Module: check_mk
Branch: master
Commit: 053b7cd7a52c0c482c5bf45f9caabb6e72738716
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=053b7cd7a52c0c…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Oct 11 11:32:42 2013 +0200
WATO: Fixed some input validation problems in snapshot module
* FIX: Fixed some output encoding problem in snapshot restore / deletion code
* FIX: Improved user provided variable validation in snapshot handling code
Conflicts:
web/htdocs/wato.py
---
ChangeLog | 2 ++
web/htdocs/wato.py | 35 ++++++++++++++++++++---------------
2 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 0a841b6..d5d8e10 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -465,6 +465,8 @@
of a distributed WATO setup
* FIX: avoid Python exception for invalid parameters even in debug mode
* FIX: check_ldap: Removed duplicate "-H" definition
+ * FIX: Fixed some output encoding problem in snapshot restore / deletion code
+ * FIX: Improved user provided variable validation in snapshot handling code
Event Console:
* FIX: apply rewriting of application/hostname also when cancelling events
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 208afaf..14a4dc1 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -5197,19 +5197,23 @@ def mode_snapshot(phase):
make_action_link([("mode",
"snapshot"),("_factory_reset","Yes")]),
"factoryreset")
return
- elif phase == "action":
+ snapshots = []
+ if os.path.exists(snapshot_dir):
+ for f in os.listdir(snapshot_dir):
+ snapshots.append(f)
+ snapshots.sort(reverse=True)
+
+ if phase == "action":
if html.has_var("_download_file"):
download_file = html.var("_download_file")
- if not download_file.startswith('wato-snapshot') and download_file !=
'latest':
- raise MKUserError(None, _("Invalid download file specified."))
# Find the latest snapshot file
if download_file == 'latest':
- snapshots = os.listdir(snapshot_dir)
- snapshots.sort()
if not snapshots:
return False
download_file = snapshots[-1]
+ elif download_file not in snapshots:
+ raise MKUserError(None, _("Invalid download file specified."))
download_path = os.path.join(snapshot_dir, download_file)
if os.path.exists(download_path):
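Review bot: The `latest` download now serves the oldest snapshot instead of the newest: the list built at the top of the hunk is sorted with `reverse=True` (this branch previously sorted it ascending), so `download_file = snapshots[-1]` picks the lexicographically smallest name; it should read `download_file = snapshots[0]`. Separately, the removed `wato-snapshot` prefix test means the new membership check accepts any entry of snapshot_dir, including non-snapshot files and subdirectories, and the delete and restore hunks below inherit the same list; filtering inside the listdir loop, e.g. `if f.startswith('wato-snapshot'):` before the `append`, would keep the earlier guarantee while still rejecting any name containing a path separator. mode_snapshot begins before this hunk and continues after it.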
@@ -5238,9 +5242,13 @@ def mode_snapshot(phase):
# delete file
elif html.has_var("_delete_file"):
delete_file = html.var("_delete_file")
+
+ if delete_file not in snapshots:
+ raise MKUserError(None, _("Invalid file specified."))
+
c = wato_confirm(_("Confirm deletion of snapshot"),
_("Are you sure you want to delete the snapshot
<br><br>%s?") %
- delete_file
+ htmllib.attrencode(delete_file)
)
if c:
os.remove(os.path.join(snapshot_dir, delete_file))
@@ -5251,14 +5259,18 @@ def mode_snapshot(phase):
# restore snapshot
elif html.has_var("_restore_snapshot"):
snapshot_file = html.var("_restore_snapshot")
+
+ if snapshot_file not in snapshots:
+ raise MKUserError(None, _("Invalid file specified."))
+
c = wato_confirm(_("Confirm restore snapshot"),
_("Are you sure you want to restore the snapshot
<br><br>%s ?") %
- snapshot_file
+ htmllib.attrencode(snapshot_file)
)
if c:
multitar.extract_from_file(snapshot_dir + snapshot_file, backup_paths)
log_pending(SYNCRESTART, None, "snapshot-restored",
- _("Restored snapshot %s") % snapshot_file)
+ _("Restored snapshot %s") %
htmllib.attrencode(snapshot_file))
return None, _("Successfully restored snapshot.")
elif c == False: # not yet confirmed
return ""
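Review bot: The audit message at the end of the hunk is HTML-entity-encoded before it reaches `log_pending`, so the stored log text now contains the escaped form of the file name; if that log is later rendered through a layer that escapes again, the name will appear double-escaped, whereas if it is rendered raw the encoding belongs here — the hunk does not show which, so this should be checked against how log_pending entries are displayed. After the membership check added at the top of the hunk, `snapshot_file` can only be an existing entry of snapshot_dir, so the escaping in the confirm dialog is the one that protects the response body. mode_snapshot starts before this hunk and continues beyond it.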
@@ -5278,13 +5290,6 @@ def mode_snapshot(phase):
return None
else:
- snapshots = []
- if os.path.exists(snapshot_dir):
- for f in os.listdir(snapshot_dir):
- snapshots.append(f)
- snapshots.sort(reverse=True)
-
-
table.begin("snapshots", _("Snapshots"),
empty_text=_("There are no snapshots available."))
for name in snapshots:
table.row()