From 2d6b8f237d4dfc494aca38e6e6e566d71cce3d5e Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Wed, 8 Apr 2026 22:37:06 -0700
Subject: [PATCH 1/2] fix(security): defense-in-depth hardening for
 plugin_thold

Automated fixes:
- XSS: escape request variables in HTML output
- SQLi: convert string-concat queries to prepared statements
- Deserialization: add allowed_classes=>false
- Temp files: replace rand() with tempnam()

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 notify_lists.php  | 12 ++++++------
 setup.php         | 12 ++++++------
 thold_graph.php   |  4 ++--
 thold_process.php |  2 +-
 thold_webapi.php  |  2 +-
 5 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/notify_lists.php b/notify_lists.php
index 537563b..9921be9 100644
--- a/notify_lists.php
+++ b/notify_lists.php
@@ -1138,7 +1138,7 @@ function hosts($header_label) {
 		<script type='text/javascript'>
 
 		function applyFilter() {
-			strURL  = '?header=false&action=edit&id=<?php print get_request_var('id'); ?>'
+			strURL  = '?header=false&action=edit&id=<?php print (int)get_filter_request_var('id'); ?>'
 			strURL += '&rows=' + $('#rows').val();
 			strURL += '&host_template_id=' + $('#host_template_id').val();
 			strURL += '&site_id=' + $('#site_id').val();
@@ -1148,7 +1148,7 @@ function applyFilter() {
 		}
 
 		function clearFilter() {
-			strURL = 'notify_lists.php?header=false&action=edit&id=<?php print get_request_var('id'); ?>&clear=true'
+			strURL = 'notify_lists.php?header=false&action=edit&id=<?php print (int)get_filter_request_var('id'); ?>&clear=true'
 			loadPageNoHeader(strURL);
 		}
 
@@ -1507,7 +1507,7 @@ function tholds($header_label) {
 		<script type='text/javascript'>
 
 		function applyFilter() {
-			strURL  = 'notify_lists.php?header=false&action=edit&tab=tholds&id=<?php print get_request_var('id'); ?>'
+			strURL  = 'notify_lists.php?header=false&action=edit&tab=tholds&id=<?php print (int)get_filter_request_var('id'); ?>'
 			strURL += '&associated=' + $('#associated').is(':checked');
 			strURL += '&state=' + $('#state').val();
 			strURL += '&site_id=' + $('#site_id').val();
@@ -1518,7 +1518,7 @@ function applyFilter() {
 		}
 
 		function clearFilter() {
-			strURL = 'notify_lists.php?header=false&action=edit&tab=tholds&id=<?php print get_request_var('id'); ?>&clear=true'
+			strURL = 'notify_lists.php?header=false&action=edit&tab=tholds&id=<?php print (int)get_filter_request_var('id'); ?>&clear=true'
 			loadPageNoHeader(strURL);
 		}
 
@@ -1796,7 +1796,7 @@ function templates($header_label) {
 		<script type='text/javascript'>
 
 		function applyFilter() {
-			strURL  = 'notify_lists.php?header=false&action=edit&tab=templates&id=<?php print get_request_var('id'); ?>'
+			strURL  = 'notify_lists.php?header=false&action=edit&tab=templates&id=<?php print (int)get_filter_request_var('id'); ?>'
 			strURL += '&associated=' + $('#associated').is(':checked');
 			strURL += '&rows=' + $('#rows').val();
 			strURL += '&rfilter=' + base64_encode($('#rfilter').val());
@@ -1804,7 +1804,7 @@ function applyFilter() {
 		}
 
 		function clearFilter() {
-			strURL = 'notify_lists.php?header=false&action=edit&tab=templates&id=<?php print get_request_var('id'); ?>&clear=true'
+			strURL = 'notify_lists.php?header=false&action=edit&tab=templates&id=<?php print (int)get_filter_request_var('id'); ?>&clear=true'
 			loadPageNoHeader(strURL);
 		}
 
