This is a multi-part message in MIME format.
--------------090909050306080902030708
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
This patch implements basic in-form session tokens for cmd.cgi.
When a user is presented with the 'commit' button, a session
token is generated, consisting of a SHA1 hash made up of the user's name,
their source address and some few random numbers (seeded with
a very weak seed atm, but that can be fixed later). The session
data is stored on-disk in files named by the session ID, like so:
/tmp/.ncgi-form-session-tokens/
When we're about to write the command to Nagios, we check if
the user has a valid session before allowing the command to
go through. This ensures the user arrived at the command
submission page from one where he or she actively pressed the
"Commit" button.
Evil sites can still send unsuspecting Nagios admins to the
commit button, but unless that Nagios admin is thoroughly
stupid, he or she will not press it. Since we aren't guarding
against stupidity, this fix will do just fine.
Because form session tokens is a new invention in the world
of the Nagios CGI's, some users will have problems with it.
To facilitate the primary help channel (nagios-users@), we
tell the user (briefly) what went wrong when submitting a
command in case the form session token failed to validate.
Reported-by: Tim Starling
Signed-off-by: Andreas Ericsson
---
cgi/Makefile.in | 7 +-
cgi/cmd.c | 22 +++-
cgi/form_session.c | 432 ++++++++++++++++++++++++++++++++++++++++++++++++++++
cgi/form_session.h | 5 +
cgi/sha1.c | 151 ++++++++++++++++++
cgi/sha1.h | 50 ++++++
6 files changed, 664 insertions(+), 3 deletions(-)
create mode 100644 cgi/form_session.c
create mode 100644 cgi/form_session.h
create mode 100644 cgi/sha1.c
create mode 100644 cgi/sha1.h
--------------090909050306080902030708
Content-Type: text/x-patch;
name="0d0cc7c51a6306a95eed9a597ac9c538d2d1f41f.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="0d0cc7c51a6306a95eed9a597ac9c538d2d1f41f.diff"
diff --git a/cgi/Makefile.in b/cgi/Makefile.in
index 036065c..acdebe2 100644
--- a/cgi/Makefile.in
+++ b/cgi/Makefile.in
@@ -54,6 +54,9 @@ XDDH=@XDDH@
# Generated automatically from configure script
SNPRINTF_O=@SNPRINTF_O@
+# Anti-CSRF deps
+CSRFDEPS=sha1.o form_session.o extcmd_list.o
+
# Object functions
ODATALIBS=objects-cgi.o xobjects-cgi.o
ODATAHDRS=
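Review bot: The new `CSRFDEPS=sha1.o form_session.o extcmd_list.o` line bundles extcmd_list.o under a variable commented as `# Anti-CSRF deps`, although extcmd_list.o was already linked into cmd.cgi before this change and has nothing to do with the session token; a reader looking for the CSRF-related objects is misled about what the variable covers. Keeping `CSRFDEPS=sha1.o form_session.o` and leaving `extcmd_list.o` explicit on the cmd.cgi rule (the second hunk of this file) would keep the name honest. No explicit rules for sha1.o or form_session.o appear in these hunks, so their build presumably relies on an implicit .c to .o rule — worth confirming against the rest of Makefile.in.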
@@ -130,8 +133,8 @@ avail.cgi: avail.c $(CGIDEPS)
checksanity.cgi: checksanity.c $(CGIDEPS) $(CDATADEPS) $(DDATADEPS)
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ checksanity.c $(CGILIBS) $(CDATALIBS) $(DDATALIBS) $(LIBS)
-cmd.cgi: cmd.c $(CGIDEPS) $(CDATADEPS) $(DDATADEPS) extcmd_list.o
- $(CC) $(CFLAGS) $(LDFLAGS) -o $@ cmd.c extcmd_list.o $(CGILIBS) $(CDATALIBS) $(DDATALIBS) $(LIBS)
+cmd.cgi: cmd.c $(CGIDEPS) $(CDATADEPS) $(DDATADEPS) $(CSRFDEPS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ cmd.c $(CSRFDEPS) $(CGILIBS) $(CDATALIBS) $(DDATALIBS) $(LIBS)
config.cgi: config.c $(CGIDEPS)
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ config.c $(CGILIBS) $(LIBS)
diff --git a/cgi/cmd.c b/cgi/cmd.c
index 927eebf..3a9e76d 100644
--- a/cgi/cmd.c
+++ b/cgi/cmd.c
@@ -30,6 +30,7 @@
#include "../include/cgiutils.h"
#include "../include/cgiauth.h"
#include "../include/getcgi.h"
+#include "form_session.h"
extern const char *extcmd_get_name(int id);
@@ -54,7 +55,6 @@ extern comment *comment_list;
extern int date_format;
-
#define MAX_AUTHOR_LENGTH 64
#define MAX_COMMENT_LENGTH 1024
@@ -638,6 +638,13 @@ int process_cgivars(void){
/* we found the broadcast notification option */
else if(!strcmp(variables[x],"broadcast_notification"))
broadcast_notification=NOTIFICATION_OPTION_BROADCAST;
+ else if(!strcmp(variables[x],"ncgi_session_id")) {
+ if(variables[++x]==NULL) {
+ error=TRUE;
+ break;
+ }
+ ncgi_session_id = strdup(variables[x]);
+ }
}
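Review bot: The result of `ncgi_session_id = strdup(variables[x]);` is never checked, so an allocation failure silently leaves ncgi_session_id NULL and whatever later validates the token (not in this excerpt) has to cope with a missing value; `if((ncgi_session_id = strdup(variables[x])) == NULL) { error=TRUE; break; }` treats it the same way as the missing-argument case two lines above. If the ncgi_session_id parameter appears more than once in the query, each occurrence overwrites the previous pointer without releasing it, a small leak that `free(ncgi_session_id);` before the strdup would avoid. process_cgivars() begins and ends outside this hunk, so it is not visible where ncgi_session_id is declared or whether it is initialised to NULL.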
@@ -655,6 +662,7 @@ void request_command_data(int cmd){
char buffer[MAX_INPUT_BUFFER];
contact *temp_contact;
scheduled_downtime *temp_downtime;
+ co
...[email truncated]...