Checkmk git commits October 2013

checkmk-commits@lists.checkmk.com

6 participants
384 discussions

Check_MK Git: check_mk: LDAP: Added option to make group and role sync plugin handle nested groups

by Lars Michelsen

Module: check_mk Branch: master Commit: 4c36596a6c7082c9a3dad86df308503727df1549 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=4c36596a6c7082… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Wed Oct 23 10:23:48 2013 +0200 LDAP: Added option to make group and role sync plugin handle nested groups --- ChangeLog | 4 ++++ web/htdocs/wato.py | 30 +++++++++++++++++++++------ web/plugins/userdb/ldap.py | 49 +++++++++++++++++++++++++++++++++++--------- 3 files changed, 67 insertions(+), 16 deletions(-) diff --git a/ChangeLog b/ChangeLog index c22bec4..759029d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ * Wiki Sidebar Snapin: showing navigation and quicksearch. OMD only. * Sidebar can now be folded. Simply click somewhere at the left 10 pixels. * Foldable sections now have an animated triangle icon that shows the folding state + * LDAP: Added option to make group and role sync plugin handle nested + groups (only in Active Directory at the moment). Enabling this + feature might increase the sync time a lot - use only when really needed. * FIX: Fixed encoding problem in webservice column output * FIX: Fix output format python for several numeric columns * FIX: Fixed searching hosts by aliases/adresses @@ -87,6 +90,7 @@ distributed WATO (available in the "Distributed Monitoring") * bulk inventory: display percentage in progress bar * New option for full SNMP scan in bulk inventory + * LDAP: Added test to validate the configured role sync groups * FIX: correct display of number of hosts in bulk inventory * FIX: nailed down ".siteid" exception when added new site * FIX: fixed setting for locking mode from 'ait' to 'wait' diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py index 6602edd..78d053a 100644 --- a/web/htdocs/wato.py +++ b/web/htdocs/wato.py @@ -5624,12 +5624,30 @@ def mode_ldap_config(phase): else: return (False, msg) + def test_groups_to_roles(address): + if 'groups_to_roles' not in config.ldap_active_plugins: + return True, _('Skipping this test (Plugin is not enabled)') + + userdb.ldap_connect(enforce_new = True, enforce_server = address) + num = 0 + for role_id, dn in config.ldap_active_plugins['groups_to_roles'].items(): + if isinstance(dn, str): + num += 1 + try: + ldap_groups = userdb.ldap_get_groups('(distinguishedName=%s)' % dn) + if not ldap_groups: + return False, _('Could not find the group specified for role %s') % role_id + except Exception, e: + return False, _('Error while fetching group for role %s: %s') % (role_id, str(e)) + return True, _('Found all %d groups.') % num + tests = [ - (_('Connect'), test_connect), - (_('User Base-DN'), test_user_base_dn), - (_('Count Users'), test_user_count), - (_('Group Base-DN'), test_group_base_dn), - (_('Count Groups'), test_group_count), + (_('Connect'), test_connect), + (_('User Base-DN'), test_user_base_dn), + (_('Count Users'), test_user_count), + (_('Group Base-DN'), test_group_base_dn), + (_('Count Groups'), test_group_count), + (_('Sync-Plugin: Roles'), test_groups_to_roles), ] for address in userdb.ldap_servers(): @@ -5642,7 +5660,7 @@ def mode_ldap_config(phase): state, msg = test(address) except Exception, e: state = False - msg = _('Exception: %s') % e + msg = _('Exception: %s') % html.attrencode(e) if state: img = '<img src="images/icon_success.gif" alt="%s" />' % _('Success') diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py index 4aa68d3..77faf2e 100644 --- a/web/plugins/userdb/ldap.py +++ b/web/plugins/userdb/ldap.py @@ -505,7 +505,7 @@ def ldap_get_groups(add_filt = None): filt = '(&%s%s)' % (filt, add_filt) return ldap_search(ldap_replace_macros(config.ldap_groupspec['dn']), filt, ['cn']) -def ldap_user_groups(username, user_dn, attr = 'cn'): +def ldap_user_groups(username, user_dn, attr = 'cn', nested = False): # When configured to convert user_ids to lower case, all user ids here are lower case. # Otherwise all user_ids are in the case which they are in LDAP. This should be ok # for this function! I removed the snippet below to reduce the number of ldap queries. @@ -515,11 +515,12 @@ def