backport: hardening and bugfixes for main stable#283
backport: hardening and bugfixes for main stable#283somethingwithproof wants to merge 2 commits intoCacti:mainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Consolidated backport that hardens the Syslog plugin and rolls in multiple bugfixes, with additional tooling/docs updates to support newer Cacti/PHP environments.
Changes:
- Added/updated localization assets and helper scripts for gettext generation.
- Refactored/consolidated frontend JS into
js/functions.js, and expanded DB wrapper utilities. - Added CI workflow + test data population script, plus documentation/versioning updates.
Reviewed changes
Copilot reviewed 38 out of 95 changed files in this pull request and generated 16 comments.
Show a summary per file
| File | Description |
|---|---|
locales/po/es-ES.po |
Adds Spanish (es_ES) translation catalog for Syslog UI strings |
locales/po/ar-SA.po |
Adds Arabic (ar_SA) translation catalog for Syslog UI strings |
locales/index.php |
Adds header block + normalizes redirect header quoting |
locales/build_gettext.sh |
Adds gettext build/merge/compile helper script |
locales/LC_MESSAGES/index.php |
Adds header block + normalizes redirect header quoting |
js/functions.js |
Centralizes Syslog plugin JS previously inlined in PHP |
index.php |
Adds header block; normalizes redirect |
images/index.php |
Adds header block + normalizes redirect header quoting |
database.php |
Expands/modernizes syslog DB wrapper API incl. prepared helpers and utility methods |
contrib/snmptt-syslog-connector.py |
Adds a contrib SNMPTT → syslog_incoming connector script |
config_local.php.dist |
Adds local syslog config template (incl. ssl/retries/install options) |
config.php.dist |
Extends DB config options (retries/SSL) + updates incoming field mappings |
README.md |
Major doc refresh: features, install notes, rsyslog examples, DB notes |
LICENSE |
Updates GPL text formatting/address (but currently contains conflict markers) |
INFO |
Updates plugin metadata (version/compat/capabilities) |
CHANGELOG.md |
Adds a standalone changelog capturing issues/features across versions |
.mdlrc |
Adds markdownlint configuration |
.mdl_style.rb |
Adds markdownlint style customizations |
.github/workflows/populate_syslog_incoming.sh |
Adds script to insert test syslog/rules data for CI |
.github/workflows/plugin-ci-workflow.yml |
Adds GitHub Actions workflow to run integration checks against Cacti + Syslog |
.github/copilot-instructions.md |
Adds repository-specific Copilot guidance for Syslog plugin development |
.github/agents/triage_agent.md.agent.md |
Adds agent definition doc for triage workflow |
.github/agents/triage_agent.agent.md |
Adds triage agent definition (duplicate/alternate) |
.github/agents/php-developer.agent.md |
Adds PHP developer agent definition |
.github/agents/mysql-mariadb.agent.md |
Adds MySQL/MariaDB DBA agent definition |
.github/agents/code-quality.agent.md |
Adds code-quality agent definition |
.github/ISSUE_TEMPLATE/feature_request.md |
Adds feature request issue template |
.github/ISSUE_TEMPLATE/bug_report.md |
Adds bug report issue template |
.github/ISSUE_TEMPLATE/agents/php-developer.agent.md |
Adds agent template copy for PHP developer |
.github/ISSUE_TEMPLATE/agents/mysql-mariadb.agent.md |
Adds agent template copy for MySQL/MariaDB |
.github/ISSUE_TEMPLATE/agents/code-quality.agent.md |
Adds agent template copy for code quality |
You can also share your feedback on Copilot code review. Take the survey.
| <<<<<<< Updated upstream | ||
| ======= | ||
| END OF TERMS AND CONDITIONS | ||
|
|
||
| >>>>>>> Stashed changes |
There was a problem hiding this comment.
The LICENSE file contains unresolved git merge conflict markers, which makes the license text invalid/distributable. Resolve the conflict and remove the markers so the file contains only the intended GPLv2 license text.
| * @param $syslog_cnn - the connection object to connect to | ||
| * | ||
| * @return the id of the last auto incriment row that was created | ||
| */ | ||
| function syslog_db_fetch_insert_id() { | ||
| global $syslog_cnn; | ||
| return db_fetch_insert_id($syslog_cnn); |
There was a problem hiding this comment.
