Module: check_mk
Branch: master
Commit: b585e03dd7042a77d9dc641c4833ce45b776d5e4
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=b585e03dd7042a…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Nov 12 15:38:13 2014 +0100
#1500 SEC Preventing livestatus injections in different places
In some places strings provided by the users, e.g. by filling values into a form,
are used to construct livestatus queries. This is, for example, done when filtering
views or executing commands.
Previous versions were directly using the strings provided by the user without
escaping or filtering characters which could lead to some trouble. This has
been fixed now. The strings provided by the user are now filtered before using
them in livestatus queries.
For the moment the only implemented action is to remove all newline (\n) characters
from the values to prevent injections of non-intended livestatus queries / commands.
---
.werks/1500 | 17 +++++++++++++++++
ChangeLog | 1 +
web/htdocs/actions.py | 8 ++++----
web/htdocs/lib.py | 9 +++++++++
web/htdocs/logwatch.py | 2 +-
web/htdocs/prediction.py | 2 +-
web/plugins/sidebar/search.py | 10 +++++-----
web/plugins/views/commands.py | 13 +++++--------
web/plugins/visuals/filters.py | 24 ++++++++++++------------
9 files changed, 55 insertions(+), 31 deletions(-)
Diff:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=b585e03dd7…
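Worked example of the injection class this werk addresses, written for this page and not taken from check_mk's code. Livestatus is a line-oriented protocol: a "COMMAND [timestamp] ..." line is a complete request by itself, and a "GET table" query runs until the first empty line, so a newline inside a user value can terminate the current request and start another one. The builder functions below show the pre-fix pattern (raw value) next to the post-fix pattern (newlines removed); the helper names (lqencode, ack_command_unsafe, split_requests, ...), the sample host/service names and the malicious values are all constructed for the demo, and split_requests is only a minimal model of how livestatus reads requests, not its real parser.

```python
# Added example (not check_mk's own code) of livestatus newline injection and
# the newline-stripping filter described in werk #1500.

# Constructed sample inputs (not from the page).
BENIGN_COMMENT = "restart scheduled"
MALICIOUS_COMMENT = "restart scheduled\nCOMMAND [1415800000] DISABLE_NOTIFICATIONS"
MALICIOUS_HOST = "srv1\n\nGET services\nColumns: description"


def lqencode(value):
    # Strip every newline so a user value can never end the current request
    # line. This is the one action the commit message describes; the function
    # name is assumed for this example.
    return value.replace("\n", "")


def ack_command_unsafe(host, service, author, comment, now=1415800000):
    # Pre-fix pattern: user-controlled values pasted straight into the
    # external command line (Nagios ACKNOWLEDGE_SVC_PROBLEM syntax).
    return "COMMAND [%d] ACKNOWLEDGE_SVC_PROBLEM;%s;%s;1;1;1;%s;%s\n" % (
        now, host, service, author, comment)


def ack_command_safe(host, service, author, comment, now=1415800000):
    # Post-fix pattern: every user-controlled value passes through lqencode.
    return "COMMAND [%d] ACKNOWLEDGE_SVC_PROBLEM;%s;%s;1;1;1;%s;%s\n" % (
        now, lqencode(host), lqencode(service), lqencode(author),
        lqencode(comment))


def host_filter_query(host_name, encode=lqencode):
    # View filter turned into a GET query; pass encode=lambda s: s to get the
    # pre-fix behaviour.
    return "GET hosts\nColumns: name state\nFilter: name = %s\n\n" % encode(host_name)


def split_requests(data):
    # Minimal model of livestatus request framing (assumption, not the real
    # parser): a "COMMAND " line is one request; a "GET " line opens a query
    # that ends at the first empty line.
    requests = []
    current = []
    for line in data.split("\n"):
        if not current and line.startswith("COMMAND "):
            requests.append([line])
        elif not current and line.startswith("GET "):
            current = [line]
        elif current:
            if line == "":
                requests.append(current)
                current = []
            else:
                current.append(line)
    if current:
        requests.append(current)
    return requests


def commands_in(data):
    # Names of the external commands that would be forwarded to the core.
    names = []
    for request in split_requests(data):
        head = request[0]
        if head.startswith("COMMAND "):
            body = head.split("] ", 1)[1]
            names.append(body.split(";", 1)[0])
    return names


if __name__ == "__main__":
    unsafe = ack_command_unsafe("srv1", "CPU load", "admin", MALICIOUS_COMMENT)
    safe = ack_command_safe("srv1", "CPU load", "admin", MALICIOUS_COMMENT)
    print("unsafe:", commands_in(unsafe))   # two commands, one injected
    print("safe:  ", commands_in(safe))     # only the intended acknowledgement
    print("unsafe query requests:",
          len(split_requests(host_filter_query(MALICIOUS_HOST, encode=lambda s: s))))
    print("safe query requests:  ",
          len(split_requests(host_filter_query(MALICIOUS_HOST))))
```

In the unsafe variant the comment smuggles a second COMMAND line that the core would execute as its own request; after lqencode the same text survives only as a harmless part of the comment field, and the multi-line host value collapses into a single Filter line. Note what the filter does and does not do: it removes "\n" only, exactly as the werk states, so characters that a downstream parser treats as separators within one line (for Nagios external commands, the ';' between arguments) pass through unchanged and need their own handling where that matters.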