ldap_user_groups(username, user_dn, attr = 'cn'): # # so the username read from ldap might differ. Fix it here. # user_dn, username = ldap_get_user(username, True) - if username in g_ldap_group_cache: + cache_key = '%s-%s' % (username, nested and 'n' or 'f') + if cache_key in g_ldap_group_cache: if attr == 'cn': - return g_ldap_group_cache[username][0] + return g_ldap_group_cache[cache_key][0] else: - return g_ldap_group_cache[username][1] + return g_ldap_group_cache[cache_key][1] # posixGroup objects use the memberUid attribute to specify the group memberships. # This is the username instead of the users DN. So the username needs to be used @@ -531,7 +532,10 @@ def ldap_user_groups(username, user_dn, attr = 'cn'): # Apply configured group ldap filter and only reply with groups # having the current user as member - add_filt = '(%s=%s)' % (ldap_member_attr(), ldap.filter.escape_filter_chars(user_filter)) + if config.ldap_connection['type'] and nested: + add_filt = '(member:1.2.840.113556.1.4.1941:=%s)' % ldap.filter.escape_filter_chars(user_dn) + else: + add_filt = '(%s=%s)' % (ldap_member_attr(), ldap.filter.escape_filter_chars(user_filter)) # First get all groups groups_cn = [] @@ -540,7 +544,7 @@ def ldap_user_groups(username, user_dn, attr = 'cn'): groups_cn.append(group['cn'][0]) groups_dn.append(dn) - g_ldap_group_cache.setdefault(username, (groups_cn, groups_dn)) + g_ldap_group_cache.setdefault(cache_key, (groups_cn, groups_dn)) if attr == 'cn': return groups_cn @@ -744,7 +748,7 @@ register_user_attribute_sync_plugins() def ldap_convert_groups_to_contactgroups(params, user_id, ldap_user, user): groups = [] # 1. Fetch CNs of all LDAP groups of the user (use group_dn, group_filter) - ldap_groups = ldap_user_groups(user_id, ldap_user['dn']) + ldap_groups = ldap_user_groups(user_id, ldap_user['dn'], nested = params.get('nested', False)) # 2. Fetch all existing group names in WATO cg_names = load_group_information().get("contact", {}).keys() @@ -759,20 +763,32 @@ ldap_attribute_plugins['groups_to_contactgroups'] = { 'contactgroup must match the common name (cn) of the LDAP group.'), 'convert': ldap_convert_groups_to_contactgroups, 'lock_attributes': ['contactgroups'], - 'no_param_txt': _('Add user to all contactgroups where the common name matches the group name.'), + 'parameters': [ + ('nested', FixedValue( + title = _('Handle nested group memberships (Active Directory only at the moment)'), + help = _('Once you enable this option, this plugin will not only handle direct ' + 'group memberships, instead it will also dig into nested groups and treat ' + 'the members of those groups as contact group members as well. Please mind ' + 'that this feature might increase the execution time of your LDAP sync.'), + value = True, + totext = _('Nested group memberships are resolved'), + ) + ) + ], } def ldap_convert_groups_to_roles(params, user_id, ldap_user, user): groups = [] # 1. Fetch DNs of all LDAP groups of the user - ldap_groups = [ g.lower() for g in ldap_user_groups(user_id, ldap_user['dn'], 'dn') ] + ldap_groups = [ g.lower() for g in ldap_user_groups(user_id, ldap_user['dn'], + attr = 'dn', nested = params.get('nested', False)) ] # 2. Load default roles from default user profile roles = config.default_user_profile['roles'][:] # 3. Loop all roles mentioned in params (configured to be synchronized) for role_id, dn in params.items(): - if dn.lower() in ldap_groups and role_id not in roles: + if isinstance(dn, str) and dn.lower() in ldap_groups and role_id not in roles: roles.append(role_id) return {'roles': roles} @@ -788,6 +804,19 @@ def ldap_list_roles_with_group_dn(): size = 80, enforce_suffix = ldap_replace_macros(config.ldap_groupspec.get('dn', '')), ))) + + elements.append( + ('nested', FixedValue( + title = _('Handle nested group memberships (Active Directory only at the moment)'), + help = _('Once you enable this option, this plugin will not only handle direct ' + 'group memberships, instead it will also dig into nested groups and treat ' + 'the members of those groups as contact group members as well. Please mind ' + 'that this feature might increase the execution time of your LDAP sync.'), + value = True, + totext = _('Nested group memberships are resolved'), + ) + ) + ) return elements ldap_attribute_plugins['groups_to_roles'] = {

