Module: check_mk
Branch: master
Commit: be1e994000b4b980045e8dc379631130278ecb2b
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=be1e994000b4b9…
Author: Konstantin Büttner <kb(a)mathias-kettner.de>
Date: Fri Oct 28 13:53:20 2016 +0200
Edit description of Werk 3743
---
.werks/3743 | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/.werks/3743 b/.werks/3743
index aa07db4..230be49 100644
--- a/.werks/3743
+++ b/.werks/3743
@@ -1,4 +1,4 @@
-Title: mk_jolokia: Use JSON library to parse JSON output in lieu of eval()
+Title: mk_jolokia: Fix possible code injection
Level: 1
Component: checks
Class: security
@@ -7,6 +7,18 @@ State: unknown
Version: 1.4.0i1
Date: 1472111893
-Previously, the mk_jolokia agent plugin would try to parse the JSON data
-returned from jolokia with eval(). Now, the simplejson or json python
-libraries are a prerequisite for the plugin to work.
+The plugin now requires either the json or simplejson python library to work.
+
+Python 2.6 or higher ships with json, in this case, the plugin will work just
+as before.
+
+simplejson is available for Python 2.5 and higher, installation of this package
+is required for the plugin to work.
+
+Older python versions are not supported, please query your Jolokia instances
+from another host in these cases (recommended) or continue to use the old version
+of the plugin. (not recommended)
+
+In absence of the json or simplejson python libraries, the mk_jolokia plugin
+would previously try to parse the Jolokia response with python eval(), allowing
+a MITM attacker to inject arbitrary code.
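Review bot: The impact paragraph (the last three added lines) should open the description rather than close it, and it should say where the injected code runs: eval() executes the Jolokia response on the monitored host, as the user the agent plugin runs as, so an attacker who can tamper with the Jolokia connection gets code execution on that host. Stating that up front also makes the "(not recommended)" in the preceding paragraph self-explanatory, since the old plugin version keeps the eval() fallback. Minor style point: "Python 2.6 or higher ships with json, in this case, the plugin will work just as before." is a comma splice; split it after "json".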
Module: check_mk
Branch: master
Commit: 62a8d4e26ded48d0a8b7de16306bc1555c205a3c
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=62a8d4e26ded48…
Author: Roland Halbig <rh(a)mathias-kettner.de>
Date: Fri Oct 28 12:15:56 2016 +0200
Fixed views/painters.py so that it works with new HTML class.
---
web/plugins/views/painters.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/web/plugins/views/painters.py b/web/plugins/views/painters.py
index 0bd6d82..91b01a9 100644
--- a/web/plugins/views/painters.py
+++ b/web/plugins/views/painters.py
@@ -295,10 +295,14 @@ def process_multisite_icons(what, row, tags, custom_vars, toplevel):
raise
result = ("alert", "%s" % e)
- if result == None:
+ if result is None:
continue
- elif type(result) in [str,unicode]:
+ elif type(result) in [str, unicode, HTML]:
+
+ if isinstance(result, HTML):
+ result = str(result)
+
# TODO: This is handling the deprecated API with 1.2.7. Remove this one day.
if result[0] == '<':
# seems like an old format icon (html code). In regular rendering
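Review bot: The branch condition `elif type(result) in [str, unicode, HTML]:` matches exact types only, so an instance of a subclass of HTML (or of str/unicode) would skip this branch entirely even though the new inner check `if isinstance(result, HTML):` is already written with isinstance; use `elif isinstance(result, (str, unicode, HTML)):` for consistency. Also, `result = str(result)` will raise UnicodeEncodeError under Python 2 if the HTML object carries non-ASCII text, which icon markup with localized titles can; converting to unicode (or whatever text accessor the HTML class provides) avoids that. The existing `if result[0] == '<':` that follows still raises IndexError on an empty string, which an HTML object that renders to nothing would now also reach.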