mattm 14/10/29 22:38:38 |
|
Added: zbx7479.patch zbx8151.patch |
Log: |
Major version bump 2.4.1, totally experimental, has not been tested. Package masked. Do not install unless you are using a non-production system and can contribute to improving gentoo support for 2.4 and comment on bug 524010. |
|
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 786037A7) |
|
Revision Changes Path |
1.1 net-analyzer/zabbix/files/2.4/patches/zbx7479.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.4/patches/zbx7479.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.4/patches/zbx7479.patch?rev=1.1&content-type=text/plain |
|
Index: zbx7479.patch |
16 |
=================================================================== |
17 |
Index: src/libs/zbxsysinfo/sysinfo.c |
18 |
=================================================================== |
19 |
--- src/libs/zbxsysinfo/sysinfo.c (revision 40348) |
20 |
+++ src/libs/zbxsysinfo/sysinfo.c (working copy) |
21 |
@@ -427,13 +427,49 @@ |
22 |
test_aliases(); |
23 |
} |
24 |
|
25 |
+static int zbx_check_user_parameter(const char *param, char *error, int max_error_len) |
26 |
+{ |
27 |
+ const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@\n", *c; |
28 |
+ char *buf = NULL; |
29 |
+ size_t buf_alloc = 128, buf_offset = 0; |
30 |
+ |
31 |
+ if (0 != CONFIG_UNSAFE_USER_PARAMETERS) |
32 |
+ return SUCCEED; |
33 |
+ |
34 |
+ for (c = suppressed_chars; '\0' != *c; c++) |
35 |
+ { |
36 |
+ if (NULL == strchr(param, *c)) |
37 |
+ continue; |
38 |
+ |
39 |
+ buf = zbx_malloc(buf, buf_alloc); |
40 |
+ |
41 |
+ for (c = suppressed_chars; '\0' != *c; c++) |
42 |
+ { |
43 |
+ if (c != suppressed_chars) |
44 |
+ zbx_strcpy_alloc(&buf, &buf_alloc, &buf_offset, ", "); |
45 |
+ |
46 |
+ if (0 != isprint(*c)) |
47 |
+ zbx_chrcpy_alloc(&buf, &buf_alloc, &buf_offset, *c); |
48 |
+ else |
49 |
+ zbx_snprintf_alloc(&buf, &buf_alloc, &buf_offset, "0x%02x", *c); |
50 |
+ } |
51 |
+ |
52 |
+ zbx_snprintf(error, max_error_len, "special characters \"%s\" are not allowed in the parameters", buf); |
53 |
+ |
54 |
+ zbx_free(buf); |
55 |
+ |
56 |
+ return FAIL; |
57 |
+ } |
58 |
+ |
59 |
+ return SUCCEED; |
60 |
+} |
61 |
+ |
62 |
static int replace_param(const char *cmd, const char *param, char *out, int outlen, char *error, int max_error_len) |
63 |
{ |
64 |
int ret = SUCCEED; |
65 |
char buf[MAX_STRING_LEN]; |
66 |
char command[MAX_STRING_LEN]; |
67 |
char *pl, *pr; |
68 |
- const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@", *c; |
69 |
|
70 |
assert(out); |
71 |
|
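Review bot: The inner `for (c = suppressed_chars; ...)` loop that builds the error text in zbx_check_user_parameter() reuses the outer scan's iterator `c`; this is harmless only because the function returns FAIL right after, so a separate iterator for the message loop would keep the scan intact if that return ever moves. `isprint(*c)` is called with a plain `char`; `isprint((unsigned char)*c)` is the well-defined form. The list also deserves a comment such as `/* characters rejected in user parameter arguments unless CONFIG_UNSAFE_USER_PARAMETERS is non-zero; '\n' is listed presumably because a newline separates commands once the assembled line reaches a shell */`, since the newline entry is the only addition over the list removed from replace_param() and a denylist like this has to be kept in step with whatever interprets the command. replace_param() continues outside the hunk.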
72 |
@@ -465,25 +501,10 @@ |
73 |
{ |
74 |
get_param(param, (int)(pr[1] - '0'), buf, sizeof(buf)); |
75 |
|
76 |
- if (0 == CONFIG_UNSAFE_USER_PARAMETERS) |
77 |
- { |
78 |
- for (c = suppressed_chars; '\0' != *c; c++) |
79 |
- { |
80 |
- if (NULL != strchr(buf, *c)) |
81 |
- { |
82 |
- zbx_snprintf(error, max_error_len, "Special characters '%s'" |
83 |
- " are not allowed in the parameters", |
84 |
- suppressed_chars); |
85 |
- ret = FAIL; |
86 |
- break; |
87 |
- } |
88 |
- } |
89 |
- } |
90 |
+ if (SUCCEED != (ret = zbx_check_user_parameter(buf, error, max_error_len))) |
91 |
+ break; |
92 |
} |
93 |
|
94 |
- if (FAIL == ret) |
95 |
- break; |
96 |
- |
97 |
zbx_strlcat(out, buf, outlen); |
98 |
outlen -= MIN((int)strlen(buf), (int)outlen); |
99 |
|
100 |
|
101 |
|
102 |
|
1.1 net-analyzer/zabbix/files/2.4/patches/zbx8151.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.4/patches/zbx8151.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.4/patches/zbx8151.patch?rev=1.1&content-type=text/plain |
|
Index: zbx8151.patch |
109 |
=================================================================== |
110 |
Index: frontends/php/include/defines.inc.php |
111 |
=================================================================== |
112 |
--- frontends/php/include/defines.inc.php (revision 46596) |
113 |
+++ frontends/php/include/defines.inc.php (revision 46655) |
114 |
@@ -835,6 +835,14 @@ |
115 |
|
116 |
define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts'); |
117 |
|
118 |
+// XML import flags |
119 |
+// See ZBX-8151. Old version of libxml suffered from setting DTDLOAD and NOENT flags by default, which allowed |
120 |
+// performing XXE attacks. Calling libxml_disable_entity_loader(true) also had no affect if flags passed to libxml |
121 |
+// calls were 0 - so for better security with legacy libxml we need to call libxml_disable_entity_loader(true) AND |
122 |
+// pass the LIBXML_NONET flag. Please keep in mind that LIBXML_NOENT actually EXPANDS entities, opposite to it's name - |
123 |
+// so this flag is not needed here. |
124 |
+define('LIBXML_IMPORT_FLAGS', LIBXML_NONET); |
125 |
+ |
126 |
// API errors |
127 |
define('ZBX_API_ERROR_INTERNAL', 111); |
128 |
define('ZBX_API_ERROR_PARAMETERS', 100); |
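Review bot: The new constant `LIBXML_IMPORT_FLAGS` takes the `LIBXML_` prefix that PHP's libxml extension uses for its own constants (`LIBXML_NONET`, `LIBXML_NOENT`), while the neighbouring defines in this hunk are all `ZBX_`-prefixed. A project-prefixed name, for example `define('ZBX_LIBXML_IMPORT_FLAGS', LIBXML_NONET);`, would rule out a clash with a future extension constant and make it obvious at the call sites that the value is project policy rather than a libxml built-in. The explanatory comment is worth keeping, with "had no affect" corrected to "had no effect" and "opposite to it's name" to "contrary to its name".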
129 |
Index: frontends/php/include/classes/import/readers/CXmlImportReader.php |
130 |
=================================================================== |
131 |
--- frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46596) |
132 |
+++ frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46655) |
133 |
@@ -32,7 +32,8 @@ |
134 |
*/ |
135 |
public function read($string) { |
136 |
libxml_use_internal_errors(true); |
137 |
- $result = simplexml_load_string($string); |
138 |
+ libxml_disable_entity_loader(true); |
139 |
+ $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS); |
140 |
if (!$result) { |
141 |
$errors = libxml_get_errors(); |
142 |
libxml_clear_errors(); |
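Review bot: The added `libxml_disable_entity_loader(true);` in read() changes a process-wide libxml setting and never restores it, so any later XML loading in the same request that relies on the entity loader is affected as well. The function returns the previous value, so the call can be scoped to the parse with `$prev = libxml_disable_entity_loader(true);` before `simplexml_load_string()` and `libxml_disable_entity_loader($prev);` after it. The same applies to the identical call added to CXmlImport18::import() in the next file section. A short comment at both call sites pointing to the rationale recorded next to `LIBXML_IMPORT_FLAGS` would help, since the function is deprecated in newer PHP releases and the reason for keeping it (legacy libxml) is not visible here. read() continues outside the hunk.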
143 |
Index: frontends/php/include/classes/import/CXmlImport18.php |
144 |
=================================================================== |
145 |
--- frontends/php/include/classes/import/CXmlImport18.php (revision 46596) |
146 |
+++ frontends/php/include/classes/import/CXmlImport18.php (revision 46655) |
147 |
@@ -390,12 +390,13 @@ |
148 |
return $array; |
149 |
} |
150 |
|
151 |
- public static function import($file) { |
152 |
+ public static function import($source) { |
153 |
|
154 |
libxml_use_internal_errors(true); |
155 |
+ libxml_disable_entity_loader(true); |
156 |
|
157 |
$xml = new DOMDocument(); |
158 |
- if (!$xml->loadXML($file)) { |
159 |
+ if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) { |
160 |
$text = ''; |
161 |
foreach (libxml_get_errors() as $error) { |
162 |
switch ($error->level) { |