10 years, 11 months

Check_MK Git: check_mk: Allow another enterprise ids introduced as a bug some genuscreen versions

by Götz Golla

Module: check_mk Branch: master Commit: e880eb02fcf2461fe04311ffc6abf46442bf8bfb URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=e880eb02fcf246… Author: Götz Golla <gg(a)mathias-kettner.de> Date: Tue Oct 22 17:16:40 2013 +0200 Allow another enterprise ids introduced as a bug some genuscreen versions --- checkman/genua_carp | 4 +++- checks/genua_carp | 37 ++++++++++++++++++++----------------- 2 files changed, 23 insertions(+), 18 deletions(-) diff --git a/checkman/genua_carp b/checkman/genua_carp index 38f418f..3407638 100644 --- a/checkman/genua_carp +++ b/checkman/genua_carp @@ -14,7 +14,9 @@ description: For a cluster the check determines the number of carp interfaces on the cluster with the state master. If it is either {0} or {>1} the check is critical. - The check is known to run with genuscreen version 3.0, others may also work. + The check is known to run with genuscreen version 3.0 and supports genuas regular + enterprise id 3717 as well as the id 3137 which was introduced in a bug in some + versions of genuscreen. perfdata: None diff --git a/checks/genua_carp b/checks/genua_carp index f84faa4..800da49 100644 --- a/checks/genua_carp +++ b/checks/genua_carp @@ -42,6 +42,9 @@ def inventory_genua_carp(info): inventory = [] + # remove empty elements due to two alternative enterprise ids in snmp_info + info = filter(None, info) + if info[0]: for ifIndex, ifName, ifType, ifLinkState, ifCarpState in info[0]: if ifCarpState in [ "0", "1", "2" ]: @@ -84,11 +87,15 @@ def genua_carpstate(st): def check_genua_carp(item, _no_params, info): + # remove empty elements due to two alternative enterprise ids in snmp_info + info = filter(None, info) + if not info[0]: return(3, "Invalid Output from Agent") state = 0 nodes = len(info) masters = 0 + output = "" if nodes > 1: prefix = "Cluster test: " else: @@ -102,13 +109,14 @@ def check_genua_carp(item, _no_params, info): ifLinkStateStr = genua_linkstate(str(ifLinkState)) ifCarpStateStr = genua_carpstate(str(ifCarpState)) # is inventorized interface in state carp master ? - if ifName == item: - output = "node in carp state %s with IfLinkState %s" \ - % (ifCarpStateStr,ifLinkStateStr) if ifName == item and ifCarpState == "2": # is master masters += 1 if masters == 1: + if nodes > 1: + output = "one " + output += "node in carp state %s with IfLinkState %s" \ + % (ifCarpStateStr,ifLinkStateStr) # first master if ifLinkState == "2": state = 0 @@ -120,10 +128,12 @@ def check_genua_carp(item, _no_params, info): state = 3 else: state = 2 - output = "%d masters found on cluster with %d nodes" \ - % (masters,nodes) + output = "%d nodes in carp state %s on cluster with %d nodes" \ + % (masters,ifCarpStateStr,nodes) # look for non-masters, only interesting if no cluster elif ifName == item and nodes == 1: + output = "node in carp state %s with IfLinkState %s" \ + % (ifCarpStateStr,ifLinkStateStr) # carp backup if ifCarpState == "1" and ifLinkState == "1": state = 0 @@ -143,27 +153,20 @@ check_info['genua_carp'] = { "check_function" : check_genua_carp, "service_description": "Carp Interface %s", "has_perfdata" : False, - "snmp_info" : [( ".1.3.6.1.4.1.3717.2.1.2",[ + "snmp_info" : [( ".1.3.6.1.4.1.3137.2.1.2",[ "1.1", # "ifIndex" "1.2", # "ifName" "1.3", # "ifType" "1.4", # "ifLinkState" "1.7", # "ifCarpState" - ])], - "snmp_scan_function" : lambda oid: "genuscreen" in oid(".1.3.6.1.2.1.1.1.0").lower() -} - -check_info['genua_carp_bad_eoid'] = { - "inventory_function" : inventory_genua_carp, - "check_function" : check_genua_carp, - "service_description": "Carp Interface %s", - "has_perfdata" : False, - "snmp_info" : [( ".1.3.6.1.4.1.3137.2.1.2",[ + ]), + ( ".1.3.6.1.4.1.3717.2.1.2",[ "1.1", # "ifIndex" "1.2", # "ifName" "1.3", # "ifType" "1.4", # "ifLinkState" "1.7", # "ifCarpState" - ])], + ]), + ], "snmp_scan_function" : lambda oid: "genuscreen" in oid(".1.3.6.1.2.1.1.1.0").lower() }

