[ZBX-10318] adding and removing columns and rows in screens uses GET requests
Created: 2016 Jan 28  Updated: 2020 Jul 16  Resolved: 2016 Mar 15

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 3.0.0beta1
Fix Version/s: 3.0.2rc1, 3.2.0alpha1

Type: Defect (Security)
Priority: Minor
Reporter: Aleksandrs Saveljevs
Assignee: Unassigned
Resolution: Fixed
Votes: 0
Labels: screens, security, vulnerability
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by ZBX-7241 Possible to create screen larger than... Closed

 Description   

Suppose we are editing a screen and playing with adding and removing columns and rows. The URLs to do these actions will be like these (note the last part):

http://localhost/zabbix/screenedit.php?config=1&screenid=16&add_col=0
http://localhost/zabbix/screenedit.php?config=1&screenid=16&rmv_col=0
http://localhost/zabbix/screenedit.php?config=1&screenid=16&add_row=3
http://localhost/zabbix/screenedit.php?screenid=16&rmv_row=3

These are GET requests, which means that pressing F5 or simply giving someone these links to go to will perform the corresponding action.
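
A defender's check for the behaviour described above, as an added example that is not part of the original issue or of Zabbix code: it scans web-server access-log lines (combined log format assumed) for GET requests to screenedit.php that carry the `add_col`, `rmv_col`, `add_row` or `rmv_row` parameters. `FRONTEND_HOST`, the function name `audit` and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters from the issue that change a screen's layout.
MUTATING_PARAMS = {"add_col", "rmv_col", "add_row", "rmv_row"}
FRONTEND_HOST = "localhost"  # assumption: host the frontend is served from

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

def audit(lines):
    """Return one finding per GET request that carries a layout-changing parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        query = parse_qs(url.query, keep_blank_values=True)
        actions = sorted(MUTATING_PARAMS.intersection(query))
        if not url.path.endswith("/screenedit.php") or not actions:
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None when the referer is "-" or empty
        findings.append({
            "ip": m["ip"],
            "screenid": query.get("screenid", [None])[0],
            "actions": actions,
            # True when the request was not navigated to from the frontend itself
            "off_site": ref_host != FRONTEND_HOST,
        })
    return findings

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    '192.0.2.10 - - [28/Jan/2016:10:00:01 +0200] "GET /zabbix/screenedit.php?config=1&screenid=16&add_col=0 HTTP/1.1" 200 5120 "http://localhost/zabbix/screenedit.php?screenid=16" "Mozilla/5.0"',
    '192.0.2.11 - - [28/Jan/2016:10:00:07 +0200] "GET /zabbix/screenedit.php?screenid=16&rmv_row=3 HTTP/1.1" 200 5090 "http://wiki.example/page" "Mozilla/5.0"',
    '192.0.2.10 - - [28/Jan/2016:10:00:09 +0200] "GET /zabbix/screenedit.php?screenid=16 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [28/Jan/2016:10:00:12 +0200] "POST /zabbix/screenedit.php HTTP/1.1" 302 0 "http://localhost/zabbix/screenedit.php?screenid=16" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Findings with `off_site` set are the ones to look at first, since they match the "link given to someone" case rather than a click inside the screen editor.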



 Comments   
Comment by vitalijs.cemeris (Inactive) [ 2016 Feb 05 ]

RESOLVED in development branch svn://svn.zabbix.com/branches/dev/ZBX-10318
r58408

Comment by Alexander Vladishev [ 2016 Mar 09 ]

(1) new functions addScreenCellGroup() and removeScreenCellGroup():

  • debug functions xdebug_start_trace() and xdebug_stop_trace() must be removed from code
  • getRequest() call cannot be used in auxiliary functions
  • these functions can produce too many API requests (performance issue)

sasha RESOLVED in r58932, 58934

iivs CLOSED.

Comment by Alexander Vladishev [ 2016 Mar 09 ]

(2) translation strings changed

Strings added:

  • must be between "%1$s" and "%2$s"

Strings deleted:

  • Impossible to remove last row and column.
  • Screen should contain at least one row and column.

iivs CLOSED.

Comment by Alexander Vladishev [ 2016 Mar 10 ]

(3) a new method CLink->setUrl() must be removed

sasha RESOLVED in r58933

iivs CLOSED.

Comment by Alexander Vladishev [ 2016 Mar 10 ]

(4) Validation of "vsize" and "hsize" parameters must be moved into API

Related issue: ZBX-10517

sasha RESOLVED in r58953.

iivs CLOSED.

Comment by Alexander Vladishev [ 2016 Mar 11 ]

(5) Cannot insert an empty row/column into the screen

Screen "Zabbix server" cell X - 0 Y - 1 is already taken. [screenedit.php:250 → addScreenRow() → CFrontendApiWrapper->update() → CApiWrapper->__call() → CFrontendApiWrapper->callMethod() → CApiWrapper->callMethod() → CFrontendApiWrapper->callClientMethod() → CLocalApiClient->callMethod() → call_user_func_array() → CScreen->update() → CScreen->updateReal() → CScreen->replaceItems() → CScreenItem->update() → CScreenItem->validateUpdate() → CScreenItem->checkDuplicateResourceInCell() → CApiService::exception() in include/classes/api/services/CScreenItem.php:965]

Related issue: ZBX-10517

sasha RESOLVED in r58976.

iivs CLOSED.

Comment by Ivo Kurzemnieks [ 2016 Mar 14 ]

(6) Fixed minor coding style issues in r58993. Please review.

sasha Thanks. CLOSED

Comment by Ivo Kurzemnieks [ 2016 Mar 14 ]

TESTED,

but don't forget to close (6).

Comment by Alexander Vladishev [ 2016 Mar 15 ]

Fixed in pre-3.0.2rc1 r58996 and pre-3.1.0 (trunk) r58995.
