Hi Salvatore, Paul,

I had a look at this issue in jessie, stretch and buster. I concluded that jessie and stretch are not affected. I have reproduced the issue in buster.
# Quick breakdown:

Graphs are retrieved using rrdtool_function_graph() from lib/rrd.php, this is true for jessie onwards. rrdtool_function_graph() has a check for permissions, which is in fact very similar to the ones introduced in 7a6a17252 and c7cf4a26e.

Before cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326[0] this check in rrdtool_function_graph() was always executed. After this commit the check is only executed when $user > 0. Note: 0 is the default value for $user:

[lib/rrd.php:1179][1]
function rrdtool_function_graph($local_graph_id, $rra_id, $graph_data_array, $rrdtool_pipe = '', &$xport_meta = array(), $user = 0) { ...

However graph_image.php, graph_json.php and rrdtool_function_xport() call rrdtool_function_graph() without passing $user:

[graph_image.php:132][2]
$output = rrdtool_function_graph(get_request_var('local_graph_id'), $rra_id, $graph_data_array);

Hence, permissions are never checked after this commit. I don't think this is the intended effect.

Now, let's try something: take 1.2.2+ds1-2+deb10u1, the version in buster which is affected, and simply revert cf73ae1a9f65b5a27d7f9d10:

--- a/lib/rrd.php 2019-10-16 13:24:08.590183640 +0200
+++ b/lib/rrd.php 2019-10-16 13:24:34.302046280 +0200
@@ -1171,11 +1171,11 @@ /* before we do anything; make sure the user has permission to view this graph, if not then get out */ - if ($user > 0) { + //if ($user > 0) { if (!is_graph_allowed($local_graph_id, $user)) { return 'GRAPH ACCESS DENIED'; } - } + //} if (getenv('LANG') == '') { putenv('LANG=' . str_replace('-', '_', CACTI_LOCALE) . '.UTF-8');

Try to reproduce: this is sufficient to "fix" the issue and appears to confirm previous analysis.

Any comments?

cheers,
Hugo

[0] https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326
[1] https://github.com/Cacti/cacti/blob/develop/lib/rrd.php#L1179
[2] https://github.com/Cacti/cacti/blob/develop/graph_image.php#L132

-- 
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
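Review bot: commenting out `if ($user > 0) {` and `//}` with `//` leaves the dead guard in the source rather than removing it, and once the guard is gone is_graph_allowed($local_graph_id, $user) runs with the default $user = 0 for every caller that omits the argument, so this hunk demonstrates that the skipped check is the cause but is not a fix to carry forward. Since graph_image.php, graph_json.php and rrdtool_function_xport() are the callers that drop $user, the change to propose is to pass the requesting user from those call sites (failing closed when none is available) and keep the check unconditional in rrdtool_function_graph().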
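Added illustration, not Cacti's code and not part of Hugo's message: a reduced PHP model of the guarded permission check described in the breakdown, with a fail-closed variant beside it. GRAPH_ACL, graph_after_commit() and graph_fail_closed() are hypothetical names and the ACL is constructed; only the `$user = 0` default and the `if ($user > 0)` guard mirror the page.

```php
<?php
// Constructed ACL for the demo: graph id => user ids allowed to view it.
const GRAPH_ACL = [42 => [7]];

// Stand-in for is_graph_allowed(); the real function consults Cacti's ACLs.
function is_graph_allowed(int $local_graph_id, int $user): bool {
    return in_array($user, GRAPH_ACL[$local_graph_id] ?? [], true);
}

// Pattern after cf73ae1a9: the check only runs when a user id was passed.
// A caller that omits $user gets the default 0, the guard is false and the
// graph is rendered without any permission check (fails open).
function graph_after_commit(int $local_graph_id, int $user = 0): string {
    if ($user > 0) {
        if (!is_graph_allowed($local_graph_id, $user)) {
            return 'GRAPH ACCESS DENIED';
        }
    }
    return "graph $local_graph_id rendered";
}

// Assumed hardening (not the upstream fix): the check is unconditional, so a
// missing or anonymous user is denied unless the ACL explicitly grants it.
function graph_fail_closed(int $local_graph_id, int $user = 0): string {
    if (!is_graph_allowed($local_graph_id, $user)) {
        return 'GRAPH ACCESS DENIED';
    }
    return "graph $local_graph_id rendered";
}

// Callers in the style of graph_image.php: no $user argument at all.
printf("%-26s %s\n", 'after commit, no user:',  graph_after_commit(42));
printf("%-26s %s\n", 'fail closed, no user:',   graph_fail_closed(42));
// Callers that pass the session user id.
printf("%-26s %s\n", 'after commit, user 7:',   graph_after_commit(42, 7));
printf("%-26s %s\n", 'fail closed, user 9:',    graph_fail_closed(42, 9));
```

Run with `php` from the command line; the first line shows the bypass, the second shows the same call denied once the check no longer depends on the optional argument.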