Module: check_mk
Branch: master
Commit: 9a88392d2b4b5c4d9e35e5aa23e00bb1d1661611
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9a88392d2b4b5c…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Oct 22 16:30:36 2013 +0200
FIX: Added code to prevent injection of bogus varnames
---
ChangeLog | 2 ++
web/htdocs/html_mod_python.py | 10 +++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index a91c9ce..c22bec4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -32,6 +32,8 @@
* FIX: Remove duplicate entries from Quicksearch
* FIX: Avoid timed browser reload after execution of exections
* FIX: Hosttag filter now works in service related views
+ * FIX: Added code to prevent injection of bogus varnames
+ (This might break code which uses some uncommon chars for varnames)
BI:
* FIX: Fix exception when showing BI tree in reporting time warp
diff --git a/web/htdocs/html_mod_python.py b/web/htdocs/html_mod_python.py
index a48f313..e794044 100644
--- a/web/htdocs/html_mod_python.py
+++ b/web/htdocs/html_mod_python.py
@@ -1,8 +1,10 @@
from mod_python import Cookie, util, apache
import htmllib
-import os, time, config, weblib
+import os, time, config, weblib, re
import defaults
+varname_regex = re.compile('^[\w\d_-]+$')
+
class html_mod_python(htmllib.html):
def __init__(self, req):
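Review bot: The `$` anchor in the new `varname_regex` line also matches immediately before a trailing newline, so a field name such as `'foo\n'` passes the check even though the newline is not in the allowed set; anchoring with `\Z` closes that gap. `\d` and `_` are already covered by `\w`, and the pattern should be a raw string so the backslashes are not subject to ordinary string-escape rules: `varname_regex = re.compile(r'^[\w-]+\Z')`. Whether `\w` is meant to accept non-ASCII letters depends on the re flags in use, none of which are given here; a one-line comment stating the intended character set (`# variable names: ASCII letters, digits, '_' and '-' only`) would make the policy explicit for the next maintainer.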
@@ -45,6 +47,12 @@ class html_mod_python(htmllib.html):
for field in fields.list:
varname = field.name
value = field.value
+
+ # To prevent variours injections, we only allow a defined set
+ # of characters to be used in variables
+ if not varname_regex.match(varname):
+ continue
+
# Multiple occurrance of a variable? Store in extra list dict
if varname in self.vars:
if varname in self.listvars:
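Review bot: A rejected field name is dropped silently by the `continue` after the new `varname_regex.match(varname)` check, so a client sending bogus names and a legitimate form whose field uses a now-disallowed character (the ChangeLog entry itself warns this may break existing code) are indistinguishable when debugging. If this class has access to a logger or debug facility (none is visible in the hunk), recording the rejected name there would help; otherwise a comment such as `# Rejected names are discarded without any trace; see the ChangeLog note on uncommon varname chars` documents the behaviour. The new comment also misspells `various` as `variours`. The enclosing `__init__` method starts and continues outside this hunk.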