Diffstat (limited to 'net-analyzer/zabbix/files/2.2/patches')
-rw-r--r-- | net-analyzer/zabbix/files/2.2/patches/zbx7479.patch | 83 | ||||
-rw-r--r-- | net-analyzer/zabbix/files/2.2/patches/zbx8151.patch | 53 |
2 files changed, 136 insertions, 0 deletions
diff --git a/net-analyzer/zabbix/files/2.2/patches/zbx7479.patch b/net-analyzer/zabbix/files/2.2/patches/zbx7479.patch
new file mode 100644
index 000000000000..79bb92f4bae0
--- /dev/null
+++ b/net-analyzer/zabbix/files/2.2/patches/zbx7479.patch
@@ -0,0 +1,83 @@
+Index: src/libs/zbxsysinfo/sysinfo.c
+===================================================================
+--- src/libs/zbxsysinfo/sysinfo.c (revision 40348)
++++ src/libs/zbxsysinfo/sysinfo.c (working copy)
+@@ -427,13 +427,49 @@
+ test_aliases();
+ }
+
++static int zbx_check_user_parameter(const char *param, char *error, int max_error_len)
++{
++ const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@\n", *c;
++ char *buf = NULL;
++ size_t buf_alloc = 128, buf_offset = 0;
++
++ if (0 != CONFIG_UNSAFE_USER_PARAMETERS)
++ return SUCCEED;
++
++ for (c = suppressed_chars; '\0' != *c; c++)
++ {
++ if (NULL == strchr(param, *c))
++ continue;
++
++ buf = zbx_malloc(buf, buf_alloc);
++
++ for (c = suppressed_chars; '\0' != *c; c++)
++ {
++ if (c != suppressed_chars)
++ zbx_strcpy_alloc(&buf, &buf_alloc, &buf_offset, ", ");
++
++ if (0 != isprint(*c))
++ zbx_chrcpy_alloc(&buf, &buf_alloc, &buf_offset, *c);
++ else
++ zbx_snprintf_alloc(&buf, &buf_alloc, &buf_offset, "0x%02x", *c);
++ }
++
++ zbx_snprintf(error, max_error_len, "special characters \"%s\" are not allowed in the parameters", buf);
++
++ zbx_free(buf);
++
++ return FAIL;
++ }
++
++ return SUCCEED;
++}
++
+ static int replace_param(const char *cmd, const char *param, char *out, int outlen, char *error, int max_error_len)
+ {
+ int ret = SUCCEED;
+ char buf[MAX_STRING_LEN];
+ char command[MAX_STRING_LEN];
+ char *pl, *pr;
+- const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@", *c;
+
+ assert(out);
+
+@@ -465,25 +501,10 @@
+ {
+ get_param(param, (int)(pr[1] - '0'), buf, sizeof(buf));
+
+- if (0 == CONFIG_UNSAFE_USER_PARAMETERS)
+- {
+- for (c = suppressed_chars; '\0' != *c; c++)
+- {
+- if (NULL != strchr(buf, *c))
+- {
+- zbx_snprintf(error, max_error_len, "Special characters '%s'"
+- " are not allowed in the parameters",
+- suppressed_chars);
+- ret = FAIL;
+- break;
+- }
+- }
+- }
++ if (SUCCEED != (ret = zbx_check_user_parameter(buf, error, max_error_len)))
++ break;
+ }
+
+- if (FAIL == ret)
+- break;
+-
+ zbx_strlcat(out, buf, outlen);
+ outlen -= MIN((int)strlen(buf), (int)outlen);
+
diff --git a/net-analyzer/zabbix/files/2.2/patches/zbx8151.patch b/net-analyzer/zabbix/files/2.2/patches/zbx8151.patch
new file mode 100644
index 000000000000..076e10ab75a4
--- /dev/null
+++ b/net-analyzer/zabbix/files/2.2/patches/zbx8151.patch
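Review bot: In `zbx_check_user_parameter` the inner loop that builds the error text reuses the outer iterator `c`, so the scan is only correct because that branch ends in an unconditional `return FAIL`; a separate iterator such as `const char *p` for the inner loop would keep a later edit from silently cutting the scan short. `isprint(*c)` is passed a plain `char`; `isprint((unsigned char)*c)` is the defined form, although every byte in `suppressed_chars` is ASCII today. The helper also has no header comment, and I would add one along the lines of `/* reject the characters in suppressed_chars (now including newline) in user parameter arguments unless CONFIG_UNSAFE_USER_PARAMETERS is set */`, noting that this is a denylist and therefore only as complete as that string. The body of `replace_param` continues outside the hunk.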
@@ -0,0 +1,53 @@
+Index: frontends/php/include/defines.inc.php
+===================================================================
+--- frontends/php/include/defines.inc.php (revision 46596)
++++ frontends/php/include/defines.inc.php (revision 46655)
+@@ -835,6 +835,14 @@
+
+ define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts');
+
++// XML import flags
++// See ZBX-8151. Old version of libxml suffered from setting DTDLOAD and NOENT flags by default, which allowed
++// performing XXE attacks. Calling libxml_disable_entity_loader(true) also had no affect if flags passed to libxml
++// calls were 0 - so for better security with legacy libxml we need to call libxml_disable_entity_loader(true) AND
++// pass the LIBXML_NONET flag. Please keep in mind that LIBXML_NOENT actually EXPANDS entities, opposite to it's name -
++// so this flag is not needed here.
++define('LIBXML_IMPORT_FLAGS', LIBXML_NONET);
++
+ // API errors
+ define('ZBX_API_ERROR_INTERNAL', 111);
+ define('ZBX_API_ERROR_PARAMETERS', 100);
+Index: frontends/php/include/classes/import/readers/CXmlImportReader.php
+===================================================================
+--- frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46596)
++++ frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46655)
+@@ -32,7 +32,8 @@
+ */
+ public function read($string) {
+ libxml_use_internal_errors(true);
+- $result = simplexml_load_string($string);
++ libxml_disable_entity_loader(true);
++ $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS);
+ if (!$result) {
+ $errors = libxml_get_errors();
+ libxml_clear_errors();
+Index: frontends/php/include/classes/import/CXmlImport18.php
+===================================================================
+--- frontends/php/include/classes/import/CXmlImport18.php (revision 46596)
++++ frontends/php/include/classes/import/CXmlImport18.php (revision 46655)
+@@ -390,12 +390,13 @@
+ return $array;
+ }
+
+- public static function import($file) {
++ public static function import($source) {
+
+ libxml_use_internal_errors(true);
++ libxml_disable_entity_loader(true);
+
+ $xml = new DOMDocument();
+- if (!$xml->loadXML($file)) {
++ if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) {
+ $text = '';
+ foreach (libxml_get_errors() as $error) {
+ switch ($error->level) { |
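Review bot: `libxml_disable_entity_loader(true)` in `read()` and `import()` changes a process-wide libxml setting, and the visible lines never put it back, so a later XML load in the same request that legitimately needs the entity loader (a document or schema loaded from a path, for instance) would presumably fail. The function returns the previous value, so `$prev = libxml_disable_entity_loader(true);` before parsing and `libxml_disable_entity_loader($prev);` afterwards keeps the XXE hardening scoped to the import. Both function bodies continue past the hunk, so a restore may already exist below. As a style point, `LIBXML_IMPORT_FLAGS` uses the extension's own constant prefix; a `ZBX_`-prefixed name would avoid it being mistaken for, or colliding with, a real libxml constant.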