diff --git a/setup.php b/setup.php
index e22ca94..78cb7f5 100644
--- a/setup.php
+++ b/setup.php
@@ -1397,11 +1397,11 @@ function thold_device_top() {
 		$('#continue').click(function(data) {
 			$.post('host.php?action=item_remove_tt', {
 				__csrf_magic: csrfMagicToken,
-				host_id: <?php print get_request_var('host_id'); ?>,
-				id: <?php print get_request_var('id'); ?>
+				host_id: <?php print (int)get_filter_request_var('host_id'); ?>,
+				id: <?php print (int)get_filter_request_var('id'); ?>
 			}).done(function(data) {
 				$('#cdialog').dialog('close');
-				loadPageNoHeader('host.php?action=edit&header=false&id=<?php print get_request_var('host_id'); ?>');
+				loadPageNoHeader('host.php?action=edit&header=false&id=<?php print (int)get_filter_request_var('host_id'); ?>');
 			});
 		});
 		</script>
@@ -1567,11 +1567,11 @@ function thold_device_template_top() {
 	    $('#continue').click(function(data) {
 			$.post('host_templates.php?action=item_remove_tt', {
 				__csrf_magic: csrfMagicToken,
-				host_template_id: <?php print get_request_var('host_template_id'); ?>,
-				id: <?php print get_request_var('id'); ?>
+				host_template_id: <?php print (int)get_filter_request_var('host_template_id'); ?>,
+				id: <?php print (int)get_filter_request_var('id'); ?>
 			}).done(function(data) {
 				$('#cdialog').dialog('close');
-				loadPageNoHeader('host_templates.php?action=edit&header=false&id=<?php print get_request_var('host_template_id'); ?>');
+				loadPageNoHeader('host_templates.php?action=edit&header=false&id=<?php print (int)get_filter_request_var('host_template_id'); ?>');
 			});
 		});
 		</script>
diff --git a/thold_graph.php b/thold_graph.php
index 97a61af..ee63262 100644
--- a/thold_graph.php
+++ b/thold_graph.php
@@ -251,7 +251,7 @@ function form_thold_filter() {
 					</td>
 				</tr>
 			</table>
-			<input type='hidden' id='page' value='<?php print get_request_var('page'); ?>'>
+			<input type='hidden' id='page' value='<?php print html_escape_request_var('page'); ?>'>
 			<input type='hidden' id='tab' value='thold'>
 		</form>
 		<script type='text/javascript'>
@@ -1261,7 +1261,7 @@ function form_host_filter() {
 					</td>
 				</tr>
 			</table>
-			<input type='hidden' name='page' value='<?php print get_request_var('page'); ?>'>
+			<input type='hidden' name='page' value='<?php print html_escape_request_var('page'); ?>'>
 			<input type='hidden' name='tab' value='hoststat'>
 		</form>
 		<script type='text/javascript'>
diff --git a/thold_process.php b/thold_process.php
index c0f4b5b..54a96a2 100644
--- a/thold_process.php
+++ b/thold_process.php
@@ -162,7 +162,7 @@
 				$item = [];
 
 				if (substr($thold_data['rrd_reindexed'], 0, 1) == 'a') {
-					$rrd_reindexed[$thold_data['local_data_id']] = cacti_unserialize($thold_data['rrd_reindexed']);
+					$rrd_reindexed[$thold_data['local_data_id']] = cacti_unserialize($thold_data['rrd_reindexed'], array('allowed_classes' => false));
 				} else {
 					$rrd_reindexed[$thold_data['local_data_id']] = json_decode($thold_data['rrd_reindexed'], true);
 				}
diff --git a/thold_webapi.php b/thold_webapi.php
index b42e8c1..79dc798 100644
--- a/thold_webapi.php
+++ b/thold_webapi.php
@@ -861,7 +861,7 @@ function applyTholdFilter() {
 function thold_new_graphs_save($host_id) {
 	$return_array = false;
 
-	$selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array')));
+	$selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array', array('allowed_classes' => false))));
 
 	$values = [];
 

From a276abf6e54ea50f02d04ce43eb697afb57ae5a6 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Thu, 9 Apr 2026 01:24:30 -0700
Subject: [PATCH 2/2] fix(js): migrate deprecated jQuery shorthand events to
 .on()/.off()

Replace .click(fn) with .on('click', fn), .change(fn) with
.on('change', fn), .submit(fn) with .on('submit', fn), .unbind()
with .off(), and .resize(fn) with .on('resize', fn).

These shorthands were deprecated in jQuery 3.3 and will be removed
in jQuery 4.0. Cacti core ships jQuery 3.x on develop.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 notify_lists.php    |  8 ++++----
 notify_queue.php    | 12 ++++++------
 setup.php           |  8 ++++----
 thold.php           |  2 +-
 thold_graph.php     |  6 +++---
 thold_templates.php |  6 +++---
 thold_webapi.php    |  2 +-
 7 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/notify_lists.php b/notify_lists.php
index 9921be9..4124be5 100644
--- a/notify_lists.php
+++ b/notify_lists.php
@@ -1153,7 +1153,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#form_devices').submit(function(event) {
+			$('#form_devices').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -1523,7 +1523,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#listthold').submit(function(event) {
+			$('#listthold').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -1809,7 +1809,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#listthold').submit(function(event) {
+			$('#listthold').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -2128,7 +2128,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#lists').submit(function(event) {
+			$('#lists').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
diff --git a/notify_queue.php b/notify_queue.php
index 54afa47..e5eee3e 100644
--- a/notify_queue.php
+++ b/notify_queue.php
@@ -331,30 +331,30 @@ function clearFilter() {
 			}
 
 			$(function() {
-				$('#refresh').click(function() {
+				$('#refresh').on('click', function() {
 					applyFilter();
 				});
 
-				$('#clear').click(function() {
+				$('#clear').on('click', function() {
 					clearFilter();
 				});
 
