| 1 |
mattm 13/12/03 19:28:19 |
| 2 |
|
| 3 |
Added: zbx7479.patch |
| 4 |
Log: |
| 5 |
Patching for Zabbix Vulnerability - Possible Shell Code Injection - https://support.zabbix.com/browse/ZBX-7479 |
| 6 |
|
| 7 |
(Portage version: 2.1.12.2/cvs/Linux x86_64, signed Manifest commit with key 786037A7) |
| 8 |
|
| 9 |
Revision Changes Path |
| 10 |
1.1 net-analyzer/zabbix/files/2.0/patches/zbx7479.patch |
| 11 |
|
| 12 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.0/patches/zbx7479.patch?rev=1.1&view=markup |
| 13 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.0/patches/zbx7479.patch?rev=1.1&content-type=text/plain |
| 14 |
|
| 15 |
Index: zbx7479.patch |
| 16 |
=================================================================== |
| 17 |
Index: src/libs/zbxsysinfo/sysinfo.c |
| 18 |
=================================================================== |
| 19 |
--- src/libs/zbxsysinfo/sysinfo.c (revision 40346) |
| 20 |
+++ src/libs/zbxsysinfo/sysinfo.c (working copy) |
| 21 |
@@ -267,13 +267,49 @@ |
| 22 |
test_parameter(commands[i].key, PROCESS_TEST | PROCESS_USE_TEST_PARAM); |
| 23 |
} |
| 24 |
|
| 25 |
+static int zbx_check_user_parameter(const char *param, char *error, int max_error_len) |
| 26 |
+{ |
| 27 |
+ const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@\n", *c; |
| 28 |
+ char *buf = NULL; |
| 29 |
+ size_t buf_alloc = 128, buf_offset = 0; |
| 30 |
+ |
| 31 |
+ if (0 != CONFIG_UNSAFE_USER_PARAMETERS) |
| 32 |
+ return SUCCEED; |
| 33 |
+ |
| 34 |
+ for (c = suppressed_chars; '\0' != *c; c++) |
| 35 |
+ { |
| 36 |
+ if (NULL == strchr(param, *c)) |
| 37 |
+ continue; |
| 38 |
+ |
| 39 |
+ buf = zbx_malloc(buf, buf_alloc); |
| 40 |
+ |
| 41 |
+ for (c = suppressed_chars; '\0' != *c; c++) |
| 42 |
+ { |
| 43 |
+ if (c != suppressed_chars) |
| 44 |
+ zbx_strcpy_alloc(&buf, &buf_alloc, &buf_offset, ", "); |
| 45 |
+ |
| 46 |
+ if (0 != isprint(*c)) |
| 47 |
+ zbx_chrcpy_alloc(&buf, &buf_alloc, &buf_offset, *c); |
| 48 |
+ else |
| 49 |
+ zbx_snprintf_alloc(&buf, &buf_alloc, &buf_offset, "0x%02x", *c); |
| 50 |
+ } |
| 51 |
+ |
| 52 |
+ zbx_snprintf(error, max_error_len, "special characters \"%s\" are not allowed in the parameters", buf); |
| 53 |
+ |
| 54 |
+ zbx_free(buf); |
| 55 |
+ |
| 56 |
+ return FAIL; |
| 57 |
+ } |
| 58 |
+ |
| 59 |
+ return SUCCEED; |
| 60 |
+} |
| 61 |
+ |
| 62 |
static int replace_param(const char *cmd, const char *param, char *out, int outlen, char *error, int max_error_len) |
| 63 |
{ |
| 64 |
int ret = SUCCEED; |
| 65 |
char buf[MAX_STRING_LEN]; |
| 66 |
char command[MAX_STRING_LEN]; |
| 67 |
char *pl, *pr; |
| 68 |
- const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@", *c; |
| 69 |
|
| 70 |
assert(out); |
| 71 |
|
| 72 |
@@ -305,25 +341,10 @@ |
| 73 |
{ |
| 74 |
get_param(param, (int)(pr[1] - '0'), buf, sizeof(buf)); |
| 75 |
|
| 76 |
- if (0 == CONFIG_UNSAFE_USER_PARAMETERS) |
| 77 |
- { |
| 78 |
- for (c = suppressed_chars; '\0' != *c; c++) |
| 79 |
- { |
| 80 |
- if (NULL != strchr(buf, *c)) |
| 81 |
- { |
| 82 |
- zbx_snprintf(error, max_error_len, "Special characters '%s'" |
| 83 |
- " are not allowed in the parameters", |
| 84 |
- suppressed_chars); |
| 85 |
- ret = FAIL; |
| 86 |
- break; |
| 87 |
- } |
| 88 |
- } |
| 89 |
- } |
| 90 |
+ if (SUCCEED != (ret = zbx_check_user_parameter(buf, error, max_error_len))) |
| 91 |
+ break; |
| 92 |
} |
| 93 |
|
| 94 |
- if (FAIL == ret) |
| 95 |
- break; |
| 96 |
- |
| 97 |
zbx_strlcat(out, buf, outlen); |
| 98 |
outlen -= MIN((int)strlen(buf), (int)outlen); |
Archives