### Key Information

#### Change Overview

- **9 files modified**, with a total of 125 lines added and 46 lines removed.
- **Security Patch**: Security update for Cacti version 1.2.29, addressing multiple security vulnerabilities.

#### Major Security Issues

1. **GISA-pv2c-g7pp-vxwg**: Local File Inclusion (LFI) vulnerability caused by the `Poller Standard Error Log Path` setting.
2. **GISA-f9c7-7rc3-574c**: SQL injection vulnerability when using tree rules and the automation API.
3. **GISA-vj3F2-w4wj**: SQL injection vulnerability when viewing host templates.
4. **GISA-fh3x-9rr-gqgg**: SQL injection vulnerability when requesting automated devices.
5. **GISA-fxrq-fr7h-9rqg**: Remote Code Execution (RCE) vulnerability triggered by multi-line SNMP responses.

#### Specific Code Changes

- **automation_graph_rules.php**:
  - Added SQL injection detection for the `host` and `host_template` database field values to prevent unauthorized operations.
- **automation_tree_rules.php**:
  - Same change as the file above: strengthened SQL injection detection to keep the data safe.
- **lib/functions.php**:
  - Modified the `cacti_escapeshellarg` function to correctly handle special characters in strings, preventing command injection.
- **lib/html_validate.php and lib/snmp.php**:
  - Code changes focused on input data validation and security checks to prevent SQL injection and other potential vulnerabilities.

#### Change Comment

This commit primarily fixes multiple security issues in Cacti version 1.2.29 caused by SQL injection and RCE. Each vulnerability is reported with a corresponding ID for the affected files and functional modules. The code logic has been changed to strengthen input data validation and processing, improving the security and stability of the system.
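The "SQL injection detection for `host` and `host_template` field values" pattern described above, as an added illustration that is not Cacti's own code: the table, field and operator a rule refers to are accepted only if they match an allowlist, and the comparison value is always a bound parameter. The allowlists, the `build_rule_where` function and the sample rules are hypothetical.

```php
<?php
// Added example (not Cacti's implementation): build the WHERE clause for an
// automation rule from allowlisted identifiers only; values are never interpolated.

// Hypothetical allowlist of rule fields per table; Cacti's real list may differ.
const RULE_FIELDS = [
    'host'          => ['id', 'hostname', 'description', 'snmp_community', 'status'],
    'host_template' => ['id', 'name', 'description'],
];

// Hypothetical operator allowlist mapped to SQL templates with a placeholder.
const RULE_OPERATORS = [
    'eq'       => '%s = ?',
    'neq'      => '%s <> ?',
    'contains' => '%s LIKE ?',
];

/**
 * Return [sql, params] for one rule, or throw if the table, field or operator
 * is not on the allowlist. All three come from the request, so an exact match
 * against the allowlist is the only way they reach the query text.
 */
function build_rule_where(string $table, string $field, string $op, string $value): array {
    if (!isset(RULE_FIELDS[$table])) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    if (!in_array($field, RULE_FIELDS[$table], true)) {
        throw new InvalidArgumentException("field not allowed: $field");
    }
    if (!isset(RULE_OPERATORS[$op])) {
        throw new InvalidArgumentException("operator not allowed: $op");
    }
    $param = ($op === 'contains') ? '%' . $value . '%' : $value;
    // The identifier is safe because it equals an allowlist entry; the value is bound.
    $sql = sprintf(RULE_OPERATORS[$op], "`$table`.`$field`");
    return [$sql, [$param]];
}

// Constructed sample rules: a legitimate one, then a field name that is not allowlisted.
[$sql, $params] = build_rule_where('host', 'hostname', 'contains', 'router');
echo $sql . '  -- params: ' . json_encode($params) . PHP_EOL;

try {
    build_rule_where('host', 'hostname OR 1=1', 'eq', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Pass `$sql` and `$params` to a prepared statement (PDO or mysqli) rather than concatenating them into the query string.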