10 years, 11 months

Check_MK Git: check_mk: New check to test for correlation of carp interface states on genuscreen devices

by Götz Golla

Module: check_mk Branch: master Commit: f530c885025f574da6972b07b82041145fad5199 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=f530c885025f57… Author: Götz Golla <gg(a)mathias-kettner.de> Date: Tue Oct 22 17:18:32 2013 +0200 New check to test for correlation of carp interface states on genuscreen devices --- checkman/genua_state_correlation | 20 +++++++ checks/genua_state_correlation | 112 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 132 insertions(+) diff --git a/checkman/genua_state_correlation b/checkman/genua_state_correlation new file mode 100644 index 0000000..c459cf1 --- /dev/null +++ b/checkman/genua_state_correlation @@ -0,0 +1,20 @@ +title: Correlation of the state of carp interfaces on genuscreen devices +agents: snmp +catalog: hw/network/genua +license: GPL +distribution: check_mk +description: + This check monitors if the two carp interfaces found on genuscreen devices + have the same carp state. If not, the check is critical. + + The check is known to run with genuscreen version 3.0 and supports genuas regular + enterprise id 3717 as well as the id 3137 which was introduced in a bug in some + versions of genuscreen. + +perfdata: + None + +inventory: + The inventory process checks if the device has a system description OIDs (.1.3.6.1.2.1.1.2.0) + and if the name of this OID contains "genuscreen" (case insensitive). + If this is true the system is inventorized. diff --git a/checks/genua_state_correlation b/checks/genua_state_correlation new file mode 100644 index 0000000..482db93 --- /dev/null +++ b/checks/genua_state_correlation @@ -0,0 +1,112 @@ +#!/usr/bin/python +# -*- encoding: utf-8; py-indent-offset: 4 -*- +# +------------------------------------------------------------------+ +# | ____ _ _ __ __ _ __ | +# | / ___| |__ ___ ___| | __ | \/ | |/ / | +# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / | +# | | |___| | | | __/ (__| < | | | | . \ | +# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ | +# | | +# | Copyright Mathias Kettner 2013 mk(a)mathias-kettner.de | +# +------------------------------------------------------------------+ +# +# This file is part of Check_MK. +# The official homepage is at http://mathias-kettner.de/check_mk. +# +# check_mk is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation in version 2. check_mk is distributed +# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with- +# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. See the GNU General Public License for more de- +# ails. You should have received a copy of the GNU General Public +# License along with GNU Make; see the file COPYING. If not, write +# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, +# Boston, MA 02110-1301 USA. + +# Example Agent Output: +# GENUA-MIB: + +#.1.3.6.1.4.1.3137.2.1.2.1.1.9 = INTEGER: 9 +#.1.3.6.1.4.1.3137.2.1.2.1.1.10 = INTEGER: 10 +#.1.3.6.1.4.1.3137.2.1.2.1.2.9 = STRING: "carp0" +#.1.3.6.1.4.1.3137.2.1.2.1.2.10 = STRING: "carp1" +#.1.3.6.1.4.1.3137.2.1.2.1.3.9 = INTEGER: 5 +#.1.3.6.1.4.1.3137.2.1.2.1.3.10 = INTEGER: 5 +#.1.3.6.1.4.1.3137.2.1.2.1.4.9 = INTEGER: 2 +#.1.3.6.1.4.1.3137.2.1.2.1.4.10 = INTEGER: 2 +#.1.3.6.1.4.1.3137.2.1.2.1.7.9 = INTEGER: 2 +#.1.3.6.1.4.1.3137.2.1.2.1.7.10 = INTEGER: 2 + + +def inventory_genua_state(info): + # remove empty elements due to two alternative enterprise ids in snmp_info + info = filter(None, info) + if info[0]: + numifs = 0 + for ifIndex, ifName, ifType, ifLinkState, ifCarpState in info[0]: + if ifCarpState in [ "0", "1", "2" ]: + numifs += 1 + # inventorize only if we find at least two carp interfaces + if numifs > 1: + return [(None, None)] + return None + +def genua_state_str(st): + names = { + '0' : 'init', + '1' : 'backup', + '2' : 'master', + } + return names.get(st, st) + +def check_genua_state(item, _no_params, info): + + # remove empty elements due to two alternative enterprise ids in snmp_info + info = filter(None, info) + if not info[0]: + return(3, "Invalid Output from Agent") + + state = 0 + output = "Node test:" + carp_info = [] + + for ifIndex, ifName, ifType, ifLinkState, ifCarpState in info[0]: + if ifType == "6": + carp_info.append((ifIndex, ifName, ifType, ifLinkState, ifCarpState)) + + if len(carp_info) != 2: + return(3, "Number of carp interfaces is %d, needs to be 2" % len(carp_info)) + + # Output formatieren + output += " %s:%s %s:%s" % (carp_info[0][1], genua_state_str(carp_info[0][4])\ + , carp_info[1][1], genua_state_str(carp_info[1][4])) + + # critical if the two carp interfaces dont have the same state + if carp_info[0][4] != carp_info[1][4]: + state = 2 + + return(state, output) + +check_info['genua_state_correlation'] = { + "inventory_function" : inventory_genua_state, + "check_function" : check_genua_state, + "service_description": "Carp Correlation", + "has_perfdata" : False, + "snmp_info" : [( ".1.3.6.1.4.1.3717.2.1.2",[ + "1.1", # "ifIndex" + "1.2", # "ifName" + "1.3", # "ifType" + "1.4", # "ifLinkState" + "1.7", # "ifCarpState" + ]), + ( ".1.3.6.1.4.1.3137.2.1.2",[ + "1.1", # "ifIndex" + "1.2", # "ifName" + "1.3", # "ifType" + "1.4", # "ifLinkState" + "1.7", # "ifCarpState" + ])], + "snmp_scan_function" : lambda oid: "genuscreen" in oid(".1.3.6.1.2.1.1.1.0").lower() + #"snmp_scan_function" : lambda oid: oid(".1.3.6.1.4.1.3717.2.1.2.1.7") != None +}

