mattm 14/10/29 22:38:38 Added: zbx7479.patch zbx8151.patch Log: Major version bump 2.4.1, totally experimental, has not been tested. Package masked. Do not install unless you are using a non-production system and can contribute to improving gentoo support for 2.4 and comment on bug 524010. (Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 786037A7)
Revision Changes Path 1.1 net-analyzer/zabbix/files/2.4/patches/zbx7479.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.4/patches/zbx7479.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.4/patches/zbx7479.patch?rev=1.1&content-type=text/plain
Index: zbx7479.patch
===================================================================
Index: src/libs/zbxsysinfo/sysinfo.c
===================================================================
--- src/libs/zbxsysinfo/sysinfo.c (revision 40348)
+++ src/libs/zbxsysinfo/sysinfo.c (working copy)
@@ -427,13 +427,49 @@
 test_aliases();
 }
+static int zbx_check_user_parameter(const char *param, char *error, int max_error_len)
+{
+ const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@\n", *c;
+ char *buf = NULL;
+ size_t buf_alloc = 128, buf_offset = 0;
+
+ if (0 != CONFIG_UNSAFE_USER_PARAMETERS)
+ return SUCCEED;
+
+ for (c = suppressed_chars; '\0' != *c; c++)
+ {
+ if (NULL == strchr(param, *c))
+ continue;
+
+ buf = zbx_malloc(buf, buf_alloc);
+
+ for (c = suppressed_chars; '\0' != *c; c++)
+ {
+ if (c != suppressed_chars)
+ zbx_strcpy_alloc(&buf, &buf_alloc, &buf_offset, ", ");
+
+ if (0 != isprint(*c))
+ zbx_chrcpy_alloc(&buf, &buf_alloc, &buf_offset, *c);
+ else
+ zbx_snprintf_alloc(&buf, &buf_alloc, &buf_offset, "0x%02x", *c);
+ }
+
+ zbx_snprintf(error, max_error_len, "special characters \"%s\" are not allowed in the parameters", buf);
+
+ zbx_free(buf);
+
+ return FAIL;
+ }
+
+ return SUCCEED;
+}
+
 static int replace_param(const char *cmd, const char *param, char *out, int outlen, char *error, int max_error_len)
 {
 int ret = SUCCEED;
 char buf[MAX_STRING_LEN];
 char command[MAX_STRING_LEN];
 char *pl, *pr;
- const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@", *c;
 assert(out);
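Review bot: In `zbx_check_user_parameter` the inner loop reuses the outer loop's cursor `c`, which is only safe because the function returns `FAIL` immediately after it; the outer loop is really just a membership test. `if (NULL == strpbrk(param, suppressed_chars)) return SUCCEED;` followed by a single loop that builds the message would state that directly and remove the shared-cursor trap. `isprint(*c)` should be `isprint((unsigned char)*c)`, since passing a plain `char` to the `<ctype.h>` functions is undefined for negative values. A header comment should record that this is a denylist (now including newline) checked against each positional parameter, and that the check is skipped entirely when `CONFIG_UNSAFE_USER_PARAMETERS` is non-zero.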
@@ -465,25 +501,10 @@
 {
 get_param(param, (int)(pr[1] - '0'), buf, sizeof(buf));
- if (0 == CONFIG_UNSAFE_USER_PARAMETERS)
- {
- for (c = suppressed_chars; '\0' != *c; c++)
- {
- if (NULL != strchr(buf, *c))
- {
- zbx_snprintf(error, max_error_len, "Special characters '%s'"
- " are not allowed in the parameters",
- suppressed_chars);
- ret = FAIL;
- break;
- }
- }
- }
+ if (SUCCEED != (ret = zbx_check_user_parameter(buf, error, max_error_len)))
+ break;
 }
- if (FAIL == ret)
- break;
-
 zbx_strlcat(out, buf, outlen);
 outlen -= MIN((int)strlen(buf), (int)outlen);
1.1 net-analyzer/zabbix/files/2.4/patches/zbx8151.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.4/patches/zbx8151.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.4/patches/zbx8151.patch?rev=1.1&content-type=text/plain
Index: zbx8151.patch
===================================================================
Index: frontends/php/include/defines.inc.php
===================================================================
--- frontends/php/include/defines.inc.php (revision 46596)
+++ frontends/php/include/defines.inc.php (revision 46655)
@@ -835,6 +835,14 @@
 define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts');
+// XML import flags
+// See ZBX-8151. Old version of libxml suffered from setting DTDLOAD and NOENT flags by default, which allowed
+// performing XXE attacks. Calling libxml_disable_entity_loader(true) also had no affect if flags passed to libxml
+// calls were 0 - so for better security with legacy libxml we need to call libxml_disable_entity_loader(true) AND
+// pass the LIBXML_NONET flag. Please keep in mind that LIBXML_NOENT actually EXPANDS entities, opposite to it's name -
+// so this flag is not needed here.
+define('LIBXML_IMPORT_FLAGS', LIBXML_NONET);
+
 // API errors
 define('ZBX_API_ERROR_INTERNAL', 111);
 define('ZBX_API_ERROR_PARAMETERS', 100);
Index: frontends/php/include/classes/import/readers/CXmlImportReader.php
===================================================================
--- frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46596)
+++ frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46655)
@@ -32,7 +32,8 @@
 */
 public function read($string) {
 libxml_use_internal_errors(true);
- $result = simplexml_load_string($string);
+ libxml_disable_entity_loader(true);
+ $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS);
 if (!$result) {
 $errors = libxml_get_errors();
 libxml_clear_errors();
Index: frontends/php/include/classes/import/CXmlImport18.php
===================================================================
--- frontends/php/include/classes/import/CXmlImport18.php (revision 46596)
+++ frontends/php/include/classes/import/CXmlImport18.php (revision 46655)
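Review bot: In frontends/php/include/defines.inc.php the new constant `LIBXML_IMPORT_FLAGS` is named in the `LIBXML_` prefix space that PHP's own libxml extension uses, while the neighbouring constants in this hunk all carry the `ZBX_` prefix. A reader will look for it in the PHP manual, and a built-in constant of the same name would presumably take precedence over this `define()`; `define('ZBX_LIBXML_IMPORT_FLAGS', LIBXML_NONET);` avoids both. The added comment is the only record of why `LIBXML_NOENT` must not be passed, so it is worth fixing its wording while here ("no affect" should be "no effect", "it's name" should be "its name").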
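Review bot: In CXmlImportReader::read() the added `libxml_disable_entity_loader(true);` is not scoped to this parse: it changes libxml state for the whole PHP worker and the previous value is never restored; the identical call added in CXmlImport18::import() has the same problem. XML loading that runs later in the same worker and depends on the entity loader (loading a document or schema by path, for example) can then fail in ways that are hard to trace back to an import. Keep the return value and restore it after parsing: `$previous = libxml_disable_entity_loader(true);` before the load and `libxml_disable_entity_loader($previous);` once the result and errors have been collected. The function is deprecated as of PHP 8.0, so the call will need a version guard when the frontend moves to a newer PHP. read() continues past the end of the hunk.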
@@ -390,12 +390,13 @@
 return $array;
 }
- public static function import($file) {
+ public static function import($source) {
 libxml_use_internal_errors(true);
+ libxml_disable_entity_loader(true);
 $xml = new DOMDocument();
- if (!$xml->loadXML($file)) {
+ if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) {
 $text = '';
 foreach (libxml_get_errors() as $error) {
 switch ($error->level) {
