My cacti details are:
Cacti Version 0.8.7e
Cacti OS unix
SNMP Version NET-SNMP version: 5.3.2.2
RRDTool Version RRDTool 1.2.x
Now in the debug for my graph it shows the RRD command as:
/usr/bin/rrdtool graph - \
--imgformat=PNG \
--start=-86400 \
--end=-300 \
--title="Usage - Total Cost" \
--base=1000 \
--height=120 \
--width=500 \
--alt-autoscale-max \
--lower-limit=0 \
--vertical-label="Cost in $" \
--slope-mode \
--font TITLE:8: \
--font AXIS:8: \
--font LEGEND:8: \
--font UNIT:8: \
DEF:a="/var/www/cacti/rra/snmp_oid_128.rrd":snmp_oid:AVERAGE \
AREA:a#001878FF:"Cost" \
GPRINT:a:LAST:"Current\:$%9.2lf" \
GPRINT:a:AVERAGE:"Minimum\:$%9.2lf" \
GPRINT:a:MAX:"Maximum\:$%9.2lf\n"
However they are not appearing on the graphs. If I replace the first - in the command string with a filename, such as foo.png, and execute the debug command string in a shell, then foo.png is created with dollar signs in the labels as expected.
After some digging, I identified the problem being the ereg_replace call made in the lib/rrd.php in the escape_command() function.
Code:
function escape_command($command) {
	return ereg_replace("(\\\$|`)", "", $command);
}
I gather the function is attempting to stop someone injecting shell/php variables into the command string, and/or using backticks to have the shell execute an arbitrary command and insert its output into the command string. However the regexp used is a little brutish.
I'd like to suggest the following replacement:
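Code:
function escape_command($command) {
	// Strip $ only when it starts a shell variable or $(...), and a backtick only when another backtick follows it.
	return preg_replace("/(\\\$(?=\w+|\*|\@|\#|\?|\-|\\\$|\!|\_|[0-9]|\(.*\))|`(?=.*(?=`)))/", "$2", $command);
}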
e.g. $foo, $$, $@, $ENV, $PS1 will become foo $ @ ENV PS1
but '$ ' will be ignored, as will '($)' as $) isn't a shell variable. Also `/usr/bin/which` will have the backticks removed, but single ones are ignored.
This would allow for labels such as 'Cost in $' or gprints to show currency values like 'AUD $%9.2lf'
Any thoughts?
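
The following is an added example, not part of the original post and not Cacti's code. It runs the two filters discussed above over a few constructed labels and compares them with quoting the argument through PHP's escapeshellarg(), which leaves `$` and backticks in place as literal text. The function names and sample labels are assumptions made for illustration, and a Unix shell is assumed.

```php
<?php
// Added example, not Cacti code; function names and labels are constructed.

// Behaviour of the 0.8.7e filter quoted above: delete every $ and backtick.
function strip_all($s) {
    return preg_replace('/[$`]/', '', $s);
}

// The lookahead filter proposed above, with regex delimiters added.
function strip_lookahead($s) {
    return preg_replace(
        "/(\\\$(?=\w+|\*|\@|\#|\?|\-|\\\$|\!|\_|[0-9]|\(.*\))|`(?=.*(?=`)))/",
        '',
        $s
    );
}

// Constructed sample labels: two currency labels, two spellings of a shell
// variable, and the backtick case mentioned in the post.
$labels = array(
    'Cost in $',
    'AUD $%9.2lf',
    '$HOME',
    '${HOME}',
    '`/usr/bin/which`',
);

printf("%-18s | %-16s | %-18s | %s\n",
    'label', 'strip_all', 'strip_lookahead', 'quoted round trip');

foreach ($labels as $label) {
    // Alternative to filtering (an assumption, not the post's proposal):
    // single-quote the whole argument so the shell expands nothing in it.
    $quoted = escapeshellarg($label);

    // "printf %s" prints back exactly what the shell passed as the argument.
    $seen = shell_exec('printf %s ' . $quoted);

    printf("%-18s | %-16s | %-18s | %s\n",
        $label,
        strip_all($label),
        strip_lookahead($label),
        $seen === $label ? 'unchanged' : 'altered');
}
```

In the output, the lookahead filter keeps both currency labels but also leaves `${HOME}` untouched and removes only the first backtick of a pair, while the quoted argument comes back from the shell byte for byte in every row.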