10 years, 11 months

Check_MK Git: check_mk: FIX: Added code to prevent injection of bogus varnames

by Lars Michelsen

Module: check_mk Branch: master Commit: 9a88392d2b4b5c4d9e35e5aa23e00bb1d1661611 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9a88392d2b4b5c… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Tue Oct 22 16:30:36 2013 +0200 FIX: Added code to prevent injection of bogus varnames --- ChangeLog | 2 ++ web/htdocs/html_mod_python.py | 10 +++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a91c9ce..c22bec4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -32,6 +32,8 @@ * FIX: Remove duplicate entries from Quicksearch * FIX: Avoid timed browser reload after execution of exections * FIX: Hosttag filter now works in service related views + * FIX: Added code to prevent injection of bogus varnames + (This might break code which uses some uncommon chars for varnames) BI: * FIX: Fix exception when showing BI tree in reporting time warp diff --git a/web/htdocs/html_mod_python.py b/web/htdocs/html_mod_python.py index a48f313..e794044 100644 --- a/web/htdocs/html_mod_python.py +++ b/web/htdocs/html_mod_python.py @@ -1,8 +1,10 @@ from mod_python import Cookie, util, apache import htmllib -import os, time, config, weblib +import os, time, config, weblib, re import defaults +varname_regex = re.compile('^[\w\d_-]+$') + class html_mod_python(htmllib.html): def __init__(self, req): @@ -45,6 +47,12 @@ class html_mod_python(htmllib.html): for field in fields.list: varname = field.name value = field.value + + # To prevent variours injections, we only allow a defined set + # of characters to be used in variables + if not varname_regex.match(varname): + continue + # Multiple occurrance of a variable? Store in extra list dict if varname in self.vars: if varname in self.listvars:

