Module: check_mk
Branch: master
Commit: b35e2492f520f2f770ec927fc2b153e0549d3533
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=b35e2492f520f2…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Dec 3 09:11:34 2014 +0100
#1587 SEC Prevent logging of passwords during initial distributed site login
When creating a distributed monitoring setup using WATO, after configuring
a remote site in the central site, you need to log in to the remote site
as admin user once to establish a trust between both sites.
This login was made using an HTTP GET request, which is logged in the access
logs of the affected webservers (local system apache, local site apache,
remote system apache, remote site apache). All these log entries contain the
whole GET query string, which also includes the inserted username and password.
This has been fixed by replacing the GET request with a POST request where
the request vars are not logged in the access log.
---
.werks/1587 | 19 +++++++++++++++++++
ChangeLog | 1 +
web/htdocs/wato.py | 17 +++++++++++------
3 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/.werks/1587 b/.werks/1587
new file mode 100644
index 0000000..7e5fcdd
--- /dev/null
+++ b/.werks/1587
@@ -0,0 +1,19 @@
+Title: Prevent logging of passwords during initial distributed site login
+Level: 1
+Component: wato
+Compatible: compat
+Version: 1.2.5i7
+Date: 1417594096
+Class: security
+
+When creating a distributed monitoring setup using WATO, after configuring
+a remote site in the central site, you need to login into the remote site
+as admin user once to establish a trust between both sites.
+
+This login was made using a HTTP get request, which is logged in the access
+logs of the affected webservers (local system apache, local site apache,
+remote system apache, remote site apache). All these log entries contain the
+whole GET query string, which also includes the inserted username and password.
+
+This has been fixed by replacing the GET request with a POST request where
+the request vars are not logged in the access log.
diff --git a/ChangeLog b/ChangeLog
index b55f0b1..1d16e40 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -104,6 +104,7 @@
* 1495 Most WATO tables can now be sorted (where useful)...
* 1504 WATO makes host tag and group information available for NagVis...
* 1535 Disabled services on service discovery page now link to the ruleset
+ * 1587 SEC: Prevent logging of passwords during initial distributed site login...
* 1165 FIX: Fixed exception in service discovery of logwatch event console forwarding checks...
* 1490 FIX: Timperiod excludes can now even be configured when creating a timeperiod...
* 1491 FIX: Fixed bug in dynamic lists where removing an item was not always possible...
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index e69ca57..089e6bb 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -9877,7 +9877,7 @@ def mode_sites(phase):
"the initial handshake and not be stored. If the login is "
"successful then both side will exchange a login secret "
"which is used for the further remote calls.") % site["alias"])
- html.begin_form("login")
+ html.begin_form("login", method="POST")
html.write("<table class=form>")
html.write("<tr><td class=legend>%s</td>" % _("Administrator login"))
html.write("<td class=content>")
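Review bot: Nothing at `html.begin_form("login", method="POST")` records why the method matters, so a later cleanup could drop the argument and put the admin password back into the query string. Add a one-line comment above it, for example `# POST on purpose: the credentials must not appear in the query string, which the web servers write to their access logs (werk #1587)`. The same rationale belongs above the `post_data = html.urlencode_vars([...])` assignment in the do_site_login hunk of this file. The body of mode_sites starts and ends outside this hunk.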
@@ -10561,15 +10561,20 @@ def do_site_login(site_id, name, password):
# Trying basic auth AND form based auth to ensure the site login works.
# Adding _ajaxid makes the web service fail silently with an HTTP code and
# not output HTML code for an error screen.
- url = site["multisiteurl"] + 'login.py?_login=1' \
- '&_username=%s&_password=%s&_origtarget=automation_login.py&_plain_error=1' % \
- (name, password)
- response = get_url(url, site.get('insecure', False), name, password).strip()
+ url = site["multisiteurl"] + 'login.py'
+ post_data = html.urlencode_vars([
+ ('_login', '1'),
+ ('_username', name),
+ ('_password', password),
+ ('_origtarget', 'automation_login.py'),
+ ('_plain_error', '1'),
+ ])
+ response = get_url(url, site.get('insecure', False), name, password, post_data=post_data).strip()
if '<html>' in response.lower():
message = _("Authentication to web service failed.<br>Message:<br>%s") % \
html.strip_tags(html.strip_scripts(response))
if config.debug:
- message += "<br>Automation URL: <tt>%s</tt><br>" % url
+ message += "<br>" + _("Automation URL:") + " <tt>%s</tt><br>" % url
raise MKAutomationException(message)
elif not response:
raise MKAutomationException(_("Empty response from web service"))
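Review bot: Whether the password really stays out of logs now depends on how `get_url` transports `post_data`, and that function is not visible in this hunk. If it builds an external command line or logs its arguments, the secret would still be exposed on the central site in process listings or logs, so it is worth confirming that the body is sent in-process or via a protected temporary file. The call `get_url(url, site.get('insecure', False), name, password, post_data=post_data)` also still sends the credentials a second time as basic auth, and the `insecure` flag presumably relaxes certificate checking, so the handshake is only as confidential as the transport to `site["multisiteurl"]`. Separately, the werk text could tell administrators that earlier logins remain in the existing access logs, so the password should be changed and those logs restricted or rotated. The body of do_site_login starts and ends outside this hunk.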
Module: check_mk
Branch: master
Commit: e860032acb15b8a8159da4601842467eddb06a8e
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=e860032acb15b8…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Dec 2 15:50:33 2014 +0100
#1585 FIX Dashboard: Fixed mass client CPU load consumption when making graph dashlets too small
When PNP graph dashlets were too small, the PNP graph resizing code could get into
a situation where continuous HTTP requests were made to get a smaller PNP graph where
it was not possible to get a smaller one. This resulted in a lot of CPU load by the
browser on the client host.
---
.bugs/2230 | 7 +++++--
.werks/1585 | 12 ++++++++++++
ChangeLog | 1 +
web/plugins/dashboard/dashlets.py | 22 ++++++++++++++++++++++
4 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/.bugs/2230 b/.bugs/2230
index 8e1be6f..2751767 100644
--- a/.bugs/2230
+++ b/.bugs/2230
@@ -1,9 +1,9 @@
Title: Dashboard javascript goes to 100% CPU if PNP graph cannot be rendered
Component: multisite
-State: open
+Class: bug
+State: done
Date: 2014-12-01 08:10:12
Targetversion: 1.2.5i1
-Class: bug
This happened with the following dashboard in a case where the rightmost
PNP graph was not displayabe because the size of the screen was too
@@ -358,3 +358,6 @@ small:
'single_infos': [],
'title': u'Main Graph View',
'topic': u'Overview'}}
+
+2014-12-02 15:47:35: changed state open -> done
+Fixed.
diff --git a/.werks/1585 b/.werks/1585
new file mode 100644
index 0000000..99881a6
--- /dev/null
+++ b/.werks/1585
@@ -0,0 +1,12 @@
+Title: Dashboard: Fixed mass client CPU load consumption when making graph dashlets too small
+Level: 1
+Component: multisite
+Compatible: compat
+Version: 1.2.5i7
+Date: 1417531745
+Class: fix
+
+When PNP graph dashlets were too small, the PNP graph resizing code could get into
+a situation where continous HTTP requests were made to get a smaller PNP graph where
+it was not possible to get a smaller one. This resulted in a lot of CPU load by the
+browser on the client host.
diff --git a/ChangeLog b/ChangeLog
index ba88009..682974f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -94,6 +94,7 @@
* 1578 FIX: Folding states of containers with umlauts in titles are now persisted...
* 1580 FIX: Views: Hardcoded single context filters are not shown in filter form anymore...
* 1581 FIX: Single context views with missing context show an error message now...
+ * 1585 FIX: Dashboard: Fixed mass client CPU load consumption when making graph dashlets too small...
WATO:
* 1170 Added buttons to move rules to top/bottom of the list to ruleset edit dialog
diff --git a/web/plugins/dashboard/dashlets.py b/web/plugins/dashboard/dashlets.py
index 5ed326b..7e8e03c 100644
--- a/web/plugins/dashboard/dashlets.py
+++ b/web/plugins/dashboard/dashlets.py
@@ -385,6 +385,7 @@ dashlet_types["pnpgraph"] = {
var dashlet_offsets = {};
function dashboard_render_pnpgraph(nr, img_url)
{
+ // Get the target size for the graph from the inner dashlet container
var inner = document.getElementById('dashlet_inner_' + nr);
var c_w = inner.clientWidth;
var c_h = inner.clientHeight;
@@ -397,6 +398,12 @@ function dashboard_render_pnpgraph(nr, img_url)
container.appendChild(img);
}
+ // This handler is called after loading the configured graph image to verify
+ // it fits into the inner dashlet container.
+ // One could think that it can simply be solved by requesting an image of the
+ // given size from PNP/rrdtool, but this is not the case. When we request an
+ // image of a specified size, this size is used for the graphing area. The
+ // resulting image has normally labels which are added to the requested size.
img.onload = function(nr, url, w, h) {
return function() {
var i_w = this.clientWidth;
@@ -410,14 +417,29 @@ function dashboard_render_pnpgraph(nr, img_url)
return; // Finished resizing
}
+ // When the target height is smaller or equal to 81 pixels, PNP
+ // returns an image which has no labels, just the graph, which has
+ // exactly the requested height. In this situation no further resizing
+ // is needed.
if (h <= 81 || h - y_diff <= 81) {
this.style.width = '100%';
this.style.height = '100%';
return;
}
+ // Save the sizing differences between the requested size and the
+ // resulting size. This is, in fact, the size of the graph labels.
+ // load_graph_img() uses these dimensions to try to get an image
+ // which really fits the requested dimensions.
if (typeof dashlet_offsets[nr] == 'undefined') {
dashlet_offsets[nr] = [x_diff, y_diff];
+ } else if (dashlet_offsets[nr][0] != x_diff || dashlet_offsets[nr][1] != y_diff) {
+ // was not successful in getting a correctly sized image. Seems
+ // that PNP/rrdtool was not able to render this size. Terminate
+ // and automatically scale to 100%/100%
+ this.style.width = '100%';
+ this.style.height = '100%';
+ return;
}
load_graph_img(nr, this, url, w, h);
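Review bot: The new `else if` branch stops the reload cycle only when the measured offsets differ from the stored `dashlet_offsets[nr]`; when they are equal, control still reaches `load_graph_img(nr, this, url, w, h)` on every load. Whether that path can repeat indefinitely depends on how `x_diff` and `y_diff` are computed above the hunk, so this is a hedged concern. A per-dashlet attempt counter that falls back to 100%/100% scaling after a small fixed number of reloads would give a hard upper bound on requests regardless of what PNP returns. The fallback also repeats the three lines of the `h <= 81` branch, and a small local helper for "scale to the container and stop" would keep the two exits in sync. `dashlet_offsets[nr]` is never cleared in the visible lines, so it is worth checking that a later legitimate resize of the dashlet is not cut short by stale offsets.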
Module: check_mk
Branch: master
Commit: 42c98329294e6873bc6bd52e035ae733e01a0cc2
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=42c98329294e68…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Dec 2 11:35:38 2014 +0100
Updated bug entries #1009, #1068
---
.bugs/1009 | 7 +++++--
.bugs/1068 | 8 ++++++--
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/.bugs/1009 b/.bugs/1009
index 3d80416..515a65d 100644
--- a/.bugs/1009
+++ b/.bugs/1009
@@ -1,9 +1,12 @@
Title: quicksearch: combining host and service search no longer works
Component: multisite
-State: open
+Class: bug
+State: works4me
Date: 2014-11-05 22:13:21
Targetversion: future
-Class: bug
a search for services with 's: ' combined with a search for hosts with 'h: ...' always returns
ALL hosts with the selected services, not only the selected services on the selected hosts.
+
+2014-12-02 11:00:33: changed state open -> works4me
+Has already been fix. Seems like...
diff --git a/.bugs/1068 b/.bugs/1068
index b6792ff..2d37a9c 100644
--- a/.bugs/1068
+++ b/.bugs/1068
@@ -1,9 +1,9 @@
Title: check_mk_exit_status does not work for SNMP based devices
Component: checks
-State: open
+Class: bug
+State: works4me
Date: 2014-05-06 11:50:46
Targetversion: 1.2.5i1
-Class: bug
If you do checks on devices not switched on 24x7, you define a rule
"Status of Check_MK Service", which sets check_mk_exit_status
@@ -12,3 +12,7 @@ For devices using the Check_MK agent, this works fine.
For devices using SNMP it does not work.
But also maybe a printer (queried by SNMP) may be switched off during
none office hours.
+
+2014-12-02 11:35:13: changed state open -> works4me
+This works at least for connection problems. Needs to be analyzed for
+each case individually when it does not work.
Module: check_mk
Branch: master
Commit: 47ef4e64e068809c69a64de81b0112fb048cdf9f
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=47ef4e64e06880…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Dec 2 10:59:34 2014 +0100
Updated bug entries #2138, #2141
---
.bugs/2138 | 7 +++++--
.bugs/2141 | 7 +++++--
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/.bugs/2138 b/.bugs/2138
index 12411a9..6d96289 100644
--- a/.bugs/2138
+++ b/.bugs/2138
@@ -1,12 +1,15 @@
Title: Multisite does handle state, has_been_checked and initial_state wrong
Component: multisite
-State: open
+Class: bug
+State: wontfix
Date: 2014-07-24 13:10:32
Targetversion: future
-Class: bug
When a host/service has an initial_state configured and the host/service has
never been checked, it is always shown as pending host/service. The initial
state is not handled by multisite.
Livestatus provides the correct information.
+
+2014-12-02 10:57:06: changed state open -> wontfix
+The feature initial_state is not supported by multisite.
diff --git a/.bugs/2141 b/.bugs/2141
index fb8282f..f241a5a 100644
--- a/.bugs/2141
+++ b/.bugs/2141
@@ -1,7 +1,10 @@
Title: Single Host aggregations shows multiple aggregations per definition
Component: multisite
-State: open
+Class: bug
+State: works4me
Date: 2014-08-05 14:19:51
Targetversion: 1.2.5i1
-Class: bug
+
+2014-12-02 10:53:13: changed state open -> works4me
+Cna not produce a problem here.
Module: check_mk
Branch: master
Commit: 7bf1f1cb195feebe1958f2d61f245c1286127a36
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=7bf1f1cb195fee…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Dec 2 11:57:29 2014 +0100
#1582 FIX Fixed missing graphs in mails when sending notifications to non-contacts
When sending HTML mails to mail addresses or contacts which are not assigned to
a host or service, the graphs were missing in the HTML mails. This has been fixed
now. To make it fully working, you need to use the Check_MK Monitoring System builds.
---
.bugs/2204 | 7 +++++--
.werks/1582 | 11 +++++++++++
ChangeLog | 1 +
notifications/mail | 5 ++++-
4 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/.bugs/2204 b/.bugs/2204
index 9047c86..39483fe 100644
--- a/.bugs/2204
+++ b/.bugs/2204
@@ -1,9 +1,9 @@
Title: Make PNP graphs in notifications user independent
Component: core
-State: open
+Class: bug
+State: done
Date: 2014-11-18 10:18:50
Targetversion: 1.2.5i1
-Class: bug
When using bulk notifications to send mails to a non-contact, the graphs can not
be fetched from PNP, because there is no user context. This seems to need a patch
@@ -12,3 +12,6 @@ livestatus for permission on the service or host.
A possible good fix could be to patch pnp that the permission check is disabled
when executed from command line.
+
+2014-12-02 11:55:17: changed state open -> done
+Fixed.
diff --git a/.werks/1582 b/.werks/1582
new file mode 100644
index 0000000..68b157a
--- /dev/null
+++ b/.werks/1582
@@ -0,0 +1,11 @@
+Title: Fixed missing graphs in mails when sending notifications to non-contacts
+Level: 1
+Component: notifications
+Compatible: compat
+Version: 1.2.5i7
+Date: 1417517720
+Class: fix
+
+When sending HTML mails to mail addresses or contacts which are not assigned to
+a host or service, the graphs were missing in the HTML mails. This has been fixed
+now. To make it fully working, you need to use the Check_MK Monitoring System builds.
diff --git a/ChangeLog b/ChangeLog
index 3481d36..ade9e24 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -118,6 +118,7 @@
* 1512 Bulk notification can now be grouped according to custom macro values...
* 1168 FIX: HTML mails can now be configured to display graphs among each other...
* 1514 FIX: Try harder to detect previous hard state in notification when using Nagios as core...
+ * 1582 FIX: Fixed missing graphs in mails when sending notifications to non-contacts...
BI:
* 1435 FIX: Saving BI aggregations: No longer reports 'Request-URI Too Large'...
diff --git a/notifications/mail b/notifications/mail
index e77c21b..60ba26c 100755
--- a/notifications/mail
+++ b/notifications/mail
@@ -380,15 +380,18 @@ def fetch_pnp_data(context, params):
# Autodetect the path in OMD environments
path = "%s/share/pnp4nagios/htdocs/index.php" % context['OMD_ROOT']
php_save_path = "-d session.save_path=%s/tmp/php/session" % context['OMD_ROOT']
+ env = 'REMOTE_USER="check-mk" SKIP_AUTHORIZATION=1'
except:
# Non-omd environment - use plugin argument 1
path = context.get('PARAMETER_1', '')
php_save_path = "" # Using default path
+ skip_authorization = False
+ env = 'REMOTE_USER="%s"' % context['CONTACTNAME']
if not os.path.exists(path):
raise GraphException('Unable to locate pnp4nagios index.php (%s)' % path)
- return os.popen('REMOTE_USER="%s" php %s %s "%s"' % (context['CONTACTNAME'], php_save_path, path, params)).read()
+ return os.popen('%s php %s %s "%s"' % (env, php_save_path, path, params)).read()
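Review bot: The command on the new `os.popen('%s php %s %s "%s"' % (env, php_save_path, path, params))` line is still assembled as a shell string, and the added `env = 'REMOTE_USER="%s"' % context['CONTACTNAME']` interpolates another notification-context value into it. A contact name, path or graph parameter containing quotes or shell metacharacters would be parsed by the shell, so the call should pass an argument list and an environment dict without a shell, as sketched below (this needs `subprocess` imported if the script does not already import it). The added `skip_authorization = False` is never read in the visible lines and can be dropped. `SKIP_AUTHORIZATION=1` presumably disables the PNP permission check, so it is worth confirming that the PHP side honours it only for command-line invocations. The `try:` that opens this block and the start of fetch_pnp_data are outside the hunk.

```python
    # … unchanged: OMD autodetection of path …
    php_args = ["-d", "session.save_path=%s/tmp/php/session" % context['OMD_ROOT']]
    env_vars = {"REMOTE_USER": "check-mk", "SKIP_AUTHORIZATION": "1"}
except:
    # … unchanged: non-OMD path taken from PARAMETER_1 …
    php_args = []  # Using default session path
    env_vars = {"REMOTE_USER": context['CONTACTNAME']}

# … unchanged: os.path.exists(path) check …

child_env = dict(os.environ)
child_env.update(env_vars)
# Argument list and explicit environment: no value from the notification
# context is ever interpreted as shell syntax.
proc = subprocess.Popen(["php"] + php_args + [path, params],
                        env=child_env, stdout=subprocess.PIPE)
return proc.communicate()[0]
```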
def fetch_num_sources(context):
svc_desc = context['WHAT'] == 'HOST' and '_HOST_' or context['SERVICEDESC']