tyler.durden
/
icinga2
mirror of https://github.com/Icinga/icinga2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8828 from Icinga/bugfix/execute-command-origin-check 

event::ExecuteCommand: add missing origin check
This commit is contained in:
Alexander Aleksandrovič Klimov 2021-06-29 18:08:07 +02:00 committed by GitHub
parent 692f5aa615 8f585bd2ee
commit 31f97d3e6a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
lib/icinga/clusterevents.cpp
View File

@ -736,6 +736,31 @@ Value ClusterEvents::ExecuteCommandAPIHandler(const MessageOrigin::Ptr& origin,
if (!listener)
return Empty;
if (!origin->IsLocal()) {
Endpoint::Ptr endpoint = origin->FromClient->GetEndpoint();
/* Discard messages from anonymous clients */
if (!endpoint) {
Log(LogNotice, "ClusterEvents") << "Discarding 'execute command' message from '"
<< origin->FromClient->GetIdentity() << "': Invalid endpoint origin (client not allowed).";
return Empty;
}
Zone::Ptr originZone = endpoint->GetZone();
Zone::Ptr localZone = Zone::GetLocalZone();
bool fromLocalZone = originZone == localZone;
Zone::Ptr parentZone = localZone->GetParent();
bool fromParentZone = parentZone && originZone == parentZone;
if (!fromLocalZone && !fromParentZone) {
Log(LogNotice, "ClusterEvents") << "Discarding 'execute command' message from '"
<< origin->FromClient->GetIdentity() << "': Unauthorized access.";
return Empty;
}
}
if (params->Contains("endpoint")) {
Endpoint::Ptr execEndpoint = Endpoint::GetByName(params->Get("endpoint"));