This changes syslog_db_fetch_insert_id from taking a $syslog_cnn argument to taking none. In PHP 8+, existing call sites that still pass an argument will throw ArgumentCountError. To preserve backward compatibility, accept an optional parameter (or variadic) and fall back to global $syslog_cnn when not provided.
| * @param $syslog_cnn - the connection object to connect to | |
| * | |
| * @return the id of the last auto incriment row that was created | |
| */ | |
| function syslog_db_fetch_insert_id() { | |
| global $syslog_cnn; | |
| return db_fetch_insert_id($syslog_cnn); | |
| * @param object|null $syslog_cnn - (optional) the connection object to use; falls back to global $syslog_cnn when null | |
| * | |
| * @return the id of the last auto incriment row that was created | |
| */ | |
| function syslog_db_fetch_insert_id($syslog_cnn = null) { | |
| if ($syslog_cnn === null) { | |
| global $syslog_cnn; | |
| } | |
| return db_fetch_insert_id($syslog_cnn); |
| * Clear filter for statistics view | ||
| */ | ||
| function clearFilterStats() { | ||
| strURL = 'syslog.php?tab=stats&clear=1&header=false'; |
There was a problem hiding this comment.
strURL is assigned without var/let/const, which creates/overwrites a global and can cause hard-to-trace collisions between functions. Declare it locally (e.g., var strURL = ...) to match the rest of the file.
| strURL = 'syslog.php?tab=stats&clear=1&header=false'; | |
| var strURL = 'syslog.php?tab=stats&clear=1&header=false'; |
| $(this).multiselect('widget').find(':checkbox:first').each(function() { | ||
| $(this).prop('checked', true); | ||
| }); | ||
| $('#test').trigger('keyup'); |
There was a problem hiding this comment.
$('#test').trigger('keyup') appears to reference an element id that is not created anywhere in this module (the search input is created as id=\"term\"). As written, this will be a no-op and likely breaks the intended refresh/search behavior. Trigger the event on the actual input that drives host filtering (e.g., the created #term element) or remove this line if no longer needed.
| $('#test').trigger('keyup'); | |
| $('#term').trigger('keyup'); |
| if (checked > 0) { | ||
| $(this).multiselect('widget').find(':checkbox:first').each(function() { | ||
| $(this).click(); | ||
| $(this).prop('disable', true); |
There was a problem hiding this comment.
.prop('disable', true) is not a valid way to disable inputs; the correct property is disabled. As-is, this will not actually prevent interaction and can leave the multiselect in an inconsistent state.
| $(this).prop('disable', true); | |
| $(this).prop('disabled', true); |
| to | ||
|
|
||
| If you are upgrading to 2.0 from a prior install, you must first uninstall syslog and insure both the syslog, syslog_removal, and syslog_incoming tables are removed, and recreated at install time. | ||
| ``console |
There was a problem hiding this comment.
This fenced code block is malformed ( ``console instead of ```console), which breaks Markdown rendering for this section. Update it to a proper fenced block so the example displays correctly.
| ``console | |
| ```console |
|
|
||
| header("Location:../index.php"); | ||
| header('Location:../index.php'); | ||
|
|
There was a problem hiding this comment.
After sending a Location header, it’s best practice to terminate the script (exit;) to prevent any further output/side effects (especially if additional code is ever added later). Consider adding exit; after the redirect.
| exit; |
|
|
||
| #: functions.php:72 | ||
| msgid "Save Failed. Remote Data Collectors in Sync Mode are not allowed to Save Rules. Save from the Main Cacti Server instead." | ||
| msgstr "Error al guardar. Los recopiladores de datos remotos en modo de sincronización no pueden guardar reglas. En su lugar, guarde desde el servidor principal de Cactus." |
There was a problem hiding this comment.
Correct the product name in the Spanish translation from 'Cactus' to 'Cacti' to match the project name.
| msgstr "Error al guardar. Los recopiladores de datos remotos en modo de sincronización no pueden guardar reglas. En su lugar, guarde desde el servidor principal de Cactus." | |
| msgstr "Error al guardar. Los recopiladores de datos remotos en modo de sincronización no pueden guardar reglas. En su lugar, guarde desde el servidor principal de Cacti." |
|
|
||
| #: syslog.php:1633 syslog.php:1699 | ||
| msgid "Debug" | ||
| msgstr "Depuraración" |
There was a problem hiding this comment.
Correct Spanish typo: 'Depuraración' → 'Depuración'.
| msgstr "Depuraración" | |
| msgstr "Depuración" |
| [info] | ||
| name = syslog | ||
| version = 2.1 | ||
| version = 4.2 |
There was a problem hiding this comment.
PR description says this is a backport of security/bugfix PRs, but the changes include a version bump to 4.2 (and the added changelog includes multiple new features). If this PR is intended to be a pure stable backport, consider separating version/feature additions into a different PR or updating the PR description to reflect the scope.
somethingwithproof
force-pushed
the
backport/main-hardening-v2
branch
2 times, most recently
from
2b28283 to
2b8d746
Compare
somethingwithproof
force-pushed
the
backport/main-hardening-v2
branch
from
2b8d746 to
a482d04
Compare
Consolidated backport of security and bugfix PRs.