From c42a2583f09d18d04327c15235ae5e7d7ab19eb0 Mon Sep 17 00:00:00 2001
From: Michael Friedrich
Date: Fri, 2 Aug 2019 13:22:36 +0200
Subject: [PATCH 1/2] Cluster sync: Only sync valid UTF8 content (text config, no binaries)
- *.conf files are sanitized automatically.
- Other files detect sanitizing and treat that as unsupported type
refs #7382
---
 lib/remote/apilistener-filesync.cpp | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/lib/remote/apilistener-filesync.cpp b/lib/remote/apilistener-filesync.cpp
index 79fa55b55..4aa381c43 100644
--- a/lib/remote/apilistener-filesync.cpp
+++ b/lib/remote/apilistener-filesync.cpp
@@ -794,12 +794,29 @@ void ApiListener::ConfigGlobHandler(ConfigDirInformation& config, const String&
 *
 * **Keep this intact to stay compatible with older clients.**
 */
- if (Utility::Match("*.conf", file))
+ String sanitizedContent = Utility::ValidateUTF8(content);
+
+ if (Utility::Match("*.conf", file)) {
 update = config.UpdateV1;
- else
+
+ // Configuration files should be automatically sanitized with UTF8.
+ update->Set(relativePath, sanitizedContent);
+ } else {
 update = config.UpdateV2;
 
- update->Set(relativePath, content);
+ /*
+ * Ensure that only valid UTF8 content is being read for the cluster config sync.
+ * Binary files are not supported when wrapped into JSON encoded messages.
+ * Rationale: https://github.com/Icinga/icinga2/issues/7382
+ */
+ if (content != sanitizedContent) {
+ Log(LogCritical, "ApiListener")
+ << "Ignoring file '" << file << "' for cluster config sync: Does not contain valid UTF8. Binary files are not supported.";
+ return;
+ }
+
+ update->Set(relativePath, content);
+ }
 
 /* Calculate a checksum for each file (and a global one later).
 *
From 20266cd1b1c5729ebe4069bd089f96dc83b3568f Mon Sep 17 00:00:00 2001
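Review bot: In the `*.conf` branch the file is stored as `sanitizedContent` with no log entry, so a config file holding invalid UTF-8 is synced to the other cluster nodes with different bytes than the file on disk and the operator is never told. A warning next to `update->Set(relativePath, sanitizedContent);` would leave an audit trail, e.g. `if (content != sanitizedContent) Log(LogWarning, "ApiListener") << "Replaced invalid UTF8 in '" << file << "' for cluster config sync.";`. The checksum calculation that follows lies outside the hunk; if it hashes `content` rather than the stored value, checksum and synced bytes would disagree for such files, which is worth confirming. ConfigGlobHandler starts and ends outside the hunk.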
From: Michael Friedrich Date: Fri, 2 Aug 2019 16:06:36 +0200 Subject: [PATCH 2/2] Docs: Add config sync restrictions to upgrading docs --- doc/16-upgrading-icinga-2.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/doc/16-upgrading-icinga-2.md b/doc/16-upgrading-icinga-2.md index 08e66aed4..e73d5e5bf 100644 --- a/doc/16-upgrading-icinga-2.md +++ b/doc/16-upgrading-icinga-2.md @@ -172,6 +172,15 @@ Since the config sync change detection now uses checksums, this may fail with anything else than syncing configuration text files. Syncing binary files were never supported, but rumors say that some users do so. +This is now prohibited and logged. + +``` +[2019-08-02 16:03:19 +0200] critical/ApiListener: Ignoring file '/etc/icinga2/zones.d/global-templates/forbidden.exe' for cluster config sync: Does not contain valid UTF8. Binary files are not supported. +Context: + (0) Creating config update for file '/etc/icinga2/zones.d/global-templates/forbidden.exe' + (1) Activating object 'api' of type 'ApiListener' +``` + Such binaries wrapped into JSON-RPC cluster messages may always cause changes and trigger reload loops. In order to prevent such harm in production, use infrastructure tools such as Foreman, Puppet, Ansible, etc. to install