Module: check_mk
Branch: master
Commit: 74258f5b8d6de9f53b09afc43e88eed6edbc4719
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=74258f5b8d6de9…
Author: Sven Panne <sp(a)mathias-kettner.de>
Date: Fri Nov 3 13:07:48 2017 +0100
Removed superfluous class.
Change-Id: I3e716cccaf7935d4a922a74b4f37f5b877c53da5
---
livestatus/src/Makefile.am | 1 -
livestatus/src/ServiceGroupMembersColumn.cc | 24 ++++++++++++--
livestatus/src/ServiceGroupMembersFilter.cc | 50 -----------------------------
livestatus/src/ServiceGroupMembersFilter.h | 41 -----------------------
4 files changed, 22 insertions(+), 94 deletions(-)
diff --git a/livestatus/src/Makefile.am b/livestatus/src/Makefile.am
index 02f4a58..a4ce651 100644
--- a/livestatus/src/Makefile.am
+++ b/livestatus/src/Makefile.am
@@ -103,7 +103,6 @@ liblivestatus_a_SOURCES = \
RendererPython3.cc \
ServiceContactsColumn.cc \
ServiceGroupMembersColumn.cc \
- ServiceGroupMembersFilter.cc \
ServiceGroupsColumn.cc \
ServiceListColumn.cc \
ServiceListStateColumn.cc \
diff --git a/livestatus/src/ServiceGroupMembersColumn.cc b/livestatus/src/ServiceGroupMembersColumn.cc
index 15c0a2c..e597d61 100644
--- a/livestatus/src/ServiceGroupMembersColumn.cc
+++ b/livestatus/src/ServiceGroupMembersColumn.cc
@@ -25,10 +25,12 @@
#include "ServiceGroupMembersColumn.h"
#include <algorithm>
#include <iterator>
+#include <ostream>
#include "Filter.h"
+#include "ListFilter.h"
+#include "Logger.h"
#include "Renderer.h"
#include "Row.h"
-#include "ServiceGroupMembersFilter.h"
#ifdef CMC
#include "Host.h"
@@ -54,9 +56,27 @@ void ServiceGroupMembersColumn::output(
}
}
+namespace {
+// value must be of the form
+// hostname hostservice_separator service_description
+std::string checkValue(Logger *logger, RelationalOperator relOp,
+ const std::string &value) {
+ auto pos = value.find(ServiceGroupMembersColumn::separator());
+ bool equality = relOp == RelationalOperator::equal ||
+ relOp == RelationalOperator::not_equal;
+ if (pos == std::string::npos && !(equality && value.empty())) {
+ Informational(logger)
+ << "Invalid reference value for service list membership. Must be 'hostname"
+ << ServiceGroupMembersColumn::separator() << "servicename'";
+ }
+ return value;
+}
+} // namespace
+
std::unique_ptr<Filter> ServiceGroupMembersColumn::createFilter(
RelationalOperator relOp, const std::string &value) const {
- return std::make_unique<ServiceGroupMembersFilter>(*this, relOp, value);
+ return std::make_unique<ListFilter>(*this, relOp,
+ checkValue(logger(), relOp, value));
}
std::vector<std::string> ServiceGroupMembersColumn::getValue(
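Review bot: checkValue at the top of the hunk only emits an Informational log and returns `value` unchanged, so a reference that fails the format check still becomes the ListFilter's argument; the name reads as if it rejected the value. Since this pass-through is the function's whole contract, it deserves a comment at the definition, e.g. `// Diagnostic only: a malformed value is logged but handed to the filter unchanged.` The empty-value exemption for equal/not_equal is likewise undocumented; one line on why an empty reference is acceptable for those operators would help the next reader. Note also that the test is only `pos == std::string::npos`, so a value containing the separator but with an empty hostname or service part produces no diagnostic — presumably acceptable for the filter, but worth stating in the comment.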
diff --git a/livestatus/src/ServiceGroupMembersFilter.cc b/livestatus/src/ServiceGroupMembersFilter.cc
deleted file mode 100644
index efbe79b..0000000
--- a/livestatus/src/ServiceGroupMembersFilter.cc
+++ /dev/null
@@ -1,50 +0,0 @@
-// +------------------------------------------------------------------+
-// | ____ _ _ __ __ _ __ |
-// | / ___| |__ ___ ___| | __ | \/ | |/ / |
-// | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
-// | | |___| | | | __/ (__| < | | | | . \ |
-// | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
-// | |
-// | Copyright Mathias Kettner 2014 mk(a)mathias-kettner.de |
-// +------------------------------------------------------------------+
-//
-// This file is part of Check_MK.
-// The official homepage is at http://mathias-kettner.de/check_mk.
-//
-// check_mk is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License as published by
-// the Free Software Foundation in version 2. check_mk is distributed
-// in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
-// out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-// PARTICULAR PURPOSE. See the GNU General Public License for more de-
-// tails. You should have received a copy of the GNU General Public
-// License along with GNU Make; see the file COPYING. If not, write
-// to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
-// Boston, MA 02110-1301 USA.
-
-#include "ServiceGroupMembersFilter.h"
-#include <ostream>
-#include "Logger.h"
-#include "ServiceGroupMembersColumn.h"
-
-namespace {
-// value must be of the form
-// hostname hostservice_separator service_description
-std::string checkValue(Logger *logger, RelationalOperator relOp,
- const std::string &value) {
- auto pos = value.find(ServiceGroupMembersColumn::separator());
- bool equality = relOp == RelationalOperator::equal ||
- relOp == RelationalOperator::not_equal;
- if (pos == std::string::npos && !(equality && value.empty())) {
- Informational(logger)
- << "Invalid reference value for service list membership. Must be 'hostname"
- << ServiceGroupMembersColumn::separator() << "servicename'";
- }
- return value;
-}
-} // namespace
-
-ServiceGroupMembersFilter::ServiceGroupMembersFilter(
- const ServiceGroupMembersColumn &column, RelationalOperator relOp,
- const std::string &value)
- : ListFilter(column, relOp, checkValue(column.logger(), relOp, value)) {}
diff --git a/livestatus/src/ServiceGroupMembersFilter.h b/livestatus/src/ServiceGroupMembersFilter.h
deleted file mode 100644
index 2af9acc..0000000
--- a/livestatus/src/ServiceGroupMembersFilter.h
+++ /dev/null
@@ -1,41 +0,0 @@
-// +------------------------------------------------------------------+
-// | ____ _ _ __ __ _ __ |
-// | / ___| |__ ___ ___| | __ | \/ | |/ / |
-// | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
-// | | |___| | | | __/ (__| < | | | | . \ |
-// | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
-// | |
-// | Copyright Mathias Kettner 2014 mk(a)mathias-kettner.de |
-// +------------------------------------------------------------------+
-//
-// This file is part of Check_MK.
-// The official homepage is at http://mathias-kettner.de/check_mk.
-//
-// check_mk is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License as published by
-// the Free Software Foundation in version 2. check_mk is distributed
-// in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
-// out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-// PARTICULAR PURPOSE. See the GNU General Public License for more de-
-// tails. You should have received a copy of the GNU General Public
-// License along with GNU Make; see the file COPYING. If not, write
-// to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
-// Boston, MA 02110-1301 USA.
-
-#ifndef ServiceGroupMembersFilter_h
-#define ServiceGroupMembersFilter_h
-
-#include "config.h" // IWYU pragma: keep
-#include <string>
-#include "ListFilter.h"
-#include "opids.h"
-class ServiceGroupMembersColumn;
-
-class ServiceGroupMembersFilter : public ListFilter {
-public:
- ServiceGroupMembersFilter(const ServiceGroupMembersColumn &column,
- RelationalOperator relOp,
- const std::string &value);
-};
-
-#endif // ServiceGroupMembersFilter_h
Module: check_mk
Branch: master
Commit: 504bd5002b76c3756868df11901a56f0f9b8ac14
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=504bd5002b76c3…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Nov 3 10:34:41 2017 +0100
5431 SEC Fixed possible reflected XSS using custom bookmarks
It was possible to create custom bookmarks by making the user open a
crafted URL. This created a bookmark in the user's default bookmark list
which could be used to execute arbitrary JavaScript code when the user
clicks on the just-created link.
For example, the user's session cookies could be read and reported to the
attacker, who could then hijack the user's sessions with the application.
This issue has been fixed by limiting absolute URLs in bookmarks to the
URL schemes <tt>https</tt> and <tt>http</tt>.
Change-Id: I80a47c981970f23dd9737f1c6000cc82799220b1
---
.werks/5431 | 20 ++++++++++++++++++++
web/plugins/sidebar/shipped.py | 11 +++++++++++
2 files changed, 31 insertions(+)
diff --git a/.werks/5431 b/.werks/5431
new file mode 100644
index 0000000..35e29cc
--- /dev/null
+++ b/.werks/5431
@@ -0,0 +1,20 @@
+Title: Fixed possible reflected XSS using custom bookmarks
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1509701263
+
+It was possible to create custom bookmarks by making the user open a
+crafted URL. This created a bookmark in the users default bookmark list
+which could be used to execute custom javascript code when the user
+clicks on the just created link.
+
+For example the user session cookies can be read and reported to the
+attackers, who could then hijack the users sessions with the application.
+
+This issue has been fixed by limiting absolute URLs in bookmarks to the
+URL schemes <tt>https</tt> and <tt>http</tt>.
diff --git a/web/plugins/sidebar/shipped.py b/web/plugins/sidebar/shipped.py
index 03a8467..7903393 100644
--- a/web/plugins/sidebar/shipped.py
+++ b/web/plugins/sidebar/shipped.py
@@ -1495,6 +1495,7 @@ class BookmarkList(pagetypes.Overridable):
title = _("URL"),
size = 50,
allow_empty = False,
+ validate = self.validate_url,
)),
(IconSelector(
title = _("Icon"),
@@ -1527,9 +1528,18 @@ class BookmarkList(pagetypes.Overridable):
return parameters
+ def validate_url(cls, value, varprefix):
+ parsed = urlparse.urlparse(value)
+
+ # Absolute URLs are allowed, but limit it to http/https
+ if parsed.scheme != "" and parsed.scheme not in [ "http", "https" ]:
+ raise MKUserError(varprefix, _("This URL ist not allowed to be used as bookmark"))
+
+
@classmethod
def _load(cls):
cls.load_legacy_bookmarks()
+ self.load_legacy_bookmarks()
@classmethod
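Review bot: `def validate_url(cls, value, varprefix)` at the start of the hunk names its first parameter `cls` but carries no `@classmethod` decorator (the one two lines below belongs to `_load`), so the unbound call `BookmarkList.validate_url(url, "url")` in the ajax_add_bookmark hunk below will raise a TypeError under Python 2 instead of validating the URL; add `@classmethod` directly above `def validate_url`. The bound use `validate = self.validate_url` in the first hunk presumably works only because `self` happens to fill the `cls` slot. Separately, the added `self.load_legacy_bookmarks()` inside the `_load` classmethod references `self`, which is not defined in that scope, and duplicates the `cls.load_legacy_bookmarks()` call on the previous line; it looks like a stray line and should be removed.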
@@ -1694,6 +1704,7 @@ def ajax_add_bookmark():
title = html.var("title")
url = html.var("url")
if title and url:
+ BookmarkList.validate_url(url, "url")
add_bookmark(title, url)
render_bookmarks()
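Review bot: The scheme whitelist reached through `BookmarkList.validate_url(url, "url")` compares whatever `urlparse.urlparse` extracts, and as far as I can tell urlparse leaves leading whitespace and control characters in place (yielding an empty scheme, so the value is treated as relative and accepted), whereas browsers strip such characters before resolving an href; normalizing with `url = url.strip()` before the call, or rejecting values that contain whitespace or control characters, keeps the check aligned with what the browser will actually interpret. The same normalization belongs in the valuespec path of the first hunk, before `parsed = urlparse.urlparse(value)`, since both entry points store the value as given. Whether `MKUserError` raised here is turned into a proper error response by the ajax framework is not visible in this hunk and is worth confirming.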