Module: check_mk
Branch: master
Commit: 9bfa7c465196b54659d760aef35b06280e2184c6
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9bfa7c465196b5…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Sep 17 13:55:00 2018 +0200
6619 SEC Fixed missing CSRF protection for master control AJAX calls
The AJAX calls used by the master control snapin were not correctly using
CSRF tokens to protect logged in users against malicious links that could
trigger actions.
CMK-963
Change-Id: Ib13033f472728f00041038c80eac1b43d785bb43
---
.werks/6619 | 14 ++++++++++++++
cmk/gui/plugins/sidebar/master_control.py | 11 +++++++++--
2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/.werks/6619 b/.werks/6619
new file mode 100644
index 0000000..2dd1482
--- /dev/null
+++ b/.werks/6619
@@ -0,0 +1,14 @@
+Title: Fixed missing CSRF protection for master control AJAX calls
+Level: 1
+Component: multisite
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1537185238
+Class: security
+
+The AJAX calls used by the master control snapin were not correctly using
+CSRF tokens to protect logged in users against malicious links that could
+trigger actions.
+
+CMK-963
diff --git a/cmk/gui/plugins/sidebar/master_control.py
b/cmk/gui/plugins/sidebar/master_control.py
index 319c573..bc6bc35 100644
--- a/cmk/gui/plugins/sidebar/master_control.py
+++ b/cmk/gui/plugins/sidebar/master_control.py
@@ -105,7 +105,11 @@ class MasterControlSnapin(SidebarSnapin):
continue
colvalue = site_info[i]
- url = config.url_prefix() +
("check_mk/switch_master_state.py?site=%s&switch=%s&state=%d" %
(site_id, colname, 1 - colvalue))
+ url = html.makeactionuri_contextless([
+ ("site", site_id),
+ ("switch", colname),
+ ("state", "%d" % (1 - colvalue)),
+ ], filename="switch_master_state.py")
onclick = "get_url('%s', updateContents,
'snapin_master_control')" % url
html.open_tr()
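Review bot: The replaced url line gives the reader no hint why `config.url_prefix() + "check_mk/switch_master_state.py?..."` became `html.makeactionuri_contextless([...], filename="switch_master_state.py")`; nothing in this loop shows that the only purpose of the new call is to attach the transaction id that `html.check_transaction()` in `_ajax_switch_masterstate` now enforces, so a comment such as `# makeactionuri_contextless attaches the transaction id that _ajax_switch_masterstate checks via html.check_transaction()` would tie the two halves of the fix together. The method enclosing this loop starts before the hunk; only the class name `MasterControlSnapin` is visible in the `@@` line. Because the url is then interpolated into the inline `onclick` string on the following lines, the token ends up in the snapin markup, so if transaction ids are single-use the snapin has to be re-rendered after every call for the next click to pass `check_transaction()` — the `updateContents` callback on `snapin_master_control` appears to do that, but it is worth confirming. The `"%d" % (1 - colvalue)` formatting is unchanged from the old line and still assumes `site_info[i]` is an int; if that is not guaranteed, converting explicitly before formatting would avoid a TypeError while rendering the snapin.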
@@ -175,11 +179,14 @@ div.snapin table.master_control td img.iconbutton {
def _ajax_switch_masterstate(self):
- html.set_output_format("json")
+ html.set_output_format("text")
if not config.user.may("sidesnap.master_control"):
return
+ if not html.check_transaction():
+ return
+
site = html.var("site")
column = html.var("switch")
state = int(html.var("state"))