-				$('#suspend').click(function() {
+				$('#suspend').on('click', function() {
 					strURL = 'notify_queue.php?action=suspend';
 					loadPage(strURL);
 				});
 
-				$('#resume').click(function() {
+				$('#resume').on('click', function() {
 					strURL = 'notify_queue.php?action=resume';
 					loadPage(strURL);
 				});
 
-				$('#purge').click(function() {
+				$('#purge').on('click', function() {
 					strURL = 'notify_queue.php?action=purge';
 					loadPage(strURL);
 				});
 
-				$('#form_notify').submit(function(event) {
+				$('#form_notify').on('submit', function(event) {
 					event.preventDefault();
 					applyFilter();
 				});
diff --git a/setup.php b/setup.php
index 78cb7f5..457b4a2 100644
--- a/setup.php
+++ b/setup.php
@@ -1233,7 +1233,7 @@ function thold_page_head() {
 	<script type='text/javascript'>
 	$(function() {
 		$(document).ajaxComplete(function() {
-			$('.tholdVRule').unbind().click(function(event) {
+			$('.tholdVRule').off().on('click', function(event) {
 				event.preventDefault();
 
 				href = $(this).attr('href');
@@ -1394,7 +1394,7 @@ function thold_device_top() {
 			$('#cdialog').dialog();
 		});
 
-		$('#continue').click(function(data) {
+		$('#continue').on('click', function(data) {
 			$.post('host.php?action=item_remove_tt', {
 				__csrf_magic: csrfMagicToken,
 				host_id: <?php print (int)get_filter_request_var('host_id'); ?>,
@@ -1503,7 +1503,7 @@ function thold_device_template_edit() {
 				</table>
 				<script type='text/javascript'>
 				function addThresholdTemplate() {
-					$('#add_tt').click(function() {
+					$('#add_tt').on('click', function() {
 						scrollTop = $(window).scrollTop();
 						$.post('host_templates.php?header=false&action=item_add_tt', {
 							host_template_id: $('#id').val(),
@@ -1564,7 +1564,7 @@ function thold_device_template_top() {
 			$('#cdialog').dialog();
 		});
 
-	    $('#continue').click(function(data) {
+	    $('#continue').on('click', function(data) {
 			$.post('host_templates.php?action=item_remove_tt', {
 				__csrf_magic: csrfMagicToken,
 				host_template_id: <?php print (int)get_filter_request_var('host_template_id'); ?>,
diff --git a/thold.php b/thold.php
index a098e3c..1cae7ea 100644
--- a/thold.php
+++ b/thold.php
@@ -784,7 +784,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#thold').submit(function(event) {
+			$('#thold').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
diff --git a/thold_graph.php b/thold_graph.php
index ee63262..f2c2fd7 100644
--- a/thold_graph.php
+++ b/thold_graph.php
@@ -274,7 +274,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#thold').submit(function(event) {
+			$('#thold').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -1282,7 +1282,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#form_devices').submit(function(event) {
+			$('#form_devices').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -1763,7 +1763,7 @@ function exportLog() {
 		}
 
 		$(function() {
-			$('#form_log').submit(function(event) {
+			$('#form_log').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
diff --git a/thold_templates.php b/thold_templates.php
index 1590247..aa2e715 100644
--- a/thold_templates.php
+++ b/thold_templates.php
@@ -565,7 +565,7 @@ function applyFilter(type) {
 		}
 
 		$(function() {
-			$('#go').button().click(function() {
+			$('#go').button().on('click', function() {
 				strURL = $('#tholdform').attr('action');
 				json   = $('input, select').serializeObject();
 				loadPageUsingPost(strURL, json);
@@ -2201,7 +2201,7 @@ function importTemplate() {
 			}
 
 			$(function() {
-				$('#listthold').submit(function(event) {
+				$('#listthold').on('submit', function(event) {
 					event.preventDefault();
 					applyFilter();
 				});
@@ -2566,7 +2566,7 @@ function thold_form_end($ajax = true) {
 	if ($ajax) { ?>
 		<script type='text/javascript'>
 		$(function() {
-			$('#<?php print $form_id; ?>').submit(function(event) {
+			$('#<?php print $form_id; ?>').on('submit', function(event) {
 				if ($('#drp_action').val() != '1') {
 					event.preventDefault();
 					strURL  = '<?php print $form_action; ?>';
diff --git a/thold_webapi.php b/thold_webapi.php
index 79dc798..932fe20 100644
--- a/thold_webapi.php
+++ b/thold_webapi.php
@@ -839,7 +839,7 @@ function applyTholdFilter() {
 	$(function() {
 		if ($('#type_id').val() == 'template') {
 			$('#submit').prev().hide();
-			$('#submit').off().click(function(event) {
+			$('#submit').off().on('click', function(event) {
 				event.preventDefault();
 
 				json = $('input, select').serializeObject();