Module: check_mk
Branch: master
Commit: 63eecd7c3f18a285049b9685b74c610b1e960141
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=63eecd7c3f18a2…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Jan 24 14:58:24 2018 +0100
5654 SEC Fixed XSS on the site management page
When using the WATO configuration it was possible to create a site on
the distributed monitoring page with javascript code in
its alias. When this site was later displayed in the site tables, the
javascript code could be executed in the browsers context of the user
viewing the table.
The insertion of the javascript code is only possible for authenticated
users with the permission to configure Check_MK sites.
Change-Id: Iee73cf89af0544fda08f6aaf8884a5c9aab000c5
---
.werks/5654 | 18 ++++++++++++++++++
web/htdocs/wato.py | 24 ++++++++++++------------
2 files changed, 30 insertions(+), 12 deletions(-)
diff --git a/.werks/5654 b/.werks/5654
new file mode 100644
index 0000000..e20ab94
--- /dev/null
+++ b/.werks/5654
@@ -0,0 +1,18 @@
+Title: Fixed XSS on the site management page
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i3
+Date: 1516802216
+
+When using the WATO configuration it was possible to create a site on
+the distributed monitoring page which uses with javascript code in
+it's alias. When this site was later displayed in the site tables, the
+javascript code could be executed in the browsers context of the user
+viewing the table.
+
+The insertion of the javascript code is only possible for authenticated
+users with the permission to configure Check_MK sites.
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 4982c96..cb28caf 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -5619,7 +5619,7 @@ class ModeActivateChanges(WatoMode, watolib.ActivateChanges):
if site_url:
html.icon_button(site_url, _("Open this site's local web user interface"), "url", target="_blank")
- table.cell(_("Site"), site.get("alias", site_id))
+ table.text_cell(_("Site"), site.get("alias", site_id))
# Livestatus
table.cell(_("Status"), css="narrow nobr")
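Review bot: The alias is now escaped via `table.text_cell`, but `site_url` two lines above is handed to `html.icon_button` as a link target and comes from the same admin-editable site configuration; whether `icon_button` attribute-escapes that value is not visible from this hunk and is worth confirming, since an unescaped URL would otherwise reach the same table that this commit is hardening. If it does not, the URL needs the same escaping treatment as the alias. The enclosing method of `ModeActivateChanges` starts outside this hunk.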
@@ -9865,8 +9865,8 @@ class ModeDistributedMonitoring(ModeSites):
def _page_basic_settings(self, site_id, site):
- table.cell(_("ID"), site_id)
- table.cell(_("Alias"), site.get("alias", ""))
+ table.text_cell(_("ID"), site_id)
+ table.text_cell(_("Alias"), site.get("alias", ""))
def _page_livestatus_settings(self, site_id, site):
@@ -9883,27 +9883,27 @@ class ModeDistributedMonitoring(ModeSites):
# Status host
if site.get("status_host"):
sh_site, sh_host = site["status_host"]
- table.cell(_("Status host"), "%s/%s" % (sh_site, sh_host))
+ table.text_cell(_("Status host"), "%s/%s" % (sh_site, sh_host))
else:
- table.cell(_("Status host"))
+ table.text_cell(_("Status host"))
# Disabled
if site.get("disabled", False) == True:
- table.cell(_("Disabled"), "<b>%s</b>" % _("yes"))
+ table.text_cell(_("Disabled"), "<b>%s</b>" % _("yes"))
else:
- table.cell(_("Disabled"), _("no"))
+ table.text_cell(_("Disabled"), _("no"))
# Timeout
if "timeout" in site:
- table.cell(_("Timeout"), _("%d sec") % int(site["timeout"]), css="number")
+ table.text_cell(_("Timeout"), _("%d sec") % int(site["timeout"]), css="number")
else:
- table.cell(_("Timeout"), "")
+ table.text_cell(_("Timeout"), "")
# Persist
if site.get("persist", False):
- table.cell(_("Pers."), "<b>%s</b>" % _("yes"))
+ table.text_cell(_("Pers."), "<b>%s</b>" % _("yes"))
else:
- table.cell(_("Pers."), _("no"))
+ table.text_cell(_("Pers."), _("no"))
def _page_replication_configuration(self, site_id, site):
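Review bot: Moving the two `"<b>%s</b>" % _("yes")` cells (Disabled and Pers.) to `table.text_cell` presumably sends them through the same escaping the alias fix relies on, so the `<b>` wrapper will most likely be rendered literally as `<b>yes</b>` instead of as bold text. Those two values are built solely from a fixed translated string, not from site configuration, so they can stay as `table.cell(_("Disabled"), "<b>%s</b>" % _("yes"))` and `table.cell(_("Pers."), "<b>%s</b>" % _("yes"))` while the `_("no")` branches keep `text_cell`. The status host and timeout cells do carry admin-supplied values, so `text_cell` is the right choice there. The enclosing `_page_livestatus_settings` method starts outside this hunk.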
@@ -9916,7 +9916,7 @@ class ModeDistributedMonitoring(ModeSites):
repl += ", " + _("MKPs")
else:
repl = ""
- table.cell(_("Replication"), repl)
+ table.text_cell(_("Replication"), repl)
# Login-Button for Replication
table.cell(_("Login"))
Module: check_mk
Branch: master
Commit: 76a934784973429d3a0faf8fd6178df8f556c2b4
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=76a93478497342…
Author: Sven Panne <sp(a)mathias-kettner.de>
Date: Wed Jan 24 13:24:05 2018 +0100
Use pycryptodomex modules instead of pycrypto/pycryptodome ones.
This module name chaos is quite unfortunate, but we are forced to do this
because of a change in (transitive) dependency:
https://github.com/etingof/pysnmp/commit/82e594610
In detail: The current pysnmp version depends on pycryptodomex, but we use
"Crypto.Foo" modules in our code. These are gone with pycryptodomex, so we
have 3 alternatives:
* Additionally install pycrypto just for our own use: Not very attractive,
because all the functionality is already there, and having 2 different
libraries for basically identical purposes would be a bit obscure.
* Additionally install pycryptodome (without the "x"): This has the old
names, but it doesn't work when pycryptodomex is used, too. A brilliant
library design and versioning strategy... :-P
* Just switch to the new name.
We opt for the last case.
Change-Id: I527897314c476cf4cf5c6060bb19376a127c1475
---
bin/mkbackup | 6 +++---
cmk_base/data_sources/tcp.py | 2 +-
doc/treasures/livedump/livedump-mail-fetch | 6 +++---
web/htdocs/valuespec.py | 2 +-
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/bin/mkbackup b/bin/mkbackup
index c33b562..b761368 100755
--- a/bin/mkbackup
+++ b/bin/mkbackup
@@ -53,9 +53,9 @@ from tarfile import TarFile, ReadError
from hashlib import md5
from OpenSSL import crypto
-from Crypto.Cipher import AES, PKCS1_OAEP
-from Crypto.PublicKey import RSA
-import Crypto.Util.number
+from Cryptodome.Cipher import AES, PKCS1_OAEP
+from Cryptodome.PublicKey import RSA
+import Cryptodome.Util.number
try:
import simplejson as json
diff --git a/cmk_base/data_sources/tcp.py b/cmk_base/data_sources/tcp.py
index 215d58b..5b0d02c 100644
--- a/cmk_base/data_sources/tcp.py
+++ b/cmk_base/data_sources/tcp.py
@@ -146,7 +146,7 @@ class TCPDataSource(CheckMKAgentDataSource):
def _decrypt_package(self, encrypted_pkg, encryption_key):
- from Crypto.Cipher import AES
+ from Cryptodome.Cipher import AES
from hashlib import md5
unpad = lambda s : s[0:-ord(s[-1])]
diff --git a/doc/treasures/livedump/livedump-mail-fetch b/doc/treasures/livedump/livedump-mail-fetch
index d681d38..92ac8a6 100755
--- a/doc/treasures/livedump/livedump-mail-fetch
+++ b/doc/treasures/livedump/livedump-mail-fetch
@@ -33,9 +33,9 @@ encrypt = None
if encrypt:
from base64 import b64decode
- from Crypto import Random
- from Crypto.Hash import MD5
- from Crypto.Cipher import AES
+ from Cryptodome import Random
+ from Cryptodome.Hash import MD5
+ from Cryptodome.Cipher import AES
M = poplib.POP3_SSL(pop_server)
M.user(pop_user)
diff --git a/web/htdocs/valuespec.py b/web/htdocs/valuespec.py
index c444209..4bf8b33 100644
--- a/web/htdocs/valuespec.py
+++ b/web/htdocs/valuespec.py
@@ -42,7 +42,7 @@ import socket
import ipaddress
from lib import *
import cmk.defines as defines
-from Crypto.PublicKey import RSA
+from Cryptodome.PublicKey import RSA
try:
import simplejson as json