fix(security): validate sort_column and sort_direction against ORDER BY injection

Validate in both get_order_string() and update_order_string() to
prevent bypassing validation via cached session values. Restrict
sort_direction to ASC/DESC, sort_column to alphanumeric/dots/underscores.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

Author: somethingwithproof

remote_agent.php

@@ -145,6 +145,15 @@ function remote_client_authorized() {
 
 	$client_name = gethostbyaddr($client_addr);
 
+	/* Forward-verify PTR result to prevent DNS spoofing */
+	if ($client_name != $client_addr) {
+		$forward_addr = gethostbyname($client_name);
+		if ($forward_addr !== $client_addr) {
+			cacti_log('WARNING: PTR record for ' . $client_addr . ' resolves to ' . preg_replace('/[^a-zA-Z0-9.\-:]/', '', $client_name) . ' but forward lookup returns ' . $forward_addr . '. Rejecting.', false, 'AUTH');
+			return false;
+		}
+	}
+
 	if ($client_name == $client_addr) {
 		cacti_log('NOTE: Unable to resolve hostname from address ' . $client_addr, false, 'WEBUI', POLLER_VERBOSITY_MEDIUM);
 	}