[icinga-checkins] icinga.org: icinga-core/feature/url-cgi-path-6459: classic-ui: Fix CSRF protection in cmd.cgi matches only complied in URL #6459

git at icinga.org git at icinga.org
Thu Jun 12 00:31:57 CEST 2014


Module: icinga-core
Branch: feature/url-cgi-path-6459
Commit: b951c4d6a878aee51b49fe99fcc7b7448fc1bd75
URL:    https://git.icinga.org/?p=icinga-core.git;a=commit;h=b951c4d6a878aee51b49fe99fcc7b7448fc1bd75

Author: Ricardo Bartels <ricardo at bitchbrothers.com>
Date:   Thu Jun 12 00:29:16 2014 +0200

classic-ui: Fix CSRF protection in cmd.cgi matches only complied in URL #6459

Fixed and tested. Also visible in config.cgi now.

refs: #6459

---

 Changelog                                            |    7 +++++++
 cgi/cgiutils.c                                       |    6 ++++--
 cgi/config.c                                         |    4 ++++
 sample-config/updates/cgi.cfg_added_1.11_to_1.12.cfg |   16 ++++++++++++++++
 4 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/Changelog b/Changelog
index 8a130e8..45b6eaf 100644
--- a/Changelog
+++ b/Changelog
@@ -20,6 +20,13 @@ NEWS
 
 * Mailinglists have been migrated to icinga.org. Please check https://www.icinga.org/support for details!
 
+1.11.5 - XX/XX/2014
+
+FIXES
+
+* classic ui: Fix CSRF protection in cmd.cgi matches only complied in URL #6459 - MF
+
+
 1.11.4 - 28/05/2014
 
 FIXES
diff --git a/cgi/cgiutils.c b/cgi/cgiutils.c
index 234fd18..5aa0b54 100644
--- a/cgi/cgiutils.c
+++ b/cgi/cgiutils.c
@@ -528,8 +528,8 @@ int read_cgi_config_file(char *filename) {
 			url_cgi_path[sizeof(url_cgi_path) - 1] = '\x0';
 
 			strip(url_cgi_path);
-			if (url_cgi_path[strlen(url_cgi_path) - 1] != '/' && (strlen(url_cgi_path) < sizeof(url_cgi_path) - 1))
-				strcat(url_cgi_path, "/");
+			if (url_cgi_path[strlen(url_cgi_path) - 1] == '/')
+				url_cgi_path[strlen(url_cgi_path) - 1] = '\x0';
 
 		}
 
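Review bot: The new trailing-slash check still indexes `url_cgi_path[strlen(url_cgi_path) - 1]`, which reads one byte before the array when the stripped value is empty, since a length of 0 wraps the index to SIZE_MAX; an empty value looks reachable if the directive is given without a value, given that the later `!strcmp(url_cgi_path, "")` branch exists to handle exactly that. Suggest caching the length and guarding it: `size_t len = strlen(url_cgi_path);` / `if (len > 0 && url_cgi_path[len - 1] == '/')` / `url_cgi_path[len - 1] = '\x0';`. Note that only one trailing slash is removed, so a value ending in `//` still ends in a slash after normalization; if that is intended it is worth a short comment on the line. read_cgi_config_file starts and ends outside this hunk.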
@@ -830,6 +830,8 @@ int read_cgi_config_file(char *filename) {
 		snprintf(url_stylesheets_path, sizeof(url_stylesheets_path), "%sstylesheets/", url_html_path);
 		url_stylesheets_path[sizeof(url_stylesheets_path) - 1] = '\x0';
 	}
+
+	/* check if cgi path was set */
 	if (!strcmp(url_cgi_path, "")) {
 		snprintf(url_cgi_path, sizeof(url_cgi_path), "%s", DEFAULT_URL_CGIBIN_PATH);
 		url_cgi_path[sizeof(url_cgi_path) - 1] = '\x0';
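Review bot: The default copied from `DEFAULT_URL_CGIBIN_PATH` is not passed through the trailing-slash normalization that a configured value now receives in the earlier hunk, so if the macro ends in `/` the default and configured cases would hand the CSRF check differently shaped paths. I cannot see the macro's value in this diff, so this may already hold; either apply the same strip after the snprintf or state the precondition next to the new comment, e.g. `/* default is used verbatim: it must not carry a trailing slash, see the strip above */`. read_cgi_config_file continues outside this hunk.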
diff --git a/cgi/config.c b/cgi/config.c
index a2c9c14..7bdde0c 100644
--- a/cgi/config.c
+++ b/cgi/config.c
@@ -92,6 +92,7 @@ extern char *service_warning_sound;
 extern char *splunk_url;
 extern char *statusmap_background_image;
 extern char url_html_path[MAX_FILENAME_LENGTH];
+extern char url_cgi_path[MAX_FILENAME_LENGTH];
 extern char url_logo_images_path[MAX_FILENAME_LENGTH];
 extern char url_stylesheets_path[MAX_FILENAME_LENGTH];
 
@@ -220,6 +221,7 @@ char *org_service_warning_sound = "";
 char *org_splunk_url = "";
 char *org_statusmap_background_image = "";
 char *org_url_html_path = "";
+char *org_url_cgi_path = "";
 char *org_url_stylesheets_path = "";
 
 int org_add_notif_num_hard;
@@ -4140,6 +4142,7 @@ void display_cgiconfig(void) {
 	PRINT_CONFIG_LINE_INT(tab_friendly_titles, org_tab_friendly_titles, "bool")
 	PRINT_CONFIG_LINE_INT(tac_show_only_hard_state, org_tac_show_only_hard_state, "bool")
 	PRINT_CONFIG_LINE_STRING(url_html_path, org_url_html_path)
+	PRINT_CONFIG_LINE_STRING(url_cgi_path, org_url_cgi_path)
 	PRINT_CONFIG_LINE_STRING(url_stylesheets_path, org_url_stylesheets_path)
 	PRINT_CONFIG_LINE_INT(use_authentication, org_use_authentication, "bool")
 	PRINT_CONFIG_LINE_INT(use_logging, org_use_logging, "bool")
@@ -4529,6 +4532,7 @@ void store_default_settings(void) {
 	org_splunk_url = strdup(splunk_url);
 	org_statusmap_background_image = strdup(statusmap_background_image);
 	org_url_html_path = strdup(url_html_path);
+	org_url_cgi_path = strdup(url_cgi_path);
 	org_url_stylesheets_path = strdup(url_stylesheets_path);
 
 	org_add_notif_num_hard = add_notif_num_hard;
diff --git a/sample-config/updates/cgi.cfg_added_1.11_to_1.12.cfg b/sample-config/updates/cgi.cfg_added_1.11_to_1.12.cfg
new file mode 100644
index 0000000..8e9064d
--- /dev/null
+++ b/sample-config/updates/cgi.cfg_added_1.11_to_1.12.cfg
@@ -0,0 +1,16 @@
+#################################################################
+# These are newly ADDED config options for CGI.CFG only.
+#
+# NOTE: Update your existing configuration with those new ones,
+#	if needed. You are advised to do so, in order to get the
+#	full Icinga experience!
+#################################################################
+
+# URL CGI PATH
+# This is the path portion of the URL that corresponds to the
+# physical location of the Icinga CGI files. It is evaluated by
+# the cmd.cgi CSRF protection.
+# This value should be changed if the CGI files are accessible
+# under a different path than the default installation path.
+
+#url_cgi_path=@htmurl@/cgi-bin
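Review bot: The description of url_cgi_path does not tell an operator whether `/icinga/cgi-bin` and `/icinga/cgi-bin/` are treated the same, although the accompanying change in cgi/cgiutils.c drops a single trailing slash from the configured value. Suggest adding one line after the existing description: `# A single trailing slash is ignored.` so that the sample documents the normalization the code performs.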