10 years, 11 months

Check_MK Git: check_mk: FIX: Improved user provided variable validation in inventory dialog

by Lars Michelsen

Module: check_mk Branch: master Commit: fe2b2122087a2d3f9e58a000ebc89f2eddf3f47b URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=fe2b2122087a2d… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Tue Oct 22 15:48:15 2013 +0200 FIX: Improved user provided variable validation in inventory dialog --- ChangeLog | 1 + web/htdocs/wato.py | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index bc9b138..a91c9ce 100644 --- a/ChangeLog +++ b/ChangeLog @@ -604,6 +604,7 @@ * FIX: check_ldap: Removed duplicate "-H" definition * FIX: Fixed some output encoding problem in snapshot restore / deletion code * FIX: Improved user provided variable validation in snapshot handling code + * FIX: Improved user provided variable validation in inventory dialog Event Console: * FIX: apply rewriting of application/hostname also when cancelling events diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py index 95951d2..5ba6745 100644 --- a/web/htdocs/wato.py +++ b/web/htdocs/wato.py @@ -2288,6 +2288,7 @@ def show_service_table(host, firsttime): first = True trclass = "even" for st, ct, checkgroup, item, paramstring, params, descr, state, output, perfdata in table: + item = html.attrencode(item or 'None') if state_type != st: continue if first: @@ -2307,7 +2308,7 @@ def show_service_table(host, firsttime): # Status, Checktype, Item, Description, Check Output html.write("<td class=\"%s\">%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td>" % - (stateclass, statename, ct, item, descr, output)) + (stateclass, statename, ct, item, html.attrencode(descr), html.attrencode(output))) # Icon for Rule editor, Check parameters html.write("<td>")

10 years, 11 months

Check_MK Git: check_mk: Fixed WATO changes label - code is now being escaped

by Lars Michelsen

Module: check_mk Branch: master Commit: 2844a792f977105aae310fe11d617673d2b93077 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=2844a792f97710… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Tue Oct 22 16:50:53 2013 +0200 Fixed WATO changes label - code is now being escaped --- web/htdocs/wato.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py index 5ba6745..6602edd 100644 --- a/web/htdocs/wato.py +++ b/web/htdocs/wato.py @@ -13946,7 +13946,7 @@ def search_button(): def changelog_button(): pending = parse_audit_log("pending") if len(pending) > 0: - buttontext = "<b>%d " % len(pending) + _("Changes") + "</b>" + buttontext = "%d " % len(pending) + _("Changes") hot = True icon = "wato_changes" else:

10 years, 11 months

Check_MK Git: check_mk: Trying to escape some more vars in generic places - hopefully leaves most things working

