Module: check_mk
Branch: master
Commit: 1e74b062ad331e4f075c1d664b0522dbd1c33bcb
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=1e74b062ad331e…
Author: Jukka Aro <ja(a)mathias-kettner.de>
Date: Thu Jan 11 15:03:59 2018 +0100
Windows agent: fix make target 'setversion'
Due to the peculiarities in the way we set the version number and the
mixture of manual make + autotools projects, the version number of the
Windows agent must be set in the manual Makefile in the agents
directory.
Change-Id: Ib97c503a0d8760a2b66fc4b13f88b939f1264f6b
---
agents/Makefile | 4 ++++
agents/windows/Makefile.am | 6 ------
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/agents/Makefile b/agents/Makefile
index 5a5aac3..d8f75a7 100644
--- a/agents/Makefile
+++ b/agents/Makefile
@@ -61,6 +61,10 @@ setversion:
sed -i 's/echo Version: [0-9.a-z-]*/'"echo Version: $(NEW_VERSION)/g" $$agent; \
fi ; \
done
+ package="Check_MK Windows Agent" ; \
+ mail=feedback(a)check-mk.org ; \
+ sed -i "s/^AC_INIT.*/AC_INIT([$$package], [$(NEW_VERSION)], [$$mail])/" \
+ windows/configure.ac
build:
$(MAKE) packages
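Review bot: The added sed call in the setversion recipe substitutes $(NEW_VERSION) into the replacement text without checking that it is set, so a run without NEW_VERSION writes an empty version into AC_INIT in windows/configure.ac, and a value containing / or & would break or alter the substitution. Suggest failing early when NEW_VERSION is empty, for example with a test -n check at the top of the recipe. A short comment that windows/configure.ac is resolved relative to the agents directory would also help, since the removed rule used $(VPATH)/configure.ac.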
diff --git a/agents/windows/Makefile.am b/agents/windows/Makefile.am
index 19386e4..c3b27ab 100644
--- a/agents/windows/Makefile.am
+++ b/agents/windows/Makefile.am
@@ -116,9 +116,3 @@ CLEANFILES = \
$(addprefix $(bindir)/,$(bin_PROGRAMS)) \
$(patsubst %$(EXEEXT),%-64$(EXEEXT),$(addprefix $(bindir)/,$(bin_PROGRAMS))) \
$(patsubst %$(EXEEXT),%.msi,$(addprefix $(bindir)/,$(bin_PROGRAMS)))
-
-setversion:
- package="Check_MK Windows Agent" ; \
- mail=feedback(a)check-mk.org ; \
- sed -i "s/^AC_INIT.*/AC_INIT([$$package], [$(NEW_VERSION)], [$$mail])/" \
- $(VPATH)/configure.ac
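Review bot: Removing setversion from Makefile.am leaves nothing in agents/windows that says where the AC_INIT version now comes from, and anyone who still runs make setversion in that directory gets a missing-target error with no pointer. Suggest a short comment here, or next to AC_INIT in configure.ac, stating that the version is rewritten by the setversion target in agents/Makefile.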
Module: check_mk
Branch: master
Commit: 42085da1826499c86de1c424284c6f25f974d5ff
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=42085da1826499…
Author: Jukka Aro <ja(a)mathias-kettner.de>
Date: Thu Jan 11 08:15:27 2018 +0100
Make windows eventlog tests less sensitive
Introduce a tolerance of 10 when verifying the expected eventstate.txt.
Use this tolerance when verifying non-essential event logs (other than
used for actual testing) as some system-dependent log entries may appear
there sporadically in a race condition as we cannot easily turn reading
both the eventlog and eventstate.txt into an atomic operation. When
verifying the Application log actually used for testing, allow no
tolerance (that is, use tolerance = 0). Even if not 100% secure, race
conditions are far less probable in Application log.
Change-Id: I27866c6554ebfebbfbb7b3de3fdfc936b414c59c
---
agents/windows/it/test_section_eventlog.py | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/agents/windows/it/test_section_eventlog.py b/agents/windows/it/test_section_eventlog.py
index 01af8c1..c7c02b1 100644
--- a/agents/windows/it/test_section_eventlog.py
+++ b/agents/windows/it/test_section_eventlog.py
@@ -1,5 +1,6 @@
import contextlib
from itertools import chain, repeat
+import math
import os
import platform
import re
@@ -23,6 +24,7 @@ testlog = 'Application'
testsource = 'Test source'
testeventtype = 'Warning'
testdescription = 'Something might happen!'
+tolerance = 10
testids = range(1, 3)
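Review bot: tolerance = 10 is added as a module-level constant with no comment on what it counts or which logs it applies to, and the name is generic next to testlog, testsource and the other test constants. Suggest a name such as eventstate_tolerance and a one-line comment that it applies only to logs other than testlog.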
@@ -171,9 +173,12 @@ def verify_eventstate():
sorted(expected_eventstate.items()),
sorted(actual_eventstate.items())):
assert expected_log == actual_log
- assert expected_state == actual_state, (
- "expected state for log '%s' is %d, actual state %d" %
- (expected_log, expected_state, actual_state))
+ state_tolerance = 0 if expected_log == testlog else tolerance
+ assert math.fabs(
+ expected_state - actual_state) <= state_tolerance, (
+ "expected state for log '%s' is %d, actual state %d, "
+ "state_tolerance %d" % (expected_log, expected_state,
+ actual_state, state_tolerance))
@pytest.mark.usefixtures("no_statefile")
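Review bot: The new assertion in verify_eventstate accepts a deviation in either direction, although the commit message only describes extra entries appearing sporadically in the non-essential logs. If that race can only move the state one way, a one-sided check on actual_state - expected_state against state_tolerance would still catch a state that drifts the other way. Separately, the built-in abs() does the same job as math.fabs on these values, which are formatted with %d, and would make the new import math unnecessary.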
Module: check_mk
Branch: master
Commit: 4de133ace84152390d5bba18e7997ebdfa5c7c8a
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=4de133ace84152…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Jan 10 16:20:10 2018 +0100
5632 SEC Fixed XSS when rendering values of dropdown choices
When using the WATO configuration it was possible to create e.g.
a service level definition with JavaScript code in its alias. When
this definition was configured in a rule of the ruleset
"Service Level of Hosts", the JavaScript code could be executed in the
browser context of the user viewing the rule.

The insertion of the JavaScript code is only possible for authenticated
users with the permission to configure Check_MK.
Change-Id: I968949787a22c30b63bcf3f4cf18a9a921d40770
---
.werks/5632 | 18 ++++++++++++++++++
web/htdocs/valuespec.py | 4 ++--
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/.werks/5632 b/.werks/5632
new file mode 100644
index 0000000..e1d57c8
--- /dev/null
+++ b/.werks/5632
@@ -0,0 +1,18 @@
+Title: Fixed XSS when rendering values of dropdown choices
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i3
+Date: 1515597400
+
+When using the WATO configuration it was possible to create e.g.
+a service level definition with javascript code in it's alias. When
+this definition was configured in a rule of the ruleset
+"Service Level of Hosts", the javascript code could be executed in the
+browsers context of the user viewing the rule.
+
+The insertion of the javascript code is only possible for authenticated
+users with the permission to configure Check_MK.
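Review bot: The werk body names only the service level alias and the "Service Level of Hosts" ruleset, while the title and the code change cover the rendered title of any DropdownChoice. Suggest saying so in the text, so that readers can judge exposure for other dropdown-backed settings. Also, "it's alias" should read "its alias" and "browsers context" should read "browser context".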
diff --git a/web/htdocs/valuespec.py b/web/htdocs/valuespec.py
index 63f91c3..c444209 100644
--- a/web/htdocs/valuespec.py
+++ b/web/htdocs/valuespec.py
@@ -1619,9 +1619,9 @@ class DropdownChoice(ValueSpec):
val, title = entry[:2]
if value == val:
if self._help_separator:
- return title.split(self._help_separator, 1)[0].strip()
+ return html.attrencode(title.split(self._help_separator, 1)[0].strip())
else:
- return title
+ return html.attrencode(title)
return html.attrencode(self._get_invalid_choice_title(value))
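Review bot: html.attrencode is now applied separately at each of the three return statements in this method, so a branch added later can again return a raw title. Suggest computing the text in the branches and escaping once at a single return. It is also worth confirming that no caller escapes this return value a second time, which would show entities literally in the page, and that no existing choice title relies on embedded markup that will now be rendered as text.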