Module: check_mk
Branch: master
Commit: 3f41427c6e6f2260c03dd72b63927aed8a73f2fb
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=3f41427c6e6f22…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Apr 17 16:54:16 2012 +0200
FIX: Using pickle instead of repr/eval when reading data structures from
urls to prevent too big security issues
---
ChangeLog | 2 ++
web/htdocs/wato.py | 30 +++++++++++++++++++++---------
2 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 9eb5eba..083c409 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,8 @@
* FIX: Only showing sudo hint message on sudo error message in automation
command
* FIX: Fixed js eror in IE7 on WATO host edit page
+ * FIX: Using pickle instead of repr/eval when reading data structures from
+ urls to prevent too big security issues
Multisite
* Added config option default_ts_format to configure default timestamp
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 7b316b1..708428a 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -107,7 +107,7 @@
# `----------------------------------------------------------------------'
import sys, pprint, socket, re, subprocess, time, datetime, \
- shutil, tarfile, StringIO, math, fcntl
+ shutil, tarfile, StringIO, math, fcntl, pickle
import config, htmllib, multitar
from lib import *
from valuespec import *
@@ -2051,7 +2051,7 @@ def show_service_table(host, firsttime):
url = make_link([("mode", "edit_ruleset"),
("varname", varname),
("host", hostname),
- ("item", repr(item))])
+ ("item", mk_repr(item))])
try:
rulespec["valuespec"].validate_datatype(params,
"")
rulespec["valuespec"].validate_value(params,
"")
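Review bot: `("item", mk_repr(item))` now puts the output of pickle.dumps into a URL parameter; the default protocol-0 stream contains newlines and other characters that must pass through make_link's encoding and html.var's decoding unchanged, or mk_eval on the receiving side cannot parse them (make_link is not visible in this patch, so this is worth confirming). The same applies to the `("item", mk_repr(item))` lines in the mode_edit_ruleset and mode_pattern_editor hunks further down. The value is also no longer readable in the URL, which deserves a comment next to this line such as `# item is serialised with mk_repr; mode_edit_ruleset decodes it with mk_eval`. show_service_table begins before this hunk.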
@@ -6112,8 +6112,8 @@ def check_mk_remote_automation(siteid, command, args, indata):
config.site(siteid), "checkmk-automation",
[
("automation", command), # The Check_MK automation command
- ("arguments", repr(args)), # The arguments for the command
- ("indata", repr(indata)), # The input data
+ ("arguments", mk_repr(args)), # The arguments for the command
+ ("indata", mk_repr(indata)), # The input data
])
return response
@@ -6550,8 +6550,8 @@ def page_automation():
command = html.var("command")
if command == "checkmk-automation":
cmk_command = html.var("automation")
- args = eval(html.var("arguments"))
- indata = eval(html.var("indata"))
+ args = mk_eval(html.var("arguments"))
+ indata = mk_eval(html.var("indata"))
result = check_mk_local_automation(cmk_command, args, indata)
html.write(repr(result))
elif command == "push-snapshot":
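Review bot: `mk_eval(html.var("arguments"))` and `mk_eval(html.var("indata"))` still hand request-controlled strings to a parser that can run code: the mk_eval added in the last hunk uses `pickle.loads(s)` outside debug mode, and unpickling an untrusted stream constructs arbitrary objects, so the commit does not deliver the protection its message claims, while debug mode keeps the original `eval(s)`. The same applies to `item = mk_eval(html.var("item"))` in the mode_edit_ruleset hunk. Because the encoder is chosen by the sending site's config.debug (check_mk_remote_automation hunk) and the decoder by this site's, two sites with different debug settings will also fail to understand each other. Since the values are plain literals (argument lists, service items), a restricted literal parser is enough: `return ast.literal_eval(s)` in mk_eval and `return repr(s)` in mk_repr with no debug branch, plus `ast` added to the import list in the first hunk (ast.literal_eval needs Python 2.6 or later). page_automation continues past the hunk.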
@@ -8701,7 +8701,7 @@ def mode_edit_ruleset(phase):
rulespec = g_rulespecs[varname]
hostname = html.var("host", "")
if html.has_var("item"):
- item = eval(html.var("item"))
+ item = mk_eval(html.var("item"))
else:
item = NO_ITEM
@@ -8867,7 +8867,7 @@ def mode_edit_ruleset(phase):
("varname", varname),
("rulenr", rel_rulenr),
("host", hostname),
- ("item", repr(item)),
+ ("item", mk_repr(item)),
("rule_folder", folder[".path"])])
html.icon_button(edit_url, _("Edit this rule"), "edit")
rule_button("insert", _("Insert a copy of this rule into the
folder '%s'")
@@ -10119,7 +10119,7 @@ def mode_pattern_editor(phase):
("varname", varname),
("rulenr", rel_rulenr),
("host", hostname),
- ("item", repr(item)),
+ ("item", mk_repr(item)),
("rule_folder", folder[".path"])])
html.icon_button(edit_url, _("Edit this rule"), "edit")
html.write('</td></tr>\n')
@@ -10456,6 +10456,18 @@ def validate_all_hosts(hostnames, force_all = False):
# | Functions needed at various places |
# '----------------------------------------------------------------------'
+def mk_eval(s):
+ if config.debug:
+ return eval(s)
+ else:
+ return pickle.loads(s)
+
+def mk_repr(s):
+ if config.debug:
+ return repr(s)
+ else:
+ return pickle.dumps(s)
+
# Returns true when at least one folder is defined in WATO
def have_folders():
root_folder = load_folder(root_dir)