enabled, any time you consume a request variable without first sanitizing ita message will appear in the Cacti log.
  
-To sanitize a single variable for display or database utilization:+Next, you should never use raw request variables in your plugins.  Examples include $_REQUEST, $_GET, and $_POST.  These variables should always be validated using one of the following functions: 
 + 
 +To sanitize a single variable for display, if/then/else, case statements, use in database functions, or any other code use:
  
 <code> <code>
 get_filter_request_var($variable, $filter, $options);  // Default with no option is to validate INTEGER get_filter_request_var($variable, $filter, $options);  // Default with no option is to validate INTEGER
-get_request_var();                                     // Retrive a variable.  Warning issued if not previously checked +get_request_var($variable);                            // Retrive a variable.  Warning issued if not previously checked 
-get_nfilter_request_var()                              // Get a request var, but don't issue a warning if it has not already been validated +get_nfilter_request_var($varialbel                   // Get a request var, but don't issue a warning if it has not already been validated 
-isset_request_var();                                   // Check if a request var is set +isset_request_var($variable);                          // Check if a request var is set 
-isempty_request_var();                                 // Check to see if the request var is set but empty +isempty_request_var($variable);                        // Check to see if the request var is set but empty 
-set_request_var()                                      // Set a request var to a value+set_request_var($variable                            // Set a request var to a value
 </code> </code>
  
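Review bot: the two edited call examples in the `<code>` block are syntactically broken on the new side. `get_nfilter_request_var($varialbel` misspells the parameter name and drops the closing parenthesis and semicolon; `set_request_var($variable` likewise loses its closing parenthesis and, unlike the comment "Set a request var to a value" implies, shows no second argument for the value. Suggest `get_nfilter_request_var($variable);` and `set_request_var($variable, $value);` (the `$value` name is my suggestion, not from the page). Two prose nits in the same hunk: "Retrive" should read "Retrieve", and "without first sanitizing ita message will appear" is missing a space and a comma ("sanitizing it, a message will appear"). Since the section's point is that unsanitized request variables are what gets a plugin exploited, it would also help to say outright that `get_nfilter_request_var()` suppresses only the warning, so the caller is still responsible for validating the value before it reaches display or database code.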
Line 241: Line 243:
  
 As long as your stick by these rules, your code should be safe from vulnerabilities. As long as your stick by these rules, your code should be safe from vulnerabilities.
 +
 +==== I need to debug a problem, but when I put Cacti into debug mode, I can not see the trees from the forest ====
 +
 +Cacti 1.x supports individual file, plugins, and device based debugging.  Look for the settings in **Configuration > Settings > General**.  You can place any number of files into debug mode and only get debug messages when those files are being called either from the Website or CLI.  Spine also supports this setting.
 +
  
 ===== Windows Specific Debugging ===== ===== Windows Specific Debugging =====
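Review bot: the new heading "I can not see the trees from the forest" inverts the idiom; it should read "I cannot see the forest for the trees". In the added paragraph, "individual file, plugins, and device based debugging" mixes singular and plural ("file, plugin, and device based debugging"), and the unchanged context line above still carries the typo "As long as your stick by these rules" ("you stick"). The paragraph also only says "Look for the settings in **Configuration > Settings > General**" without naming the setting that enables per-file or per-plugin debugging; naming it would save readers a hunt through that page, and a short note on what "Spine also supports this setting" means in practice (whether Spine reads the same per-device list) would make the new FAQ entry actionable.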