From cabebaa48abf56a43da1759a7e97ca672cdc4b96 Mon Sep 17 00:00:00 2001
From: Morten Stevens <mstevens@fedoraproject.org>
Date: Jul 06 2017 12:22:01 +0000
Subject: Fix Cross-site Scripting (XSS) issue with link.php


---

diff --git a/cacti-fix-xss.patch b/cacti-fix-xss.patch
new file mode 100644
index 0000000..a81efa1
--- /dev/null
+++ b/cacti-fix-xss.patch
@@ -0,0 +1,35 @@
+From 3381cba6a9e36b01ed0ab0acfd41b00487966cb5 Mon Sep 17 00:00:00 2001
+From: cigamit <jimmy@sqmail.org>
+Date: Wed, 5 Jul 2017 06:45:03 -0500
+Subject: [PATCH] Resolving Issue #838
+
+Cross-site Scripting (XSS) issue with link.php
+---
+ docs/CHANGELOG        | 3 +++
+ lib/html_validate.php | 6 +++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/lib/html_validate.php b/lib/html_validate.php
+index 3d5e97fad..d5cb6168f 100644
+--- a/lib/html_validate.php
++++ b/lib/html_validate.php
+@@ -48,16 +48,16 @@ function die_html_input_error($variable = '', $value = '', $message = '') {
+ 	global $config;
+ 
+ 	?>
+-	<table style="width:100%;text-align:center;">
++	<table style='width:100%;text-align:center;'>
+ 		<tr>
+ 			<td>
+-				Validation error<?php print ($variable != '' ? ' for variable ' . $variable . ', with value of "' . $value . '"' . ($message != '' ? ', and error:' . $message : '') : '');?>.  See backtrace below for more details.
++				<?php print __('Validation error for variable %s with a value of %s.  See backtrace below for more details.', $variable, htmlspecialchars($value));?>
+ 			</td>
+ 		</tr>
+ 	</table>
+ 	<?php
+ 
+-	cacti_debug_backtrace('Validation Error' . ($variable != '' ? ", Variable:$variable":"") . ($value != '' ? ", Value:$value":""), true);
++	cacti_debug_backtrace('Validation Error' . ($variable != '' ? ", Variable:$variable":'') . ($value != '' ? ", Value:$value":''), true);
+ 
+ 	bottom_footer();
+ 	exit;
diff --git a/cacti.spec b/cacti.spec
index 1e08249..ad925b8 100644
--- a/cacti.spec
+++ b/cacti.spec
@@ -1,6 +1,6 @@
 Name: cacti
 Version: 1.1.12
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: An rrd based graphing tool
 License: GPLv2+
 URL: http://www.cacti.net/
@@ -9,6 +9,7 @@ Source1: cacti-httpd.conf
 Source2: cacti.logrotate
 Source3: cacti.README.fedora
 Source4: %{name}.cron
+Patch0: cacti-fix-xss.patch
 
 # Requires PHP 5.3+
 Requires: php(language) >= 5.3
@@ -66,6 +67,7 @@ driven.
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 # cacti's build is a noop
@@ -163,6 +165,9 @@ restorecon -Rv '/var/log/cacti' &> /dev/null || :
 %attr(-,root,root) %{_localstatedir}/lib/%{name}/lib
 
 %changelog
+* Thu Jul 06 2017 Morten Stevens <mstevens@fedoraproject.org> - 1.1.12-2
+- Fix Cross-site Scripting (XSS) issue with link.php
+
 * Wed Jul 05 2017 Morten Stevens <mstevens@fedoraproject.org> - 1.1.12-1
 - Update to 1.1.12