Module: check_mk
Branch: master
Commit: cafe7e55ea7106ae427eebcc9d545be3da683b31
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=cafe7e55ea7106…
Author: Sebastian Herbord <sh(a)mathias-kettner.de>
Date: Mon Sep 21 10:06:31 2015 +0200
#2627 FIX knuerr_sensors: no longer creates a service for unnamed sensor
The device seems to send readings for unconnected sensor slots. A missing name seems to be the only
indication that no sensor is connected.
---
.werks/2627 | 10 ++++++++++
ChangeLog | 1 +
checks/knuerr_sensors | 3 ++-
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/.werks/2627 b/.werks/2627
new file mode 100644
index 0000000..5834fb7
--- /dev/null
+++ b/.werks/2627
@@ -0,0 +1,10 @@
+Title: knuerr_sensors: no longer creates a service for unnamed sensor
+Level: 1
+Component: checks
+Compatible: compat
+Version: 1.2.7i3
+Date: 1442822660
+Class: fix
+
+The device seems to send readings for unconnected sensor slots. A missing name seems to be the only
+indication that no sensor is connected.
diff --git a/ChangeLog b/ChangeLog
index fe028fa..1f5b67a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -193,6 +193,7 @@
* 2428 FIX: "Clustered services for overlapping cluster": Improved rule matching...
* 2608 FIX: kemp_loadmaster_ha: Fixed wrong discovery on snmp monitored linux systems
* 2609 FIX: mysql_capacity: Can now handle sizes reported being NULL...
+ * 2627 FIX: knuerr_sensors: no longer creates a service for unnamed sensor...
Multisite:
* 2385 SEC: Fixed possible reflected XSS on all GUI pages where users can produce unhandled exceptions...
diff --git a/checks/knuerr_sensors b/checks/knuerr_sensors
index 968fcde..5b2e1db 100644
--- a/checks/knuerr_sensors
+++ b/checks/knuerr_sensors
@@ -26,7 +26,8 @@
def inventory_knuerr_sensors(info):
for sensor, state in info:
- yield sensor, None
+ if sensor:
+ yield sensor, None
def check_knuerr_sensors(item, _no_params, info):
for sensor, state in info:
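Review bot: The new `if sensor:` guard carries no comment, so the reason an empty name is skipped lives only in the commit message; add `# unconnected sensor slots still report a reading but carry no name` above the guard so the next reader does not "simplify" it away. The truthiness test lets a name made only of whitespace through; whether the device can emit that is not visible here, but `if sensor.strip():` would cover it at no cost. check_knuerr_sensors begins on the hunk's last line and continues outside it.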
Module: check_mk
Branch: master
Commit: 328a58cb1b4c4021e9dfd48de057e265a63ae711
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=328a58cb1b4c40…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Sep 18 14:09:49 2015 +0200
#2615 FIX Fixed bug in legacy dashboard conversion when having users not permitted to access embedded views
When you have legacy dashboards (defined via plugin, located below local/share/check_mk/web/plugins/dashboards) that include a view some of your users don't have access to, and those
users are the first ones to access the GUI after an apache reload/restart, this could result
in exceptions like this for other users: "KeyError: 'datasource'".
---
.werks/2615 | 12 +++++++++++
ChangeLog | 1 +
web/htdocs/dashboard.py | 52 +++++++++++++++++++++++++++++++++--------------
web/htdocs/views.py | 3 +++
4 files changed, 53 insertions(+), 15 deletions(-)
diff --git a/.werks/2615 b/.werks/2615
new file mode 100644
index 0000000..77e199b
--- /dev/null
+++ b/.werks/2615
@@ -0,0 +1,12 @@
+Title: Fixed bug in legacy dashboard conversion when having users not permitted to access embedded views
+Level: 1
+Component: multisite
+Class: fix
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1442578060
+
+When you have legacy dashoards (defined via plugin, located below local/share/check_mk/web/plugins/dashboards) defined which include a view where some of your users don't have access to and these
+users are the first ones to access the GUI after apache reload/restart, this could result
+in exceptions like this for other users: "KeyError: 'datasource'".
diff --git a/ChangeLog b/ChangeLog
index 601b674..ede647a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -239,6 +239,7 @@
* 2597 FIX: Fix settings downtimes on BI aggregates in distributed environment...
* 2598 FIX: Remove button for removing downtimes an BI aggregates because it cannot work...
* 2607 FIX: Fixed broken links from BI views to aggregation group views
+ * 2615 FIX: Fixed bug in legacy dashboard conversion when having users not permitted to access embedded views...
WATO:
* 2365 Removed old deprecated notification global options for plain emails...
diff --git a/web/htdocs/dashboard.py b/web/htdocs/dashboard.py
index e85bd67..e37b121 100644
--- a/web/htdocs/dashboard.py
+++ b/web/htdocs/dashboard.py
@@ -180,7 +180,7 @@ def transform_builtin_dashboards():
view_name = dashlet['view'].split('&')[0]
# Copy the view definition into the dashlet
- load_view_into_dashlet(dashlet, nr, view_name)
+ load_view_into_dashlet(dashlet, nr, view_name, load_from_all_views=True)
del dashlet['view']
else:
@@ -206,21 +206,44 @@ def transform_builtin_dashboards():
dashboard.setdefault('description', dashboard.get('title', ''))
builtin_dashboards_transformed = True
-def load_view_into_dashlet(dashlet, nr, view_name, add_context=None):
+def load_view_into_dashlet(dashlet, nr, view_name, add_context=None, load_from_all_views=False):
import views
views.load_views()
- views = views.permitted_views()
- if view_name in views:
- view = copy.deepcopy(views[view_name])
- dashlet.update(view)
- if add_context:
- dashlet['context'].update(add_context)
-
- # Overwrite the views default title with the context specific title
- dashlet['title'] = visuals.visual_title('view', view)
- dashlet['title_url'] = html.makeuri_contextless(
- [('view_name', view_name)] + visuals.get_singlecontext_vars(view).items(),
- filename='view.py')
+
+ permitted_views = views.permitted_views()
+
+ # it is random which user is first accessing
+ # an apache python process, initializing the dashboard loading and conversion of
+ # old dashboards. In case of the conversion we really try hard to make the conversion
+ # work in all cases. So we need all views instead of the views of the user.
+ if load_from_all_views and view_name not in permitted_views:
+ # This is not really 100% correct according to the logic of visuals.available(),
+ # but we do this for the rare edge case during legacy dashboard conversion, so
+ # this should be sufficient
+ view = None
+ for (u, n), this_view in views.all_views().items():
+ # take the first view with a matching name
+ if view_name == n:
+ view = this_view
+ break
+
+ if not view:
+ raise MKGeneralException(_("Failed to convert a builtin dashboard which is referencing "
+ "the view \"%s\". You will have to migrate it to the new "
+ "dashboard format on your own to work properly." % view_name))
+ else:
+ view = permitted_views[view_name]
+
+ view = copy.deepcopy(view) # Clone the view
+ dashlet.update(view)
+ if add_context:
+ dashlet['context'].update(add_context)
+
+ # Overwrite the views default title with the context specific title
+ dashlet['title'] = visuals.visual_title('view', view)
+ dashlet['title_url'] = html.makeuri_contextless(
+ [('view_name', view_name)] + visuals.get_singlecontext_vars(view).items(),
+ filename='view.py')
dashlet['type'] = 'view'
dashlet['name'] = 'dashlet_%d' % nr
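Review bot: The fallback loop `for (u, n), this_view in views.all_views().items():` takes whichever view of that name the dict yields first, so when several owners have a view with the same name the definition copied into the builtin dashboard depends on dict ordering and is never checked for ownership or permission; if builtin views are keyed with an empty owner, as the visuals code presumably does, look up `views.all_views().get(('', view_name))` first and only then fall back to the scan, and say so in the comment. The `else` branch `view = permitted_views[view_name]` drops the old `if view_name in views:` guard, so a dashlet referencing a view the user may not see now fails with a bare KeyError instead of being skipped; raising the same MKGeneralException there keeps the failure explicit. The format operator in `raise MKGeneralException(_("..." % view_name))` runs before `_()`, so the translation lookup never matches; it should be `_("...") % view_name`. load_view_into_dashlet continues past the end of the hunk.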
@@ -681,7 +704,6 @@ def ajax_dashlet():
if the_dashlet['type'] not in dashlet_types:
raise MKGeneralException(_('The requested dashlet type does not exist.'))
-
render_dashlet_content(ident, the_dashlet, stash_html_vars=False)
#.
diff --git a/web/htdocs/views.py b/web/htdocs/views.py
index 360ab29..284c85c 100644
--- a/web/htdocs/views.py
+++ b/web/htdocs/views.py
@@ -101,6 +101,9 @@ def permitted_views():
load_views()
return available_views
+def all_views():
+ return multisite_views
+
# Convert views that are saved in the pre 1.2.6-style
# FIXME: Can be removed one day. Mark as incompatible change or similar.
def transform_old_views():
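Review bot: `all_views()` returns the (presumably module-level) `multisite_views` without calling `load_views()` first, unlike `permitted_views()` two lines above, so a caller that reaches it before any `permitted_views()` call gets whatever the module currently holds; add `load_views()` before the return, plus a docstring such as `"""Return every loaded view regardless of owner or permission. Only for the legacy dashboard conversion; user-facing code must use permitted_views()."""`. Returning the registry itself also lets callers mutate it, though the current caller only reads it.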
Module: check_mk
Branch: master
Commit: f82654d2a7d13c813df84cdf5d093342f239f27c
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=f82654d2a7d13c…
Author: Sebastian Herbord <sh(a)mathias-kettner.de>
Date: Fri Sep 18 13:26:08 2015 +0200
#2626 ps check configurable to list state of individual processes in long output
The configuration parameter is called "Enable per-process details in long-output" and it can be set
to either text or HTML output. HTML output works only if html escaping has been disabled in global
settings which may be a potential security problem.
---
.werks/2626 | 11 ++++
ChangeLog | 1 +
checks/ps.include | 94 ++++++++++++++++++++++++++++++++--
web/plugins/wato/check_parameters.py | 18 ++++++-
4 files changed, 118 insertions(+), 6 deletions(-)
Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=f82654d2a7…
Module: check_mk
Branch: master
Commit: 380b27b93ce721f1ab561b143f23cc560ab7caaa
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=380b27b93ce721…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Sep 18 10:31:39 2015 +0200
#2613 SEC Additional fix for refleced XSS on index page using start_url
The issue has already been addressed in werk #2388, but was not really
fixing the problem for all cases.
---
.werks/2613 | 11 +++++++++++
ChangeLog | 1 +
web/htdocs/main.py | 2 +-
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/.werks/2613 b/.werks/2613
new file mode 100644
index 0000000..2ae4414
--- /dev/null
+++ b/.werks/2613
@@ -0,0 +1,11 @@
+Title: Additional fix for refleced XSS on index page using start_url
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1442565029
+
+The issue has already been addressed in werk #2388, but was not really
+fixing the problem for all cases.
diff --git a/ChangeLog b/ChangeLog
index d439275..92b5031 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -209,6 +209,7 @@
* 2491 Allow clickable URLs in comments and downtime texts...
* 2512 Custom Icons/Actions: URLs target frames can now be configured...
* 2612 SEC: Fixed possible XSS on service detail page using the long service output...
+ * 2613 SEC: Additional fix for refleced XSS on index page using start_url...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/htdocs/main.py b/web/htdocs/main.py
index 2ce6dd8..8133673 100644
--- a/web/htdocs/main.py
+++ b/web/htdocs/main.py
@@ -36,7 +36,7 @@ def page_index():
start_url = default_start_url
# Also prevent using of "javascript:" URLs which could used to inject code
- if start_url.startswith('javascript:'):
+ if start_url.lower().startswith('javascript:'):
start_url = default_start_url
if "%s" in config.page_heading:
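Review bot: The guard `if start_url.lower().startswith('javascript:'):` is still a denylist of a single scheme applied to the untrimmed value, which is why the first fix (werk #2388) had to be revisited; an allowlist is the robust form, e.g. `if urlparse.urlparse(start_url.strip()).scheme.lower() not in ('', 'http', 'https'): start_url = default_start_url` with `urlparse` imported at the top of the file, keeping the existing comment above it. page_index starts before the hunk and continues after it.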
Module: check_mk
Branch: master
Commit: 673f0addeeb867f3c620d0bcbc1d43ac14783492
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=673f0addeeb867…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Sep 18 10:08:10 2015 +0200
#2612 SEC Fixed possible XSS on service detail page using the long service output
Normally all check results displayed in the GUI are HTML escaped by default.
The escaping was missing for the long service output of the service detail
page. So one could create multi line check results containing HTML/Javascript
code which would be executed when a user opens the service detail page of
the service with the check result containing the injected code.
The issue has been fixed by escaping the long output exactly like the normal
plugin output. One difference is left: newline characters are replaced by
HTML newlines to make displaying of multiple lines still possible.
If you want the old behaviour back, you can disable the plugin output escaping
using the global settings. But please note that an attacker might be able to
inject javascript code.
---
.werks/2612 | 23 +++++++++++++++++++++++
ChangeLog | 1 +
web/plugins/views/painters.py | 2 +-
3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/.werks/2612 b/.werks/2612
new file mode 100644
index 0000000..bc65f16
--- /dev/null
+++ b/.werks/2612
@@ -0,0 +1,23 @@
+Title: Fixed possible XSS on service detail page using the long service output
+Level: 2
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1442563370
+
+Normaly all check results displayed in the GUI are HTML escaped by default.
+The escaping was missing for the long service output of the service detail
+page. So one could create multi line check results containing HTML/Javascript
+code which would be executed when a user opens the service detail page of
+the service with the check result containing the injected code.
+
+The issue has been fixed by escaping the long output exactly like the normal
+plugin output. One difference is left: newline characters are replaced by
+HTML newlines to make displaying of multiple lines still possible.
+
+If you want the old behaviour back, you can disable the plugin output escaping
+using the global settings. But please note that an attacker might be able to
+inject javascript code.
+
diff --git a/ChangeLog b/ChangeLog
index 759efe1..d439275 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -208,6 +208,7 @@
* 2501 Implemented new crash report handling...
* 2491 Allow clickable URLs in comments and downtime texts...
* 2512 Custom Icons/Actions: URLs target frames can now be configured...
+ * 2612 SEC: Fixed possible XSS on service detail page using the long service output...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/plugins/views/painters.py b/web/plugins/views/painters.py
index fd085cf..f72e398 100644
--- a/web/plugins/views/painters.py
+++ b/web/plugins/views/painters.py
@@ -517,7 +517,7 @@ multisite_painters["svc_long_plugin_output"] = {
"title" : _("Long output of check plugin (multiline)"),
"short" : _("Status detail"),
"columns" : ["service_long_plugin_output"],
- "paint" : lambda row: paint_stalified(row, row["service_long_plugin_output"].replace('\\n', '<br>').replace('\n', '<br>')),
+ "paint" : lambda row: paint_stalified(row, format_plugin_output(row["service_long_plugin_output"], row).replace('\\n', '<br>').replace('\n', '<br>')),
}
multisite_painters["svc_perf_data"] = {
"title" : _("Service performance data"),
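Review bot: The rewritten lambda at `"paint" : lambda row: paint_stalified(row, format_plugin_output(...)...)` hides the one ordering the fix depends on: escaping (when enabled in the global settings) must run before the `<br>` substitution so that the inserted line breaks stay HTML while markup inside the plugin output is escaped, and nothing on the line says so. A named helper with a comment makes the order explicit and keeps the painter entry readable. The painter dict begins before the hunk, as the hunk header shows.
```python
def paint_svc_long_plugin_output(row):
    # Escape first (honours the global plugin-output escaping setting), then
    # turn newlines into <br>, so only our own line breaks are rendered as HTML.
    output = format_plugin_output(row["service_long_plugin_output"], row)
    return paint_stalified(row, output.replace('\\n', '<br>').replace('\n', '<br>'))

# … unchanged: "title", "short", "columns" entries of the painter …
    "paint" : paint_svc_long_plugin_output,
```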