[checkmk-commits] Check_MK Git: check_mk: WATO: Fixed some input validation problems in snapshot module

Module: check_mk Branch: master Commit: 053b7cd7a52c0c482c5bf45f9caabb6e72738716 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=053b7cd7a52c0c… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Fri Oct 11 11:32:42 2013 +0200 WATO: Fixed some input validation problems in snapshot module * FIX: Fixed some output encoding problem in snapshot restore / deletion code * FIX: Improved user provided variable validation in snapshot handling code Conflicts: web/htdocs/wato.py --- ChangeLog | 2 ++ web/htdocs/wato.py | 35 ++++++++++++++++++++--------------- 2 files changed, 22 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0a841b6..d5d8e10 100644 --- a/ChangeLog +++ b/ChangeLog @@ -465,6 +465,8 @@ of a distributed WATO setup * FIX: avoid Python exception for invalid parameters even in debug mode * FIX: check_ldap: Removed duplicate "-H" definition + * FIX: Fixed some output encoding problem in snapshot restore / deletion code + * FIX: Improved user provided variable validation in snapshot handling code Event Console: * FIX: apply rewriting of application/hostname also when cancelling events diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py index 208afaf..14a4dc1 100644 --- a/web/htdocs/wato.py +++ b/web/htdocs/wato.py @@ -5197,19 +5197,23 @@ def mode_snapshot(phase): make_action_link([("mode", "snapshot"),("_factory_reset","Yes")]), "factoryreset") return - elif phase == "action": + snapshots = [] + if os.path.exists(snapshot_dir): + for f in os.listdir(snapshot_dir): + snapshots.append(f) + snapshots.sort(reverse=True) + + if phase == "action": if html.has_var("_download_file"): download_file = html.var("_download_file") - if not download_file.startswith('wato-snapshot') and download_file != 'latest': - raise MKUserError(None, _("Invalid download file specified.")) # Find the latest snapshot file if download_file == 'latest': - snapshots = os.listdir(snapshot_dir) - snapshots.sort() if not snapshots: return False download_file = snapshots[-1] + elif download_file not in snapshots: + raise MKUserError(None, _("Invalid download file specified.")) download_path = os.path.join(snapshot_dir, download_file) if os.path.exists(download_path): @@ -5238,9 +5242,13 @@ def mode_snapshot(phase): # delete file elif html.has_var("_delete_file"): delete_file = html.var("_delete_file") + + if delete_file not in snapshots: + raise MKUserError(None, _("Invalid file specified.")) + c = wato_confirm(_("Confirm deletion of snapshot"), _("Are you sure you want to delete the snapshot <br><br>%s?") % - delete_file + htmllib.attrencode(delete_file) ) if c: os.remove(os.path.join(snapshot_dir, delete_file)) @@ -5251,14 +5259,18 @@ def mode_snapshot(phase): # restore snapshot elif html.has_var("_restore_snapshot"): snapshot_file = html.var("_restore_snapshot") + + if snapshot_file not in snapshots: + raise MKUserError(None, _("Invalid file specified.")) + c = wato_confirm(_("Confirm restore snapshot"), _("Are you sure you want to restore the snapshot <br><br>%s ?") % - snapshot_file + htmllib.attrencode(snapshot_file) ) if c: multitar.extract_from_file(snapshot_dir + snapshot_file, backup_paths) log_pending(SYNCRESTART, None, "snapshot-restored", - _("Restored snapshot %s") % snapshot_file) + _("Restored snapshot %s") % htmllib.attrencode(snapshot_file)) return None, _("Successfully restored snapshot.") elif c == False: # not yet confirmed return "" @@ -5278,13 +5290,6 @@ def mode_snapshot(phase): return None else: - snapshots = [] - if os.path.exists(snapshot_dir): - for f in os.listdir(snapshot_dir): - snapshots.append(f) - snapshots.sort(reverse=True) - - table.begin("snapshots", _("Snapshots"), empty_text=_("There are no snapshots available.")) for name in snapshots: table.row()