by Lars Michelsen

Module: check_mk Branch: master Commit: 2a84188258a2de48e589a04b89d653ac9d8e77f3 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=2a84188258a2de… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Tue Oct 22 16:32:18 2013 +0200 Trying to escape some more vars in generic places - hopefully leaves most things working --- web/htdocs/htmllib.py | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py index 0be74f0..c26a0da 100644 --- a/web/htdocs/htmllib.py +++ b/web/htdocs/htmllib.py @@ -163,11 +163,13 @@ class html: else: enctype = '' if onsubmit: - onsubmit = ' onsubmit="%s"' % onsubmit + onsubmit = ' onsubmit="%s"' % self.attrencode(onsubmit) else: onsubmit = '' + enc_name = self.attrencode(name) self.write('<form id="form_%s" name="%s" class="%s" action="%s" method="%s"%s%s>\n' % - (name, name, name, action, method, enctype, onsubmit)) + (enc_name, enc_name, enc_name, self.attrencode(action), self.attrencode(method), + enctype, onsubmit)) self.hidden_field("filled_in", name) if add_transid: self.hidden_field("_transid", str(self.fresh_transid())) @@ -199,7 +201,7 @@ class html: def hidden_field(self, var, value, id = None, add_var = False): if value != None: - id = id and ' id="%s"' % id or '' + id = id and ' id="%s"' % self.attrencode(id) or '' self.write("<input type=\"hidden\" name=\"%s\" value=\"%s\"%s />" % (self.attrencode(var), self.attrencode(value), id)) if add_var: @@ -254,7 +256,7 @@ class html: def image_button(self, varname, title, cssclass = ''): if not self.mobile: - self.write('<label for="%s" class="image_button">' % varname) + self.write('<label for="%s" class="image_button">' % self.attrencode(varname)) self.raw_button(varname, title, cssclass) if not self.mobile: self.write('</label>') @@ -483,7 +485,8 @@ class html: for value, text in options: if value == None: value = "" sel = value == current and " selected" or "" - self.write("<option value=\"%s\"%s>%s</option>\n" % (value, sel, text)) + self.write("<option value=\"%s\"%s>%s</option>\n" % + (self.attrencode(value), sel, self.attrencode(text))) self.write("</select>\n") if varname: self.form_vars.append(varname) @@ -496,7 +499,8 @@ class html: if value == None: value = "" sel = value == current and " selected" or "" self.write('<option style="background-image:url(images/icon_%s.png);" ' - 'value=\"%s\"%s>%s</option>\n' % (icon, value, sel, text)) + 'value=\"%s\"%s>%s</option>\n' % + (icon, self.attrencode(value), sel, self.attrencode(text))) self.write("</select>\n") if varname: self.form_vars.append(varname) @@ -518,12 +522,12 @@ class html: checked = self.var(varname) == value checked_text = checked and " checked" or "" if label: - id = "rb_%s_%s" % (varname, value) + id = "rb_%s_%s" % (varname, self.attrencode(value)) idtxt = ' id="%s"' % id else: idtxt = "" self.write("<input type=radio name=%s value=\"%s\"%s%s>\n" % - (varname, value, checked_text, idtxt)) + (varname, self.attrencode(value), checked_text, idtxt)) if label: self.write('<label for="%s">%s</label>\n' % (id, label)) self.form_vars.append(varname)

10 years, 11 months

Check_MK Git: check_mk: FIX: Improved user provided variable validation in view code

by Lars Michelsen

Module: check_mk Branch: master Commit: 6ecb1a6fe7e77ee0e4b5df938f1f5a864e18dd68 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=6ecb1a6fe7e77e… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Tue Oct 22 14:59:13 2013 +0200 FIX: Improved user provided variable validation in view code --- ChangeLog | 1 + web/htdocs/htmllib.py | 14 ++++++++------ web/htdocs/views.py | 4 +++- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index a5c9951..bc9b138 100644 --- a/ChangeLog +++ b/ChangeLog @@ -588,6 +588,7 @@ folders that do not exist locally * FIX: correctly display sub-minute check/retry intervals * FIX: fix logic of some numeric sorters + * FIX: Improved user provided variable validation in view code WATO: * FIX: fix layout of Auxiliary tags table diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py index 115fef1..0be74f0 100644 --- a/web/htdocs/htmllib.py +++ b/web/htdocs/htmllib.py @@ -346,6 +346,7 @@ class html: self.context_buttons_open = False def context_button(self, title, url, icon=None, hot=False, id=None, bestof=None, hover_title='', fkey=None): + title = self.attrencode(title) display = "block" if bestof: counts = self.get_button_counts() @@ -360,22 +361,23 @@ class html: self.begin_context_buttons() if icon: - title = '<img src="images/icon_%s.png">%s' % (icon, title) + title = '<img src="images/icon_%s.png">%s' % (self.attrencode(icon), self.attrencode(title)) if id: - idtext = " id='%s'" % id + idtext = " id='%s'" % self.attrencode(id) else: idtext = "" - self.write('<div%s style="display:%s" class="contextlink%s%s" ' % (idtext, display, hot and " hot" or "", (fkey and self.keybindings_enabled) and " button" or "")) + self.write('<div%s style="display:%s" class="contextlink%s%s" ' % + (idtext, display, hot and " hot" or "", (fkey and self.keybindings_enabled) and " button" or "")) self.context_button_hover_code(hot and "_hot" or "") self.write('>') - self.write('<a href="%s"' % url) + self.write('<a href="%s"' % self.attrencode(url)) if hover_title: - self.write(' title="%s"' % hover_title) + self.write(' title="%s"' % self.attrencode(hover_title)) if bestof: self.write(' onclick="count_context_button(this); document.location=this.href; " ') if fkey and self.keybindings_enabled: title += '<div class=keysym>F%d</div>' % fkey - self.add_keybinding([html.F1 + (fkey - 1)], "document.location='%s';" % url) + self.add_keybinding([html.F1 + (fkey - 1)], "document.location='%s';" % self.attrencode(url)) self.write('>%s</a></div>\n' % title) def context_button_hover_code(self, what): diff --git a/web/htdocs/views.py b/web/htdocs/views.py index 5958fc0..f88a4f6 100644 --- a/web/htdocs/views.py +++ b/web/htdocs/views.py @@ -500,6 +500,8 @@ def page_edit_view(): if cloneuser: mode = 'clone' view = copy.deepcopy(html.multisite_views.get((cloneuser, viewname), None)) + if not view: + raise MKUserError('cloneuser', _('The view does not exist.')) # Make sure, name is unique if cloneuser == config.user_id: # Clone own view newname = viewname + "_clone" @@ -1135,7 +1137,7 @@ def page_view(): raise MKGeneralException(_("Missing the variable view_name in the URL.")) view = html.available_views.get(view_name) if not view: - raise MKGeneralException(("No view defined with the name '%s'.") % view_name) + raise MKGeneralException(("No view defined with the name '%s'.") % html.attrencode(view_name)) show_view(view, True, True, True)

