Module: check_mk
Branch: master
Commit: 5416397199adf777de261cdaa8880138b83e1706
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=5416397199adf7…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Nov 12 14:15:08 2014 +0100
SEC: Replaced insecure auth.secret mechanism
---
.werks/1069 | 25 +++++++++++++++++++++++++
ChangeLog | 2 ++
web/htdocs/lib.py | 14 ++++++++++++++
web/htdocs/login.py | 12 ++++++++----
web/htdocs/wato.py | 12 +-----------
5 files changed, 50 insertions(+), 15 deletions(-)
diff --git a/.werks/1069 b/.werks/1069
new file mode 100644
index 0000000..86467f7
--- /dev/null
+++ b/.werks/1069
@@ -0,0 +1,25 @@
+Title: Replaced insecure auth.secret mechanism
+Level: 2
+Component: multisite
+Compatible: incomp
+Version: 1.2.5i7
+Date: 1415797737
+Class: security
+
+We replaced a insecure mechanism of generating the auth.secret which
+is used during construction of the authentication cookies when a user
+logs into the Check_MK Web GUI to make the authentication cookie only
+valid for an individual site or a group of sites connected in a
+distributed setup.
+
+What you have to know about:
+
+When the first user accesses the Web GUI after the update to this version,
+all currently valid auth cookies of all users will be invalidated. As a
+result all users will need to login again.
+
+In distributed setups you will also need to do a replication from the
+master site (which generated a new secret) to all slave sites (which
+generated another secret themselfs). The replication will synchronize
+the new secret of the master to all slaves which should make the
+transparent authentication between all sites work again.
diff --git a/ChangeLog b/ChangeLog
index 9cf93bd..9cf34d9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,8 @@
* 1493 Added config option "Default filter group" to set the initial network topology view filter...
* 1497 Implemented password policy capabilities for local users...
* 1499 SEC: Fixed XSS injections in different places...
+ * 1069 SEC: Replaced insecure auth.secret mechanism...
+ NOTE: Please refer to the migration notes!
* 1164 FIX: Fixed links from servicegroup overviews to single servicegroups
* 1166 FIX: Also prevting stylesheet update issues during version updates (just like for JS files)
* 1481 FIX: Fix broken layout of Host-, Service- and Contactgroup filters
diff --git a/web/htdocs/lib.py b/web/htdocs/lib.py
index 3477ca1..64bde40 100644
--- a/web/htdocs/lib.py
+++ b/web/htdocs/lib.py
@@ -133,6 +133,20 @@ except:
a.sort()
return a
+# We should use /dev/random here for cryptographic safety. But
+# that involves the great problem that the system might hang
+# because of loss of entropy. So we hope /dev/urandom is enough.
+# Furthermore we filter out non-printable characters. The byte
+# 0x00 for example does not make it through HTTP and the URL.
+def get_random_string(size):
+ secret = ""
+ urandom = file("/dev/urandom")
+ while len(secret) < size:
+ c = urandom.read(1)
+ if ord(c) >= 48 and ord(c) <= 90:
+ secret += c
+ return secret
+
# Generates a unique id
def gen_id():
try:
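Review bot: The header comment says only non-printable characters are filtered out, but the `ord(c) >= 48 and ord(c) <= 90` test keeps just bytes 0x30–0x5A (digits, `:;<=>?@` and A–Z, a 43-symbol alphabet), and it is that alphabet rather than `size` that fixes the entropy per character (about 5.4 bits), which callers choosing `size` need to know; a comment next to the condition such as `# keeps only 0x30-0x5A (0-9, ':;<=>?@', A-Z): 43 symbols, ~5.4 bits of entropy each` would document it. The /dev/urandom handle opened with `file()` is never closed explicitly; on an interpreter that supports it, `with open("/dev/urandom", "rb") as urandom:` releases it deterministically. Each candidate byte also costs one `read(1)` syscall; reading a chunk and filtering it would be cheaper with the same output distribution, which matters for the 256-byte caller in login.py.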
diff --git a/web/htdocs/login.py b/web/htdocs/login.py
index e7007e8..13a81bf 100644
--- a/web/htdocs/login.py
+++ b/web/htdocs/login.py
@@ -50,7 +50,6 @@ def site_cookie_name(site_id = None):
# Reads the auth secret from a file. Creates the files if it does
# not exist. Having access to the secret means that one can issue valid
# cookies for the cookie auth.
-# FIXME: Secret auch replizieren
def load_secret():
secret_path = '%s/auth.secret' % os.path.dirname(defaults.htpasswd_file)
secret = ''
@@ -58,9 +57,14 @@ def load_secret():
secret = file(secret_path).read().strip()
# Create new secret when this installation has no secret
- if secret == '':
- secret = md5(str(time.time())).hexdigest()
- file(secret_path, 'w').write(secret + "\n")
+ #
+ # In past versions we used another bad approach to generate a secret. This
+ # checks for such secrets and creates a new one. This will invalidate all
+ # current auth cookies which means that all logged in users will need to
+ # renew their login after update.
+ if secret == '' or len(secret) == 32:
+ secret = get_random_string(256)
+ file(secret_path, 'w').write(secret)
return secret
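Review bot: The new secret is written with `file(secret_path, 'w').write(secret)`, which creates auth.secret with whatever the process umask allows; since the comment above this function states that anyone who can read the secret can forge auth cookies, the file should be created owner-readable only, e.g. `fd = os.open(secret_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)`, `os.write(fd, secret)`, `os.close(fd)` (the mode applies only on creation, so a pre-existing file would still need an explicit `os.chmod`). The `len(secret) == 32` migration test relies on the old md5 hexdigest always being 32 characters; a hand-provisioned 32-character secret would be silently replaced as well, which is worth stating in the comment. The handle returned by `file(...)` is also never closed explicitly. load_secret starts above this hunk.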
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 08fcac2..aef5840 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -11029,17 +11029,7 @@ def get_login_secret(create_on_demand = False):
except:
if not create_on_demand:
return None
- # We should use /dev/random here for cryptographic safety. But
- # that involves the great problem that the system might hang
- # because of loss of entropy. So we hope /dev/urandom is enough.
- # Furthermore we filter out non-printable characters. The byte
- # 0x00 for example does not make it through HTTP and the URL.
- secret = ""
- urandom = file("/dev/urandom")
- while len(secret) < 32:
- c = urandom.read(1)
- if ord(c) >= 48 and ord(c) <= 90:
- secret += c
+ secret = get_random_string(32)
write_settings_file(path, secret)
return secret
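Review bot: `secret = get_random_string(32)` now depends on the lib.py helper being in wato.py's namespace, and nothing in this hunk imports it, so this presumably relies on a star import of lib elsewhere in the file — worth confirming, because the create_on_demand path that exercises it is the rarely-run one and a NameError there would only surface on first use. The removed comment explained why /dev/urandom and a printable subset are used; a one-line pointer such as `# 32 chars from get_random_string's 43-symbol alphabet, see lib.py` would keep the length choice understandable at the call site. get_login_secret starts above the hunk.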
Module: check_mk
Branch: master
Commit: b585e03dd7042a77d9dc641c4833ce45b776d5e4
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=b585e03dd7042a…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Nov 12 15:38:13 2014 +0100
#1500 SEC Preventing livestatus injections in different places
In some places strings provided by the users, e.g. by filling values into a form,
are used to construct livestatus queries. This is, for example, done when filtering
views or executing commands.
Previous versions used the strings provided by the user directly, without
escaping or filtering characters, which could lead to trouble. This has
been fixed now. The strings provided by the user are now filtered before using
them in livestatus queries.
For the moment the only implemented action is to remove all newline (\n) characters
from the values to prevent injections of non intended livestatus queries / commands.
---
.werks/1500 | 17 +++++++++++++++++
ChangeLog | 1 +
web/htdocs/actions.py | 8 ++++----
web/htdocs/lib.py | 9 +++++++++
web/htdocs/logwatch.py | 2 +-
web/htdocs/prediction.py | 2 +-
web/plugins/sidebar/search.py | 10 +++++-----
web/plugins/views/commands.py | 13 +++++--------
web/plugins/visuals/filters.py | 24 ++++++++++++------------
9 files changed, 55 insertions(+), 31 deletions(-)
Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=b585e03dd7…
Module: check_mk
Branch: master
Commit: 75336537a3a119898aebc055347133e0ed2d27e4
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=75336537a3a119…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Nov 12 11:56:46 2014 +0100
#1498 FIX Fixed displaying of global settings titles / help texts
Some titles were not displayed correctly or the help texts were
missing. This is fixed now.
---
.werks/1498 | 11 +++++++++++
ChangeLog | 1 +
web/htdocs/wato.py | 2 +-
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/.werks/1498 b/.werks/1498
new file mode 100644
index 0000000..01cc8a9
--- /dev/null
+++ b/.werks/1498
@@ -0,0 +1,11 @@
+Title: Fixed displaying of global settings titles / help texts
+Level: 1
+Component: wato
+Class: fix
+Compatible: compat
+State: unknown
+Version: 1.2.5i7
+Date: 1415789769
+
+Some titles were not displayed correctly or the help texts were
+missing. This is fixed now.
diff --git a/ChangeLog b/ChangeLog
index 4e23505..d92276f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -50,6 +50,7 @@
* 1490 FIX: Timperiod excludes can now even be configured when creating a timeperiod...
* 1491 FIX: Fixed bug in dynamic lists where removing an item was not always possible...
* 1492 FIX: Fixed too long URL bug when deleting a timeperiod right after creating one
+ * 1498 FIX: Fixed displaying of global settings titles / help texts...
Notifications:
* 1168 FIX: HTML mails can now be configured to display graphs among each other...
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 3af6b8b..08fcac2 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -7396,7 +7396,7 @@ def render_global_configuration_variables(default_values, current_settings, show
help_text = type(valuespec.help()) == unicode and valuespec.help().encode("utf-8") or valuespec.help() or ''
title_text = type(valuespec.title()) == unicode and valuespec.title().encode("utf-8") or valuespec.title()
title = '<a href="%s" class=%s title="%s">%s</a>' % \
- (edit_url, varname in current_settings and "modified" or "",
+ (edit_url, varname in current_settings and '"modified"' or '""',
html.strip_tags(help_text), title_text)
if varname in current_settings:
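Review bot: The fix puts the attribute quotes into the format arguments (`'"modified"'` / `'""'`) while the template still reads `class=%s`; quoting in the template instead, `class="%s"` with arguments `"modified"` and `""`, reads more clearly and keeps the markup shape visible where the HTML is written. The same statement also interpolates `html.strip_tags(help_text)` into `title="%s"` and `title_text` into the element body; unless `strip_tags` also escapes `"` and `<`, a help text containing a double quote breaks out of the attribute, which is worth confirming while this statement is being touched. render_global_configuration_variables starts above the hunk.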
Module: check_mk
Branch: master
Commit: 214a650973143c11a61607e5bf307e6575fc152f
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=214a650973143c…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Wed Nov 12 10:04:08 2014 +0100
Allow hostname to be True in rule executor
---
modules/check_mk.py | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/modules/check_mk.py b/modules/check_mk.py
index 51916c0..f37deaf 100755
--- a/modules/check_mk.py
+++ b/modules/check_mk.py
@@ -1674,6 +1674,8 @@ def host_extra_conf(hostname, conf):
else:
raise MKGeneralException("Invalid entry '%r' in host configuration list: must have 2 or 3 entries" % (entry,))
+ # Note: hostname may be True. This is an unknown generic host, that has
+ # no tags and that does not match any positive criteria in any rule.
if hosttags_match_taglist(tags_of_host(hostname), tags) and \
in_extraconf_hostlist(hostlist, hostname):
items.append(item)
@@ -1887,8 +1889,8 @@ def in_extraconf_hostlist(hostlist, hostname):
try:
if not use_regex and hostname == hostentry:
return not negate
- # Handle Regex
- elif use_regex and regex(hostentry).match(hostname):
+ # Handle Regex. Note: hostname == True -> generic unknown host
+ elif use_regex and hostname != True and regex(hostentry).match(hostname):
return not negate
except MKGeneralException:
if opt_debug:
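Review bot: `hostname != True` on the new elif uses equality for what the comment describes as a sentinel check, and since `1 != True` is False, any value comparing equal to True would be treated as the generic unknown host; `elif use_regex and hostname is not True and regex(hostentry).match(hostname):` is the identity test that matches the intent. The same convention is documented only by the comment added in the first hunk (host_extra_conf); naming the sentinel once instead of spreading bare `True` across both functions would make it harder to break. in_extraconf_hostlist starts above this hunk and continues below it.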
Module: check_mk
Branch: master
Commit: 8558bc7b666011ad0f6793453ed2ed076b049edb
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=8558bc7b666011…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Nov 11 16:14:49 2014 +0100
#1497 Implemented password policy capabilities for local users
Local (htpasswd) users can now be forced to change their passwords.
Existing user sessions will be invalidated, the user will be logged off,
needs to log in again and must change the password afterwards. This can be
set in the user profile.
A password policy can now be configured for globally all local users
which can enforce the users to choose passwords of a minimal length
which are using at least X character groups.
It is also possible to define a maximum age for passwords, after which
the user needs to change the password.
---
.werks/1497 | 19 +++
ChangeLog | 1 +
web/htdocs/index.py | 4 +-
web/htdocs/login.py | 30 ++--
web/htdocs/userdb.py | 52 +++++--
web/htdocs/wato.py | 203 +++++++++++++++++++---------
web/plugins/config/builtin.py | 1 +
web/plugins/pages/wato.py | 1 +
web/plugins/wato/check_mk_configuration.py | 32 +++++
9 files changed, 250 insertions(+), 93 deletions(-)
Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=8558bc7b66…
Module: check_mk
Branch: master
Commit: 6ee5eaaed50494d6036b4ca8cca7d0af0c4ec031
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=6ee5eaaed50494…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Tue Nov 11 14:09:28 2014 +0100
Updated bug entries #2223
---
.bugs/2223 | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/.bugs/2223 b/.bugs/2223
new file mode 100644
index 0000000..0efcc53
--- /dev/null
+++ b/.bugs/2223
@@ -0,0 +1,10 @@
+Title: SNMPv3 garbles cmk -D and also WATO dialog
+Component: core
+State: open
+Date: 2014-11-11 14:08:30
+Targetversion: 1.2.5i1
+Class: nastiness
+
+Hosts with SNMPv3 are not properly displayed in cmk -D. Also
+in the WATO host dialog the str(...) of the 4/6-tuple of the
+v3 settings is being displayed as a string.