Module: check_mk
Branch: master
Commit: 056843cfe84c5dec9798db5e596661c619ac5b19
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=056843cfe84c5d…
Author: Andreas Boesl <ab(a)mathias-kettner.de>
Date: Fri May 30 13:40:19 2014 +0200
WATO snapshots: disabled upload of legacy snaphots and snapshots with invalid checksums
The upload of insecure snapshots has been disabled by default, because such
snapshots are a security risk if their content has been modified, intentionally or
unintentionally.
Insecure snapshots are all legacy snapshots, as well as snapshots of the newer type that
have an invalid checksum.
You can re-enable the upload of insecure snapshots via the new global setting<br>
<tt>Configuration GUI (WATO) -> Allow upload of insecure WATO
snapshots</tt>
---
.werks/930 | 13 ++++++++++++
ChangeLog | 1 +
web/htdocs/wato.py | 18 ++++++++++++++++
web/plugins/config/wato.py | 31 ++++++++++++++--------------
web/plugins/wato/check_mk_configuration.py | 11 ++++++++++
5 files changed, 59 insertions(+), 15 deletions(-)
diff --git a/.werks/930 b/.werks/930
new file mode 100644
index 0000000..58ef00e
--- /dev/null
+++ b/.werks/930
@@ -0,0 +1,13 @@
+Title: WATO snapshots: disabled upload of legacy snaphots and snapshots with invalid
checksums
+Level: 2
+Component: wato
+Version: 1.2.5i3
+Date: 1401449745
+Class: feature
+
+The upload of insecure snapshots has been disabled per default, because those
+snapshots represent a security risk if their content were modified willingly or
unwillingly.
+Insecure snapshots are all legacy snapshots and snapshots of the newer type, but with an
invalid checksum.
+
+You can re-enable the upload of insecure snapshots via the new global setting<br>
+<tt>Configuration GUI (WATO) -> Allow upload of insecure WATO
snapshots</tt>
diff --git a/ChangeLog b/ChangeLog
index 2cce4dc..1bbfc65 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -119,6 +119,7 @@
* 0965 Cumulative permissions and contact groups for WATO folders...
* 0973 Renaming of hosts via WATO...
* 0976 Show preview of active and custom checks in WATO services table...
+ * 0930 WATO snapshots: disabled upload of legacy snaphots and snapshots with invalid
checksums...
* 0781 FIX: host diag page: fixed problem with update of diagnose subwindows...
* 0904 FIX: Fixed exception in host parameter overview...
* 0971 FIX: Fix missing authentication of PHP addons in D-WATO when activation mode
is reload...
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index f1ecc41..d5731d5 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -6780,6 +6780,24 @@ def mode_snapshot(phase):
if status.get("broken"):
raise MKUserError("_upload_file", _("This is not a
Check_MK snapshot!<br>%s") % \
status.get("broken_text"))
+ elif not status.get("checksums") and not
config.wato_upload_insecure_snapshots:
+ if status["type"] == "legacy":
+ raise MKUserError("_upload_file", _('The integrity
of this snapshot could not be verified.<br><br>'
+ 'You are restoring a legacy snapshot which
can not be verified. The snapshot contains '
+ 'files which contain code that will be
executed during runtime of the monitoring.<br><br>'
+ 'The upload of insecure snapshots is
currently disabled in WATO. If you want to allow '
+ 'the upload of insecure snapshots you can
activate it in the Global Settings under<br>'
+ '<tt>Configuration GUI (WATO) ->
Allow upload of insecure WATO snapshots</tt>'))
+ else:
+ raise MKUserError("_upload_file", _('The integrity
of this snapshot could not be verified.<br><br>'
+ 'If you restore a snapshot on the same site
as where it was created, the checksum should '
+ 'always be OK. If not, it is likely that
something has been modified in the snapshot.<br>'
+ 'When you restore the snapshot on a
different site, the checksum check will always fail. '
+ 'The snapshot contains files which contain
code that will be executed during runtime '
+ 'of the
monitoring.<br><br>'
+ 'The upload of insecure snapshots is
currently disabled in WATO. If you want to allow '
+ 'the upload of insecure snapshots you can
activate it in the Global Settings under<br>'
+ '<tt>Configuration GUI (WATO) ->
Allow upload of insecure WATO snapshots</tt>'))
else:
file(snapshot_dir + filename, "w").write(uploaded_file[2])
html.set_var("_snapshot_name", filename)
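Review bot: With `config.wato_upload_insecure_snapshots` enabled, a snapshot whose checksums did not verify falls through to the final `else:` and is written to `snapshot_dir` exactly like a verified one, leaving no trace that verification was skipped. The added messages themselves state that a snapshot contains code executed at monitoring runtime, so the accepting path should record an audit-log entry naming `filename` and the snapshot type before the write. The new branch also indexes `status["type"]` directly while the neighbouring checks use `status.get(...)`; `if status.get("type") == "legacy":` would avoid a KeyError, assuming the code that builds `status` (outside this hunk) can omit that key. The body of mode_snapshot starts and ends outside the hunk.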
diff --git a/web/plugins/config/wato.py b/web/plugins/config/wato.py
index 744dde1..590a145 100644
--- a/web/plugins/config/wato.py
+++ b/web/plugins/config/wato.py
@@ -24,21 +24,22 @@
# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
# Boston, MA 02110-1301 USA.
-wato_enabled = True
-wato_host_tags = []
-wato_aux_tags = []
-wato_hide_filenames = True
-wato_hide_hosttags = False
-wato_hide_varnames = True
-wato_hide_help_in_lists = True
-wato_max_snapshots = 50
-wato_num_hostspecs = 12
-wato_num_itemspecs = 15
-wato_activation_method = 'restart'
-wato_write_nagvis_auth = False
-wato_use_git = False
-wato_hidden_users = []
-wato_user_attrs = []
+wato_enabled = True
+wato_host_tags = []
+wato_aux_tags = []
+wato_hide_filenames = True
+wato_hide_hosttags = False
+wato_upload_insecure_snapshots = False
+wato_hide_varnames = True
+wato_hide_help_in_lists = True
+wato_max_snapshots = 50
+wato_num_hostspecs = 12
+wato_num_itemspecs = 15
+wato_activation_method = 'restart'
+wato_write_nagvis_auth = False
+wato_use_git = False
+wato_hidden_users = []
+wato_user_attrs = []
def tag_alias(tag):
for entry in wato_host_tags:
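Review bot: `wato_upload_insecure_snapshots = False` is added between `wato_hide_hosttags` and `wato_hide_varnames` with no comment, although it is the one default in this block that gates restoring unverified snapshot content. A comment above it such as `# Keep False: True allows upload of legacy snapshots and snapshots with failed checksums` would tell the next editor why the default matters. Placing the line after the `wato_hide_*` entries would keep that group contiguous. Realigning all fifteen existing assignments to fit the longer name also makes the single functional line hard to spot in the diff and in blame.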
diff --git a/web/plugins/wato/check_mk_configuration.py
b/web/plugins/wato/check_mk_configuration.py
index 43b84da..e5f02b9 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -497,6 +497,17 @@ register_configvar(group,
register_configvar(group,
+ "wato_upload_insecure_snapshots",
+ Checkbox(title = _("Allow upload of insecure WATO snapshots"),
+ label = _("upload insecure snapshots"),
+ help = _("When enabled, insecure snapshots are allowed. Please keep in
mind that the upload "
+ "of unverified snapshots represent a security risk, since the
content of a snapshot is executed "
+ "during runtime. Any manipulations in the content - either
willingly or unwillingly (XSS attack) "
+ "- pose a serious security risk."),
+ default_value = False),
+ domain = "multisite")
+
+register_configvar(group,
"wato_hide_hosttags",
Checkbox(title = _("Hide hosttags in WATO folder view"),
label = _("hide hosttags"),
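Review bot: The help text never says what counts as an insecure snapshot, so an administrator ticking the box cannot tell that it covers both legacy snapshots and newer ones whose checksum is invalid. The werk text states this, and the help string should too, for example `"Insecure snapshots are legacy snapshots and snapshots with an invalid checksum. "`. The parenthetical `(XSS attack)` is hard to follow as an example of unintentional modification of a snapshot file; drop it or replace it with a sentence on how an altered snapshot could end up being uploaded. `represent a security risk` should read `represents a security risk`.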