Module: check_mk
Branch: master
Commit: 25c1c43bbbf78113008d6f658a4fdc6f25456568
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=25c1c43bbbf781…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 30 15:37:46 2015 +0200
Fixed computation of service descriptions when having unicode strings
---
modules/check_mk.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/check_mk.py b/modules/check_mk.py
index 270b032..4399fe6 100755
--- a/modules/check_mk.py
+++ b/modules/check_mk.py
@@ -1265,13 +1265,14 @@ def service_description(check_type, item):
# can by empty in some cases. Nagios silently drops leading
# and trailing spaces in the configuration file.
- if type(item) == str:
+ item_type = type(item)
+ if item_type in [ str, unicode ]:
# Remove characters from item name that are banned by Nagios
item_safe = sanitize_service_description(item)
if "%s" not in descr_format:
descr_format += " %s"
return (descr_format % (item_safe,)).strip()
- if type(item) == int or type(item) == long:
+ elif item_type in [ int, long ]:
if "%s" not in descr_format:
descr_format += " %s"
return (descr_format % (item,)).strip()
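Review bot: The branch `if item_type in [ str, unicode ]:` tests exact type membership, so a `str`/`unicode` subclass skips both branches and falls through to whatever follows the hunk; `isinstance(item, basestring)` expresses the intent and is the Python 2 idiom for "any string". A second thing to confirm: once `item` is unicode, `descr_format % (item_safe,)` promotes the whole result to unicode, and if `descr_format` is a byte string containing non-ASCII characters that interpolation raises `UnicodeDecodeError` instead of producing a description, so a test with a non-ASCII item and a non-ASCII format string would pin the fix. `service_description` begins before the hunk and continues after it.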
Module: check_mk
Branch: master
Commit: 86a8383d0d992d96a0053e1759500ea56b721da9
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=86a8383d0d992d…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 30 13:46:06 2015 +0200
#2392 SEC Auth cookie is always using "httponly" flag
All newly issued authentication cookies have the flag "httponly"
set now. This makes the cookie values inaccessible from scripts
executed in the browser, e.g. from Javascript. This secures the
cookie against some sorts of cookie stealing attempts.
See https://www.owasp.org/index.php/HttpOnly for details.
---
.werks/2392 | 15 +++++++++++++++
ChangeLog | 1 +
web/htdocs/html_mod_python.py | 3 ++-
3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/.werks/2392 b/.werks/2392
new file mode 100644
index 0000000..4b1a249
--- /dev/null
+++ b/.werks/2392
@@ -0,0 +1,15 @@
+Title: Auth cookie is always using "httponly" flag
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1435664667
+
+All newly issued authentication cookies have the flag "httponly"
+set now. This makes the cookie values inaccessible from scripts
+executed in the browser, e.g. from Javascript. This secures the
+cookie against some sorts of cookie stealing attempts.
+
+See https://www.owasp.org/index.php/HttpOnly for details.
diff --git a/ChangeLog b/ChangeLog
index ec63693..90509c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,7 @@
* 2389 SEC: Fixed XSS using the _body_class parameter of views...
* 2390 SEC: Fixed possible XSS issue on views...
* 2391 SEC: Auth cookie is using "secure" flag when HTTPS request detected...
+ * 2392 SEC: Auth cookie is always using "httponly" flag...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/htdocs/html_mod_python.py b/web/htdocs/html_mod_python.py
index 1c72e2f..c15d54c 100644
--- a/web/htdocs/html_mod_python.py
+++ b/web/htdocs/html_mod_python.py
@@ -70,7 +70,8 @@ class html_mod_python(htmllib.html):
return self.req.headers_in.get('X-Forwarded-Proto') == 'https'
def set_cookie(self, varname, value, expires = None):
- c = Cookie.Cookie(varname, value, path='/', secure=self.is_ssl_request())
+ # httponly tells the browser not to make this cookie available to Javascript
+ c = Cookie.Cookie(varname, value, path='/', secure=self.is_ssl_request(), httponly=True)
if expires is not None:
c.expires = expires
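Review bot: `httponly=True` on the `Cookie.Cookie(...)` call only reaches the browser if the installed mod_python's `Cookie` class recognizes that attribute; on releases that predate it the keyword may be dropped from the emitted `Set-Cookie` header rather than rejected, in which case this change silently does nothing (to be verified against the deployed version). Worth pinning with a check that the rendered header actually contains `HttpOnly`, and recording the requirement in the comment, e.g. `# httponly keeps the cookie out of reach of script (needs a mod_python Cookie class that supports the attribute)`. `set_cookie` continues past the end of the hunk.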
Module: check_mk
Branch: master
Commit: 46f0181efe57544c16f34c29d6d63ba40a7b024f
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=46f0181efe5754…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 30 13:19:10 2015 +0200
#2391 SEC Auth cookie is using "secure" flag when HTTPS request detected
In previous versions the authentication cookie, which identifies an
authenticated user with the GUI, was never using the "secure" flag.
This means the cookie was sent to the webserver when doing HTTP and
HTTPS requests. In such a situation a user which authenticated using
HTTPS could access the GUI using HTTP and was still authenticated
because the browser sends the HTTPS related cookie via HTTP. This is
some kind of security risk since the information which should only
be transported using the encrypted HTTPS requests could be transported
in clear text over the network using HTTP.
The GUI tries now to detect the HTTPS requests. In case a HTTPS
request is detected, the cookies are set with the "secure" flag
which makes the cookies only used via HTTPS.
The HTTPS detection currently checks whether or not the HTTP request
header <tt>X-Forwarded-Proto</tt> is set to <tt>https</tt>.
---
.werks/2391 | 25 +++++++++++++++++++++++++
ChangeLog | 1 +
web/htdocs/html_mod_python.py | 5 ++++-
3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/.werks/2391 b/.werks/2391
new file mode 100644
index 0000000..26f2bb2
--- /dev/null
+++ b/.werks/2391
@@ -0,0 +1,25 @@
+Title: Auth cookie is using "secure" flag when HTTPS request detected
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1435662820
+
+In previous versions the authentication cookie, which identifies an
+authenticated user with the GUI, was never using the "secure" flag.
+This means the cookie was sent to the webserver when doing HTTP and
+HTTPS requests. In such a situation a user which authenticated using
+HTTPS could access the GUI using HTTP and was still authenticated
+becaus the browser sends the HTTPS related cookie via HTTP. This is
+some kind of security risk since the information which should only
+be transported using the encrypted HTTPS requests could be transported
+in clear text over the network using HTTP.
+
+The GUI tries now to detect the HTTPS requests. In case a HTTPS
+request is detected, the cookies are set with the "secure" flag
+which makes the cookies only used via HTTPS.
+
+The HTTPS detection currently checks wether or not the HTTP request
+header <tt>X-Forwarded-Proto</tt> is set to <tt>https</tt>.
diff --git a/ChangeLog b/ChangeLog
index 272e4b6..ec63693 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,7 @@
* 2388 SEC: Fixed reflected XSS on the index page using the start_url parameter
* 2389 SEC: Fixed XSS using the _body_class parameter of views...
* 2390 SEC: Fixed possible XSS issue on views...
+ * 2391 SEC: Auth cookie is using "secure" flag when HTTPS request detected...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/htdocs/html_mod_python.py b/web/htdocs/html_mod_python.py
index 0d6a3f9..1c72e2f 100644
--- a/web/htdocs/html_mod_python.py
+++ b/web/htdocs/html_mod_python.py
@@ -66,8 +66,11 @@ class html_mod_python(htmllib.html):
except:
pass
+ def is_ssl_request(self):
+ return self.req.headers_in.get('X-Forwarded-Proto') == 'https'
+
def set_cookie(self, varname, value, expires = None):
- c = Cookie.Cookie(varname, value, path = '/')
+ c = Cookie.Cookie(varname, value, path='/', secure=self.is_ssl_request())
if expires is not None:
c.expires = expires
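Review bot: `is_ssl_request` recognizes TLS only through the literal header value `X-Forwarded-Proto: https`, so a request that reaches Apache over TLS without a reverse proxy, or a proxy that sends `HTTPS` in upper case, yields `secure=False` and the cookie is issued without the flag. A case-insensitive compare combined with the server's own TLS indicator would close that gap, e.g. `return self.req.is_https() or self.req.headers_in.get('X-Forwarded-Proto', '').lower() == 'https'` if the deployed mod_python provides `req.is_https()` (verify before relying on it). A client-supplied header can at most switch the flag on, which is the safe direction. `set_cookie` continues past the end of the hunk.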
Module: check_mk
Branch: master
Commit: 18c7a774c9cf8764b044458b50e8d62a8ae8ae12
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=18c7a774c9cf87…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 30 10:49:08 2015 +0200
It was possible to use the view_name variable to inject HTML/Javascript
code into the status GUI views.
Conflicts:
ChangeLog
web/htdocs/htmllib.py
---
.werks/2390 | 11 +++++++++++
ChangeLog | 1 +
web/htdocs/htmllib.py | 2 +-
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/.werks/2390 b/.werks/2390
new file mode 100644
index 0000000..27b905a
--- /dev/null
+++ b/.werks/2390
@@ -0,0 +1,11 @@
+Title: Fixed possible XSS issue on views
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1435654030
+
+It was possible to use the view_name variable to inject HTML/Javascript
+code into the status GUI views.
diff --git a/ChangeLog b/ChangeLog
index 7bce667..0255535 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,7 @@
* 2387 SEC: Fixed XSS problem on all pages using confirm dialogs outputting user provided parameters...
* 2388 SEC: Fixed reflected XSS on the index page using the start_url parameter
* 2389 SEC: Fixed XSS using the _body_class parameter of views...
+ * 2390 SEC: Fixed possible XSS issue on views...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index fd3d5b7..1d0b83f 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -1004,7 +1004,7 @@ class html:
'<img class=statusicon src="images/icon_menu.png" title="%s">\n' % _("Add this view to..."),
'add_visual', 'add_visual', data='[\'%s\', %s, {\'name\': \'%s\'}]' %
(mode_name, self.attrencode(repr(encoded_vars)),
- self.var('view_name')))
+ self.attrencode(self.var('view_name'))))
for img, tooltip in self.status_icons.items():
if type(tooltip) == tuple:
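Review bot: `self.attrencode(self.var('view_name'))` lands inside a JavaScript string literal (`{'name': '%s'}`) that itself sits in the HTML `data='...'` attribute, so HTML attribute encoding is only sufficient if `attrencode` also neutralizes `'` and `\` for the JavaScript layer, which cannot be confirmed from the hunk. Encoding for JavaScript first and then for HTML, as the neighbouring `encoded_vars` argument does via `repr(...)` before `attrencode`, would make both layers explicit; with `json.dumps(self.var('view_name'))` the surrounding quotes in the template would have to go since the encoder supplies them. Also worth checking what `attrencode` does when `view_name` is absent and `self.var` returns `None`. The call this line belongs to starts before the hunk.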
Module: check_mk
Branch: master
Commit: d65dda742a9141ca9fa444010730aa31512d0308
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=d65dda742a9141…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 30 10:42:31 2015 +0200
#2389 SEC Fixed XSS using the _body_class parameter of views
It was possible to use the _body_class parameter of the status GUI views
to inject HTML/Javascript code into the pages.
The _body_class parameter, which was only used for internal purposes, has
totally been removed now.
---
.werks/2389 | 14 ++++++++++++++
ChangeLog | 1 +
web/htdocs/htmllib.py | 12 +++++++-----
web/htdocs/views.py | 3 ---
web/plugins/dashboard/dashlets.py | 2 +-
5 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/.werks/2389 b/.werks/2389
new file mode 100644
index 0000000..f3d7ed6
--- /dev/null
+++ b/.werks/2389
@@ -0,0 +1,14 @@
+Title: Fixed XSS using the _body_class parameter of views
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1435653652
+
+It was possible to use the _body_class parameter of the status GUI views
+to inject HTML/Javascript code into the pages.
+
+The _body_class parameter, which was only used for internal purposes, has
+totally been removed now.
diff --git a/ChangeLog b/ChangeLog
index ec8b852..7bce667 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -27,6 +27,7 @@
* 2385 SEC: Fixed possible reflected XSS on all GUI pages where users can produce unhandled exceptions...
* 2387 SEC: Fixed XSS problem on all pages using confirm dialogs outputting user provided parameters...
* 2388 SEC: Fixed reflected XSS on the index page using the start_url parameter
+ * 2389 SEC: Fixed XSS using the _body_class parameter of views...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index d6ffbef..fd3d5b7 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -114,6 +114,7 @@ class html:
self.ignore_transids = False
self.current_transid = None
self.page_context = {}
+ self.body_classes = ['main']
# Time measurement
self.times = {}
@@ -865,17 +866,18 @@ class html:
def immediate_browser_redirect(self, secs, url):
self.javascript("set_reload(%s, '%s');" % (secs, url))
- def body_css_classes(self):
- body_classes = [ "main" ]
- if self.var("_body_class"):
- body_classes.append(self.var("_body_class"))
+ def add_body_css_class(self, cls):
+ self.body_classes.append(cls)
+
+ def get_body_css_classes(self):
+ body_classes = self.body_classes
if self.screenshotmode:
body_classes.append("screenshotmode")
return " ".join(body_classes)
def body_start(self, title='', **args):
self.html_head(title, **args)
- self.write('<body class="%s">' % self.body_css_classes())
+ self.write('<body class="%s">' % self.get_body_css_classes())
def header(self, title='', **args):
if self.output_format == "html":
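Review bot: `get_body_css_classes` binds `body_classes = self.body_classes` without copying, so in screenshot mode every call appends another `"screenshotmode"` to the instance list, whereas the replaced `body_css_classes` built a fresh list per call. `body_classes = list(self.body_classes)` (or `return " ".join(self.body_classes + ["screenshotmode"])` inside the branch) keeps the per-call behaviour. Since `add_body_css_class` now feeds the `<body class="%s">` write in `body_start` without encoding, a short docstring should state that callers pass fixed class-name constants, never request-derived values; the only caller in this commit, `dashlets.py`, passes the literal `'dashlet'`.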
diff --git a/web/htdocs/views.py b/web/htdocs/views.py
index 6181f53..a7e0dfe 100644
--- a/web/htdocs/views.py
+++ b/web/htdocs/views.py
@@ -2301,7 +2301,6 @@ def paint_header(view, p):
# Important for links:
# - Add the display options (Keeping the same display options as current)
# - Link to _self (Always link to the current frame)
- # - Keep the _body_class variable (e.g. for dashlets)
thclass = ''
onclick = ''
title = ''
@@ -2311,8 +2310,6 @@ def paint_header(view, p):
params = [
('sort', sort_url(view, painter, join_index)),
]
- if html.has_var('_body_class'):
- params.append(('_body_class', html.var('_body_class')))
if hasattr(html, 'title_display_options'):
params.append(('display_options', html.title_display_options))
diff --git a/web/plugins/dashboard/dashlets.py b/web/plugins/dashboard/dashlets.py
index ee74711..398f537 100644
--- a/web/plugins/dashboard/dashlets.py
+++ b/web/plugins/dashboard/dashlets.py
@@ -550,7 +550,7 @@ def dashlet_view(nr, dashlet):
html.set_var('display_options', 'HRSIXL')
html.set_var('_display_options', 'HRSIXL')
- html.set_var('_body_class', 'dashlet')
+ html.add_body_css_class('dashlet')
import views # FIXME: HACK, clean this up somehow
views.load_views()