Branch: refs/heads/1.6.0
Home:
https://github.com/tribe29/checkmk
Commit: 4ea2dab71a0a71d2a1cd093d4caed526bed62cb6
https://github.com/tribe29/checkmk/commit/4ea2dab71a0a71d2a1cd093d4caed526b…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2020-08-17 (Mon, 17 Aug 2020)
Changed paths:
M cmk/gui/valuespec.py
M cmk/utils/regex.py
Log Message:
-----------
Use central regex compilation and centralize host regex
Change-Id: Idafd284d851830978ad83477ca9ddc5aa610fa80
Commit: 3f68113adbb598b31523f23409539ae0ee63c2a6
https://github.com/tribe29/checkmk/commit/3f68113adbb598b31523f23409539ae0e…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2020-08-17 (Mon, 17 Aug 2020)
Changed paths:
A .werks/11263
M cmk_base/data_sources/abstract.py
Log Message:
-----------
11263 SEC Fix piggyback path traversal
In previous versions it was possible to create files in the querying
Checkmk site by modifying or extending an agent on a monitored system.
So an attacker who gained rights on a monitored system to extend the
agent could create and modify files in the monitoring Checkmk site with
certain modifications of the agent. The creation or modification of
files in the Checkmk site was done with rights of the Checkmk site user.
This problem is now solved by a better validation of hostnames of
piggybacked hosts. With this change only these characters are allowed in
Piggybacked hostnames: <tt>0-9a-zA-Z_.-</tt>. These are exactly the same
characters that Checkmk normally allows when creating hostnames. A
special feature of Piggyback hostnames is that all illegal hostnames are
replaced by "_".
This change means that Piggyback hosts created with now invalid
characters will have to be created differently after this change so that
they can continue to be monitored.
Change-Id: I36e37d8eb15ccb0b92792eac84eefc56efd52d96
Compare:
https://github.com/tribe29/checkmk/compare/2f5012e5401a...3f68113adbb5
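
The hostname validation described in werk 11263, sketched as an added example; this is not code from the Checkmk commit. The function names, the base directory and the `<piggybacked host>/<source host>` layout are assumptions, and the dot-only and containment checks are generic precautions added here, not taken from the commit.

```python
import re
from pathlib import Path

# Allow-list stated in the werk: 0-9a-zA-Z_.-
_INVALID_CHARS = re.compile(r"[^0-9a-zA-Z_.-]")


def sanitize_piggyback_hostname(raw: str) -> str:
    """Replace every character outside the allow-list with "_"."""
    return _INVALID_CHARS.sub("_", raw)


def piggyback_file_path(base_dir: Path, raw_hostname: str, source_host: str) -> Path:
    """Return the file path for a piggybacked host's data below base_dir.

    Hypothetical helper: base_dir and the directory layout are assumptions.
    """
    name = sanitize_piggyback_hostname(raw_hostname)
    # "." is an allowed character, so a name made only of dots (or an empty
    # name) is rejected before it is used as a path component.
    if not name.strip("."):
        raise ValueError("invalid piggyback hostname: %r" % raw_hostname)
    base = base_dir.resolve()
    target = (base / name / sanitize_piggyback_hostname(source_host)).resolve()
    # Final containment check: the resolved path must stay below base.
    if base not in target.parents:
        raise ValueError("path escapes piggyback directory: %r" % raw_hostname)
    return target


if __name__ == "__main__":
    # Constructed sample section names, as an agent might report them.
    for sample in ["web01.example", "../../etc/cron.d/x", "db server#1", ".."]:
        try:
            print(sample, "->", piggyback_file_path(Path("/tmp/piggyback"), sample, "src01"))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```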