[pkg-nagios-changes] [Git][nagios-team/pkg-nagvis][master] 4 commits: New upstream version 1.9.23
Bas Couwenberg
gitlab at salsa.debian.org
Thu Oct 1 05:11:44 BST 2020
Bas Couwenberg pushed to branch master at Debian Nagios Maintainer Group / pkg-nagvis
Commits:
e2ec3065 by Bas Couwenberg at 2020-10-01T06:04:43+02:00
New upstream version 1.9.23
- - - - -
c93bd018 by Bas Couwenberg at 2020-10-01T06:04:52+02:00
Update upstream source from tag 'upstream/1.9.23'
Update to upstream version '1.9.23'
with Debian dir 35306c943c1e7f1562372b824422659cdc17951c
- - - - -
565b0f6d by Bas Couwenberg at 2020-10-01T06:05:11+02:00
New upstream release.
- - - - -
ba1dd7b7 by Bas Couwenberg at 2020-10-01T06:06:32+02:00
Set distribution to unstable.
- - - - -
4 changed files:
- ChangeLog
- debian/changelog
- share/server/core/classes/CoreLogonMultisite.php
- share/server/core/defines/global.php
Changes:
=====================================
ChangeLog
=====================================
@@ -1,3 +1,7 @@
+1.9.23
+Frontend:
+ * Make NagVis compatible with Checkmk 2.0 auth cookies
+
1.9.22
Core:
* FIX: Fix error handling of DB backends when DB opening failed
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+nagvis (1:1.9.23-1) unstable; urgency=medium
+
+ * Team upload.
+ * New upstream release.
+
+ -- Bas Couwenberg <sebastic at debian.org> Thu, 01 Oct 2020 06:06:21 +0200
+
nagvis (1:1.9.22-1) unstable; urgency=medium
* Team upload.
=====================================
share/server/core/classes/CoreLogonMultisite.php
=====================================
@@ -69,9 +69,14 @@ class CoreLogonMultisite extends CoreLogonModule {
return trim(file_get_contents($this->secretPath));
}
- private function generateHash($username, $now, $user_secret) {
+ private function generateHash($username, $session_id, $user_secret) {
$secret = $this->loadSecret();
- return md5($username . $now . $user_secret . $secret);
+ return hash("sha256", $username . $session_id. $user_secret . $secret);
+ }
+
+ private function generatePre20Hash($username, $issue_time, $user_secret) {
+ $secret = $this->loadSecret();
+ return md5($username . $issue_time . $user_secret . $secret);
}
private function checkAuthCookie($cookieName) {
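Review bot: `generatePre20Hash` carries no comment saying that MD5 is kept only to verify cookies issued by Checkmk before 2.0, so a later reader cannot tell it apart from a general-purpose helper. I would add `// Legacy Checkmk < 2.0 cookie hash (MD5). Compatibility only; remove once pre-2.0 sites are unsupported.` above it. Both helpers hash a plain concatenation of the fields and the secret rather than an HMAC, which is presumably dictated by the Checkmk cookie format; a one-line comment on `generateHash` saying so would stop someone changing it on the NagVis side only. Minor style: `$session_id. $user_secret` is missing the space before the dot.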
@@ -83,7 +88,8 @@ class CoreLogonMultisite extends CoreLogonModule {
// (e.g. when @ signs are found in the value)
$cookieValue = trim($_COOKIE[$cookieName], '"');
- list($username, $issueTime, $cookieHash) = explode(':', $cookieValue, 3);
+ // 2nd field is "issue time" in pre 2.0 cookies. Now it's the session ID
+ list($username, $sessionId, $cookieHash) = explode(':', $cookieValue, 3);
if($this->authFile == 'htpasswd')
$users = $this->loadAuthFile($this->htpasswdPath);
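Review bot: `list($username, $sessionId, $cookieHash) = explode(':', $cookieValue, 3);` assumes the cookie always has three fields. A value with fewer colons leaves `$sessionId` or `$cookieHash` unset, and the rest of the function then runs on nulls. The later hash check most likely still rejects such a cookie, but an explicit guard is clearer and avoids notices on client-controlled input: `$parts = explode(':', $cookieValue, 3); if (count($parts) !== 3) throw new Exception();` before the `list()` assignment. checkAuthCookie starts and ends outside this hunk.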
@@ -95,8 +101,20 @@ class CoreLogonMultisite extends CoreLogonModule {
}
$user_secret = $users[$username];
+ // Checkmk 2.0 changed the following:
+ // a) 2nd field from "issue time" to session ID
+ // b) 3rd field from md5 hash to sha256 hash
+ // NagVis is used with older and newer Checkmk versions. Be compatible
+ // to both cookie formats.
+ $is_pre_20_cookie = strlen($cookieHash) == 32;
+
+ if ($is_pre_20_cookie)
+ $hash = $this->generatePre20Hash($username, $sessionId, (string) $user_secret);
+ else
+ $hash = $this->generateHash($username, $sessionId, (string) $user_secret);
+
// Validate the hash
- if($cookieHash != $this->generateHash($username, $issueTime, (string) $user_secret)) {
+ if ($cookieHash != $hash) {
throw new Exception();
}
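Review bot: `if ($cookieHash != $hash)` is still a loose, non-constant-time comparison against a client-supplied value. PHP's `!=` compares numeric-looking strings numerically, so the check should be `if (!hash_equals($hash, (string) $cookieHash)) {` (available from PHP 5.6). Separately, the format is chosen only by `strlen($cookieHash) == 32`, which the client controls, so the MD5 path stays reachable even when the site runs Checkmk 2.0. Consider gating the legacy branch on a configuration option and rejecting any length other than 32 or 64 before hashing. checkAuthCookie starts and ends outside this hunk.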
=====================================
share/server/core/defines/global.php
=====================================
@@ -23,7 +23,7 @@
*****************************************************************************/
// NagVis Version
-define('CONST_VERSION', '1.9.22');
+define('CONST_VERSION', '1.9.23');
// Set PHP error handling to standard level
// Different levels for php versions below 5.1 because PHP 5.1 reports
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagvis/-/compare/fd6cc5e498258da732c036f35239d4fe167226fa...ba1dd7b7f07e1c8546e18cc691e073400aa6cc13