[pkg-nagios-changes] [Git][nagios-team/pkg-nagvis][upstream] New upstream version 1.9.23

Bas Couwenberg gitlab at salsa.debian.org
Thu Oct 1 05:11:46 BST 2020



Bas Couwenberg pushed to branch upstream at Debian Nagios Maintainer Group / pkg-nagvis


Commits:
e2ec3065 by Bas Couwenberg at 2020-10-01T06:04:43+02:00
New upstream version 1.9.23
- - - - -


3 changed files:

- ChangeLog
- share/server/core/classes/CoreLogonMultisite.php
- share/server/core/defines/global.php


Changes:

=====================================
ChangeLog
=====================================
@@ -1,3 +1,7 @@
+1.9.23
+Frontend:
+  * Make NagVis compatible with Checkmk 2.0 auth cookies
+
 1.9.22
 Core:
   * FIX: Fix error handling of DB backends when DB opening failed


=====================================
share/server/core/classes/CoreLogonMultisite.php
=====================================
@@ -69,9 +69,14 @@ class CoreLogonMultisite extends CoreLogonModule {
         return trim(file_get_contents($this->secretPath));
     }
 
-    private function generateHash($username, $now, $user_secret) {
+    private function generateHash($username, $session_id, $user_secret) {
         $secret = $this->loadSecret();
-        return md5($username . $now . $user_secret . $secret);
+        return hash("sha256", $username . $session_id. $user_secret . $secret);
+    }
+
+    private function generatePre20Hash($username, $issue_time, $user_secret) {
+        $secret = $this->loadSecret();
+        return md5($username . $issue_time . $user_secret . $secret);
     }
 
     private function checkAuthCookie($cookieName) {
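Review bot: Neither `generateHash` nor `generatePre20Hash` checks the value returned by `loadSecret()`. If the secret file cannot be read, the `trim(file_get_contents($this->secretPath))` shown in the context above would presumably yield an empty string, and the digest would then be computed without the site secret. Whether the path is validated earlier is not visible in this hunk; if it is not, a guard such as `if ($secret === '') throw new Exception();` in both helpers would fail closed. A short docblock on each helper naming the Checkmk cookie format it mirrors (`sha256` for 2.0, `md5` for earlier versions) would also explain why the MD5 variant is kept.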
@@ -83,7 +88,8 @@ class CoreLogonMultisite extends CoreLogonModule {
         // (e.g. when @ signs are found in the value)
         $cookieValue = trim($_COOKIE[$cookieName], '"');
 
-        list($username, $issueTime, $cookieHash) = explode(':', $cookieValue, 3);
+        // 2nd field is "issue time" in pre 2.0 cookies. Now it's the session ID
+        list($username, $sessionId, $cookieHash) = explode(':', $cookieValue, 3);
 
         if($this->authFile == 'htpasswd')
             $users = $this->loadAuthFile($this->htpasswdPath);
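Review bot: The `list($username, $sessionId, $cookieHash) = explode(':', $cookieValue, 3);` line assumes the cookie always has three fields. A value with fewer than two colons leaves `$sessionId` or `$cookieHash` as null, with a PHP notice, and those nulls flow into the user lookup and the hash-length test later in `checkAuthCookie`. Rejecting malformed input up front would be cleaner, e.g. `$parts = explode(':', $cookieValue, 3); if (count($parts) !== 3) throw new Exception();` before the destructuring. The function starts and continues outside this hunk, so an earlier format check may already exist.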
@@ -95,8 +101,20 @@ class CoreLogonMultisite extends CoreLogonModule {
         }
         $user_secret = $users[$username];
 
+        // Checkmk 2.0 changed the following:
+        // a) 2nd field from "issue time" to session ID
+        // b) 3rd field from md5 hash to sha256 hash
+        // NagVis is used with older and newer Checkmk versions. Be compatible
+        // to both cookie formats.
+        $is_pre_20_cookie = strlen($cookieHash) == 32;
+
+        if ($is_pre_20_cookie)
+            $hash = $this->generatePre20Hash($username, $sessionId, (string) $user_secret);
+        else
+            $hash = $this->generateHash($username, $sessionId, (string) $user_secret);
+
         // Validate the hash
-        if($cookieHash != $this->generateHash($username, $issueTime, (string) $user_secret)) {
+        if ($cookieHash != $hash) {
             throw new Exception();
         }
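Review bot: The check `if ($cookieHash != $hash)` uses PHP's loose comparison on a client-supplied value. That comparison is not constant-time, and it compares two numeric-looking strings (such as `0e` followed only by digits) as numbers rather than byte by byte. `if (!hash_equals($hash, (string) $cookieHash)) {` avoids both problems; if the minimum supported PHP version lacks `hash_equals`, `!==` at least removes the type juggling. Separately, `$is_pre_20_cookie = strlen($cookieHash) == 32;` lets the cookie itself choose the verifier, so the MD5 path stays accepted even on sites that only issue Checkmk 2.0 cookies. A configuration switch to disable the legacy format would let upgraded installations drop it.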
 


=====================================
share/server/core/defines/global.php
=====================================
@@ -23,7 +23,7 @@
  *****************************************************************************/
  
 // NagVis Version
-define('CONST_VERSION', '1.9.22');
+define('CONST_VERSION', '1.9.23');
 
 // Set PHP error handling to standard level
 // Different levels for php versions below 5.1 because PHP 5.1 reports



View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagvis/-/commit/e2ec30654069b28c19d4c96fb8aecc93a9076b2a
