[pkg-nagios-changes] [Git][nagios-team/nagvis][upstream] New upstream version 1.9.34
Bas Couwenberg (@sebastic)
gitlab at salsa.debian.org
Tue Aug 30 15:14:41 BST 2022
Bas Couwenberg pushed to branch upstream at Debian Nagios Maintainer Group / nagvis
Commits:
4af78598 by Bas Couwenberg at 2022-08-30T15:53:05+02:00
New upstream version 1.9.34
- - - - -
11 changed files:
- ChangeLog
- docs/en_US/backend_mkbi.html
- docs/en_US/nagvis_config_format_description.html
- share/server/core/classes/CoreLogonMultisite.php
- share/server/core/classes/GlobalBackendmkbi.php
- share/server/core/classes/GlobalMainCfg.php
- share/server/core/classes/NagVisHoverUrl.php
- share/server/core/classes/ViewEditMainCfg.php
- share/server/core/defines/global.php
- share/server/core/sources/geomap.php
- share/server/core/sources/worldmap.php
Changes:
=====================================
ChangeLog
=====================================
@@ -1,3 +1,23 @@
+1.9.34
+Core:
+ * Checkmk BI backend: Add verify_peer, ca_path and verify_depth options to configure
+ parameters for HTTPS certificate verification (#317 Thanks to loocars)
+
+Frontend:
+ * FIX: Fix PHP 8.1 incompatibility in different configuration dialogs
+
+Worldmap:
+ * FIX: Fix PHP 8.1 incompatibility (#316 Thanks to loocars)
+
+Security:
+ * FIX: Fix SSRF (triggerable by admin users) in geomap.php (#319 Thanks to dontqwerty)
+ * FIX: Fix arbitrary file read in (#322 Thanks to Shortfinga)
+ * FIX: Fix type juggling vulnerability in cookie hash processing (#321 Thanks to Shortfinga)
+ * Add option to enable compatibility with Checkmk 2.2 cookies. This needs to
+ be enable with a new configuration option (logon_multisite_cookie_version).
+ This setting will automatically be enabled when NagVis is shipped together
+ with Checkmk. (#323 Thanks to Shortfinga)
+
1.9.33
Frontend:
* FIX: Weathermap lines of Checkmk monitored network interfaces displaying
=====================================
docs/en_US/backend_mkbi.html
=====================================
@@ -51,13 +51,31 @@
<td>The authentication secret configured within Check_MK for the tiven user.</td>
</tr>
<tr>
- <td>timeout</td>
- <td>5</td>
- <td>
- <font color="#f00">New in 1.9b11</font>: This option controls the request timeout
- of the HTTP requests to Check_MK BI.
- </td>
- </tr>
+ <td>verify_peer</td>
+ <td>1</td>
+ <td>
+ <font color="#f00">New in 1.9.34</font>: Whether to verify the
+ certificate the HTTPS server is providing.
+ </td>
+ </tr>
+ <tr>
+ <td>ca_path</td>
+ <td></td>
+ <td>
+ <font color="#f00">New in 1.9.34</font>: Location of Certificate
+ Authority file on local filesystem which should be used with the
+ verify_peer context option to authenticate the identity of the
+ remote peer.
+ </td>
+ </tr>
+ <tr>
+ <td>timeout</td>
+ <td>5</td>
+ <td>
+ <font color="#f00">New in 1.9b11</font>: This option controls the request timeout
+ of the HTTP requests to Check_MK BI.
+ </td>
+ </tr>
</table>
<p>There are also some general backend parameters. You can read about them in
<a href="nagvis_config_format_description.html#backend">main configuration format description</a>.</p>
=====================================
docs/en_US/nagvis_config_format_description.html
=====================================
@@ -219,6 +219,11 @@
<td>Guest</td>
<td>Same as the above "logonenvcreaterole" option. Only used by the LogonMultisite module.</td>
</tr>
+ <tr>
+ <td>logon_multisite_cookie_version</td>
+ <td>0</td>
+ <td>When you use Checkmk 2.2 or newer, you need to set this to <tt>1</tt>. Only used by the LogonMultisite module.</td>
+ </tr>
<tr>
<td>multisite_snapin_layout</td>
=====================================
share/server/core/classes/CoreLogonMultisite.php
=====================================
@@ -30,9 +30,10 @@ class CoreLogonMultisite extends CoreLogonModule {
private $authFile;
public function __construct() {
- $this->htpasswdPath = cfg('global', 'logon_multisite_htpasswd');
- $this->serialsPath = cfg('global', 'logon_multisite_serials');
- $this->secretPath = cfg('global', 'logon_multisite_secret');
+ $this->htpasswdPath = cfg('global', 'logon_multisite_htpasswd');
+ $this->serialsPath = cfg('global', 'logon_multisite_serials');
+ $this->secretPath = cfg('global', 'logon_multisite_secret');
+ $this->cookieVersion = cfg('global', 'logon_multisite_cookie_version');
// When the auth.serial file exists, use this instead of the htpasswd
// for validating the cookie. The structure of the file is equal, so
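Review bot: `$this->cookieVersion` is assigned on the new constructor line without a matching property declaration anywhere in this hunk; the visible declarations stop at `private $authFile;`. If the class does not declare it elsewhere, PHP 8.2 reports creation of dynamic properties as deprecated, which is worth fixing in a release that otherwise addresses PHP 8.x compatibility. Add `private $cookieVersion;` alongside the other private properties. The constructor body continues past the end of the hunk.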
@@ -70,6 +71,11 @@ class CoreLogonMultisite extends CoreLogonModule {
}
private function generateHash($username, $session_id, $user_secret) {
+ $secret = $this->loadSecret();
+ return hash_hmac("sha256", $username . $session_id. $user_secret, $secret);
+ }
+
+ private function generatePre22Hash($username, $session_id, $user_secret) {
$secret = $this->loadSecret();
return hash("sha256", $username . $session_id. $user_secret . $secret);
}
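Review bot: Neither generateHash nor generatePre22Hash documents why the three fields are concatenated without a separator, which a later reader may try to "fix" by adding one and thereby break every cookie validation against Checkmk. Both layouts have to mirror what Checkmk writes into its auth cookie, so I would put a comment above generateHash such as `// Input layout (username . session_id . user_secret, no separator) must match Checkmk 2.2's cookie hash exactly; change only in lockstep with Checkmk.` and a matching `// Checkmk < 2.2 layout: unkeyed sha256 over the same fields followed by the site secret.` above generatePre22Hash. Keying the new variant with the site secret via hash_hmac is the right construction; the comment is only to protect it.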
@@ -101,25 +107,33 @@ class CoreLogonMultisite extends CoreLogonModule {
}
$user_secret = $users[$username];
- // Checkmk 2.0 changed the following:
- // a) 2nd field from "issue time" to session ID
- // b) 3rd field from md5 hash to sha256 hash
- // NagVis is used with older and newer Checkmk versions. Be compatible
- // to both cookie formats.
- $is_pre_20_cookie = strlen($cookieHash) == 32;
-
- if ($is_pre_20_cookie)
- $hash = $this->generatePre20Hash($username, $sessionId, (string) $user_secret);
- else
+ if ($this->cookieVersion < 1) {
+ // Older Checkmk versions do not set the cookieVersion, therefore we guess based on the length.
+
+ // Checkmk 2.0 changed the following:
+ // a) 2nd field from "issue time" to session ID
+ // b) 3rd field from md5 hash to sha256 hash
+ // NagVis is used with older and newer Checkmk versions. Be compatible
+ // to both cookie formats.
+ $is_pre_20_cookie = strlen($cookieHash) == 32;
+
+ if ($is_pre_20_cookie)
+ $hash = $this->generatePre20Hash($username, $sessionId, (string) $user_secret);
+ else
+ $hash = $this->generatePre22Hash($username, $sessionId, (string) $user_secret);
+ }
+ elseif ($this->cookieVersion == 1) {
$hash = $this->generateHash($username, $sessionId, (string) $user_secret);
+ }
+ else {
+ throw new NagVisException(l('The Multisite Cookie version is not supported'));
+ }
// Validate the hash
- if ($cookieHash != $hash) {
+ if ($cookieHash !== $hash) {
throw new Exception();
}
- // FIXME: Maybe renew the cookie here too
-
return $username;
}
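Review bot: `$cookieHash !== $hash` at the validation step fixes the loose-equality juggling, but a plain string compare still exits on the first differing byte, so it leaks timing about how much of the expected hash the attacker has right; the PHP idiom for comparing secrets is `if (!hash_equals($hash, (string) $cookieHash)) { throw new Exception(); }`. hash_equals requires two strings, and `$cookieHash` is parsed before this hunk, so the cast keeps a non-string value from turning into a TypeError under PHP 8. The enclosing method starts above the hunk.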
=====================================
share/server/core/classes/GlobalBackendmkbi.php
=====================================
@@ -81,6 +81,25 @@ class GlobalBackendmkbi implements GlobalBackendInterface {
'default' => '',
'match' => MATCH_STRING_PATH,
),
+ 'verify_peer' => Array(
+ 'must' => 0,
+ 'editable' => 1,
+ 'default' => 1,
+ 'match' => MATCH_BOOLEAN,
+ 'field_type' => 'boolean',
+ ),
+ 'verify_depth' => Array(
+ 'must' => 0,
+ 'editable' => 1,
+ 'default' => 3,
+ 'match' => MATCH_INTEGER,
+ ),
+ 'ca_path' => Array(
+ 'must' => 0,
+ 'editable' => 1,
+ 'default' => '',
+ 'match' => MATCH_STRING_PATH,
+ ),
'timeout' => Array(
'must' => 1,
'editable' => 1,
@@ -97,12 +116,31 @@ class GlobalBackendmkbi implements GlobalBackendInterface {
$this->baseUrl = cfg('backend_'.$backendId, 'base_url');
- $httpContext = array(
+ $httpContext = array(
'method' => 'GET',
'user_agent' => 'NagVis BI Backend',
'timeout' => cfg('backend_'.$backendId, 'timeout'),
);
+ $sslContext = array();
+
+ if (cfg('backend_'.$backendId, 'verify_peer') == true) {
+ $sslContext = array(
+ 'verify_peer' => true,
+ 'verify_peer_name' => false,
+ 'verify_depth' => cfg('backend_'.$backendId, 'verify_depth'),
+ );
+ $ca_path = cfg('backend_'.$backendId, 'ca_path');
+ if ($ca_path) {
+ $sslContext['cafile'] = $ca_path;
+ }
+ } else {
+ $sslContext = array(
+ 'verify_peer' => false,
+ 'verify_peer_name' => false,
+ );
+ }
+
// Always set the HTTP basic auth header
$username = cfg('backend_'.$backendId, 'auth_user');
$secret = $this->getSecret();
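Review bot: `'verify_peer_name' => false` inside the verify_peer branch disables hostname checking, so with verify_peer=1 any certificate that chains to the trusted store (the system CA bundle when ca_path is empty) is accepted for any host, which leaves a network attacker holding any publicly trusted certificate able to impersonate the Checkmk server and capture the Basic-auth credentials set just below. Set `'verify_peer_name' => true,` there by default; if deployments with mismatching names are a real need, expose that as its own boolean option instead of silently turning the check off for everyone. The constructor continues beyond the hunk.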
@@ -111,7 +149,10 @@ class GlobalBackendmkbi implements GlobalBackendInterface {
$httpContext['header'] = 'Authorization: Basic '.$authCred."\r\n";
}
- $this->context = stream_context_create(array('http' => $httpContext));
+ $this->context = stream_context_create(array(
+ 'http' => $httpContext,
+ 'ssl' => $sslContext,
+ ));
}
/**************************************************************************
=====================================
share/server/core/classes/GlobalMainCfg.php
=====================================
@@ -258,6 +258,14 @@ class GlobalMainCfg {
'depends_value' => 'LogonMultisite',
'match' => MATCH_STRING_PATH,
),
+ 'logon_multisite_cookie_version' => Array(
+ 'must' => 0,
+ 'editable' => 1,
+ 'default' => '0',
+ 'depends_on' => 'logonmodule',
+ 'depends_value' => 'LogonMultisite',
+ 'match' => MATCH_INTEGER,
+ ),
'logon_multisite_createuser' => Array(
'must' => 1,
'editable' => 1,
=====================================
share/server/core/classes/NagVisHoverUrl.php
=====================================
@@ -84,7 +84,7 @@ class NagVisHoverUrl {
// Only allow urls not paths for security reasons
// Reported here: http://news.gmane.org/find-root.php?message_id=%3cf60c42280909021938s7f36c0edhd66d3e9156a5d081%40mail.gmail.com%3e
$aUrl = parse_url($this->url);
- if(!isset($aUrl['scheme']) || $aUrl['scheme'] == '')
+ if(!isset($aUrl['scheme']) || $aUrl['scheme'] == '' || ($aUrl['scheme'] != 'http' && $aUrl['scheme'] != 'https'))
throw new NagVisException(l('problemReadingUrl', Array('URL' => $this->url,
'MSG' => l('Not allowed url'))));
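Review bot: The scheme test on the changed line is case-sensitive while `parse_url` preserves the scheme as written, so `HTTP://` or `Https://` hover URLs are now rejected even though the fetch layer treats them as plain HTTP(S); the geomap validator added in this same release lowercases before comparing. Write it as `if(!isset($aUrl['scheme']) || !in_array(strtolower($aUrl['scheme']), array('http', 'https'), true))` so both places agree. The surrounding method starts and ends outside the hunk.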
=====================================
share/server/core/classes/ViewEditMainCfg.php
=====================================
@@ -183,7 +183,8 @@ class ViewEditMainCfg {
echo l('No');
break;
default:
- echo escape_html($def_val);
+ if ($def_val !== null)
+ echo escape_html($def_val);
}
echo '</div>';
=====================================
share/server/core/defines/global.php
=====================================
@@ -23,7 +23,7 @@
*****************************************************************************/
// NagVis Version
-define('CONST_VERSION', '1.9.33');
+define('CONST_VERSION', '1.9.34');
// Set PHP error handling to standard level
// Different levels for php versions below 5.1 because PHP 5.1 reports
=====================================
share/server/core/sources/geomap.php
=====================================
@@ -6,6 +6,8 @@ class GeomapError extends MapSourceError {}
// CSV source file handling
//
+const ACCEPTED_GEOMAP_SERVER_URL_SCHEMES = ["http", "https"];
+
function geomap_source_file($p) {
return cfg('paths', 'geomap') . '/' . $p['source_file'] . '.csv';
}
@@ -120,6 +122,7 @@ function geomap_get_contents($url) {
'http' => array(
'timeout' => cfg('global', 'http_timeout'),
'user_agent' => 'NagVis '.CONST_VERSION.' geomap',
+ 'max_redirects' => 0,
)
);
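Review bot: `'max_redirects' => 0` may be stricter than intended: as far as I recall PHP's http stream wrapper checks the redirect budget before issuing the first request and aborts with "Redirection limit reached" when it is below 1, which would make every geomap fetch fail rather than merely refuse to follow a Location header, and the manual documents "1 or less" as the no-redirect setting. To disable following explicitly and unambiguously, use `'follow_location' => 0,` together with `'max_redirects' => 1,`. This is worth verifying against the PHP versions NagVis supports; geomap_get_contents starts above the hunk.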
@@ -268,6 +271,33 @@ function geomap_files($params) {
);
}
+function validate_geomap_server_base_url($url) {
+ # If the given url contains non standard URL characters, throw an error
+ $sanitized_url = filter_var($url, FILTER_SANITIZE_URL);
+ if ($sanitized_url !== $url) {
+ throw new GeomapError(l('Geomap server URL contains not allowed characters. Url: "[U]"',
+ array('U' => $url)));
+ }
+
+ $url_scheme = parse_url($url, PHP_URL_SCHEME);
+ if (!$url_scheme || !in_array(strtolower($url_scheme), ACCEPTED_GEOMAP_SERVER_URL_SCHEMES)) {
+ throw new GeomapError(l('Invalid scheme in Geomap server URL: "[U]"',
+ array('U' => $url)));
+ }
+
+ $url_query = parse_url($url, PHP_URL_QUERY);
+ if (!empty($url_query)) {
+ throw new GeomapError(l('Geomap server cannot contain query parameters. URL: "[U]"',
+ array('U' => $url)));
+ }
+
+ $url_fragment = parse_url($url, PHP_URL_FRAGMENT);
+ if (!empty($url_fragment)) {
+ throw new GeomapError(l('Geomap server cannot contain anchors. URL: "[U]"',
+ array('U' => $url)));
+ }
+}
+
function process_geomap($MAPCFG, $map_name, &$map_config) {
$params = $MAPCFG->getSourceParams();
list($image_name, $image_path, $data_path) = geomap_files($params);
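Review bot: validate_geomap_server_base_url never requires a host, so a scheme-only value such as `http:` (which parse_url accepts) passes the scheme, query and fragment checks and the failure only surfaces later inside the stream wrapper with a less useful error; add after the scheme check `if (empty(parse_url($url, PHP_URL_HOST))) { throw new GeomapError(l('Geomap server URL has no host: "[U]"', array('U' => $url))); }`. The `in_array` call should also pass `true` as its third argument so scheme membership is a strict string comparison. A one-line comment on the function saying that it validates the shape of the URL but deliberately does not restrict which host an administrator may configure would make the intended threat model (admin-triggerable, per the changelog) explicit.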
@@ -354,7 +384,9 @@ function process_geomap($MAPCFG, $map_name, &$map_config) {
throw new GeomapError(l('Missing mandatory "width" and "height" parameters."'));
// Using this API: http://pafciu17.dev.openstreetmap.org/
- $url = cfg('global', 'geomap_server')
+ $geomap_server_base_url = cfg('global', 'geomap_server');
+ validate_geomap_server_base_url($geomap_server_base_url);
+ $url = $geomap_server_base_url
.'?module=map'
.'&width='.$params['width'].'&height='.$params['height']
.'&type='.$params['geomap_type'];
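Review bot: The query string built after validation still interpolates `$params['width']`, `$params['height']` and `$params['geomap_type']` raw, so a map source parameter containing `&` or `#` can inject further query parameters into the request to the validated geomap server or truncate it, which undoes part of the point of rejecting query and fragment in the base URL. Wrap each value: `.'&width='.urlencode($params['width']).'&height='.urlencode($params['height'])` and `.'&type='.urlencode($params['geomap_type'])`. Whether these values are validated upstream is not visible here beyond the mandatory check; process_geomap continues beyond the hunk.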
=====================================
share/server/core/sources/worldmap.php
=====================================
@@ -262,9 +262,9 @@ function worldmap_get_objects_by_bounds($sw_lng, $sw_lat, $ne_lng, $ne_lat) {
$obj = json_decode($data['object'], true);
$objects[$obj['object_id']] = $obj;
// check all coordinates for relative coords
- $coords = array($data['lat'], $data['lng'], $data['lat2'], $data['lng2']);
+ $coords = array_map('strval', array($data['lat'], $data['lng'], $data['lat2'], $data['lng2']));
foreach ($coords as $coord) {
- if (strpos($coord, '%') !== false) {
+ if ($coord !== null && strpos($coord, '%') !== false) {
$referenced[substr($coord, 0, 6)] = null;
}
}
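Review bot: After the `array_map('strval', ...)` on the new line, the `$coord !== null` guard in the loop can never be false, because strval(null) yields an empty string, so one of the two changes is redundant. Keep the strval cast, which is what stops strpos() from receiving null under PHP 8.1, and drop the null check, or drop the cast and keep `if ($coord !== null && strpos($coord, '%') !== false)`. Either is fine behaviourally; having both suggests the second was added after the first had already made it unnecessary. The surrounding function starts above the hunk.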