10 years, 11 months

Check_MK Git: check_mk: Fixed invalid function call in latest change

by Lars Michelsen

Module: check_mk Branch: master Commit: ac4d50feeaf6732fc2b81b23361a405f82e6906f URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=ac4d50feeaf673… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Tue Oct 22 15:16:53 2013 +0200 Fixed invalid function call in latest change --- web/htdocs/sidebar.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/htdocs/sidebar.py b/web/htdocs/sidebar.py index 672c2af..f8c6ddc 100644 --- a/web/htdocs/sidebar.py +++ b/web/htdocs/sidebar.py @@ -565,7 +565,7 @@ def ajax_del_bookmark(): try: del bookmarks[num] except IndexError: - raise MKGeneralException(_("Unknown bookmark id: %d. This is probably a problem with reload or browser history. Please try again.") % htmllib.attrencode(num)) + raise MKGeneralException(_("Unknown bookmark id: %d. This is probably a problem with reload or browser history. Please try again.") % html.attrencode(num)) save_bookmarks(bookmarks) render_bookmarks() @@ -597,7 +597,7 @@ def page_edit_bookmark(): raise MKGeneralException(_("Invalid bookmark id.")) bookmarks = load_bookmarks() if n >= len(bookmarks): - raise MKGeneralException(_("Unknown bookmark id: %d. This is probably a problem with reload or browser history. Please try again.") % htmllib.attrencode(n)) + raise MKGeneralException(_("Unknown bookmark id: %d. This is probably a problem with reload or browser history. Please try again.") % html.attrencode(n)) if html.var("save") and html.check_transaction(): title = html.var("title")

10 years, 11 months

Check_MK Git: check_mk: Fixed injection in bookmark edit page

by Lars Michelsen

Module: check_mk Branch: master Commit: 248d88b4fcd20f34e39853ae5cb20d35bbd2e81c URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=248d88b4fcd20f… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Tue Oct 22 15:12:08 2013 +0200 Fixed injection in bookmark edit page --- web/htdocs/sidebar.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/web/htdocs/sidebar.py b/web/htdocs/sidebar.py index d932919..8435f4e 100644 --- a/web/htdocs/sidebar.py +++ b/web/htdocs/sidebar.py @@ -585,7 +585,10 @@ def ajax_add_bookmark(): def page_edit_bookmark(): html.header(_("Edit Bookmark")) - n = int(html.var("num")) + try: + n = int(html.var("num")) + except ValueError: + raise MKGeneralException(_("Invalid bookmark id.")) bookmarks = load_bookmarks() if n >= len(bookmarks): raise MKGeneralException(_("Unknown bookmark id: %d. This is probably a problem with reload or browser history. Please try again.") % n)

10 years, 11 months

← Newer
1
...
7
8
9
10
11
12
13
...
39
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

Checkmk git commits October 2013