secured way to display rrd charts

web/list/rrd/image.php

@@ -0,0 +1,13 @@
+<?php
+
+session_start();
+if ($_SESSION['user'] != 'admin') exit;
+$real_path = realpath($_SERVER["DOCUMENT_ROOT"].$_SERVER['QUERY_STRING']);
+if (empty($real_path)) exit;
+$dir_name = dirname($real_path);
+$dir_name = dirname($dir_name);
+if ($dir_name != $_SERVER["DOCUMENT_ROOT"].'/rrd') exit;
+header("X-Accel-Redirect: ".$_SERVER['QUERY_STRING']);
+header("Content-Type: image/png");
+
+?>

web/templates/admin/list_rrd.html

@@ -38,7 +38,7 @@
                         </table>
                     </td>
                     <td class="data-dotted">
-                        <a href="/rrd/<?php echo $data[$key]['TYPE']."/".$period."-".$data[$key]['RRD'].".png" ?>" target="_blank" class="data-controls">
+                        <a href="/list/rrd/image.php?/rrd/<?php echo $data[$key]['TYPE']."/".$period."-".$data[$key]['RRD'].".png"?>" target="_blank" class="data-controls">
                             <span>
                                 <img src="/images/download.png" width="8px" height="8px">
                                 <?php print __('download');?> 
@@ -51,7 +51,7 @@
                                     <table>
                                         </tr>
                                             <td style="background: #7a766d;" width="630px" height="250px">
-                                                <img style="padding: 0 0 0 36px;" src="/rrd/<?php echo $data[$key]['TYPE']."/".$period."-".$data[$key]['RRD'].".png" ?>">
+                                                <img style="padding: 0 0 0 36px;" src="/list/rrd/image.php?/rrd/<?php echo $data[$key]['TYPE']."/".$period."-".$data[$key]['RRD'].".png" ?>">
                                             </td>
                                         </tr>
                                     </table>