tyler.durden
/
icinga2
mirror of https://github.com/Icinga/icinga2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix HTTP handlers 

refs #9768
This commit is contained in:
Gunnar Beutner 2015-07-29 13:39:58 +02:00
parent 2414dee602
commit f74148f157
6 changed files with 30 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/remote/configfileshandler.cpp
View File

@ -55,15 +55,15 @@ void ConfigFilesHandler::HandleGet(const ApiUser::Ptr& user, HttpRequest& reques
params->Set("path", boost::algorithm::join(tmpPath, "/"));
}
String moduleName = params->Get("module");
String stageName = params->Get("stage");
String moduleName = HttpUtility::GetLastParameter(params, "module");
String stageName = HttpUtility::GetLastParameter(params, "stage");
if (!ConfigModuleUtility::ValidateName(moduleName) || !ConfigModuleUtility::ValidateName(stageName)) {
response.SetStatus(403, "Forbidden");
return;
}
String relativePath = params->Get("path");
String relativePath = HttpUtility::GetLastParameter(params, "path");
if (ConfigModuleUtility::ContainsDotDot(relativePath)) {
response.SetStatus(403, "Forbidden");

4
lib/remote/configmoduleshandler.cpp
View File

@ -71,7 +71,7 @@ void ConfigModulesHandler::HandlePost(const ApiUser::Ptr& user, HttpRequest& req
if (request.RequestUrl->GetPath().size() >= 4)
params->Set("module", request.RequestUrl->GetPath()[3]);
String moduleName = params->Get("module");
String moduleName = HttpUtility::GetLastParameter(params, "module");
if (!ConfigModuleUtility::ValidateName(moduleName)) {
response.SetStatus(403, "Forbidden");
@ -111,7 +111,7 @@ void ConfigModulesHandler::HandleDelete(const ApiUser::Ptr& user, HttpRequest& r
if (request.RequestUrl->GetPath().size() >= 4)
params->Set("module", request.RequestUrl->GetPath()[3]);
String moduleName = params->Get("module");
String moduleName = HttpUtility::GetLastParameter(params, "module");
if (!ConfigModuleUtility::ValidateName(moduleName)) {
response.SetStatus(403, "Forbidden");

10
lib/remote/configstageshandler.cpp
View File

@ -55,8 +55,8 @@ void ConfigStagesHandler::HandleGet(const ApiUser::Ptr& user, HttpRequest& reque
if (request.RequestUrl->GetPath().size() >= 5)
params->Set("stage", request.RequestUrl->GetPath()[4]);
String moduleName = params->Get("module");
String stageName = params->Get("stage");
String moduleName = HttpUtility::GetLastParameter(params, "module");
String stageName = HttpUtility::GetLastParameter(params, "stage");
if (!ConfigModuleUtility::ValidateName(moduleName) || !ConfigModuleUtility::ValidateName(stageName)) {
response.SetStatus(403, "Forbidden");
@ -91,7 +91,7 @@ void ConfigStagesHandler::HandlePost(const ApiUser::Ptr& user, HttpRequest& requ
if (request.RequestUrl->GetPath().size() >= 4)
params->Set("module", request.RequestUrl->GetPath()[3]);
String moduleName = params->Get("module");
String moduleName = HttpUtility::GetLastParameter(params, "module");
if (!ConfigModuleUtility::ValidateName(moduleName)) {
response.SetStatus(403, "Forbidden");
@ -144,8 +144,8 @@ void ConfigStagesHandler::HandleDelete(const ApiUser::Ptr& user, HttpRequest& re
if (request.RequestUrl->GetPath().size() >= 5)
params->Set("stage", request.RequestUrl->GetPath()[4]);
String moduleName = params->Get("module");
String stageName = params->Get("stage");
String moduleName = HttpUtility::GetLastParameter(params, "module");
String stageName = HttpUtility::GetLastParameter(params, "stage");
if (!ConfigModuleUtility::ValidateName(moduleName) || !ConfigModuleUtility::ValidateName(stageName)) {
response.SetStatus(403, "Forbidden");

8
lib/remote/filterutility.cpp
View File

@ -18,10 +18,12 @@
******************************************************************************/
#include "remote/filterutility.hpp"
#include "remote/httputility.hpp"
#include "config/configcompiler.hpp"
#include "config/expression.hpp"
#include "base/json.hpp"
#include "base/dynamictype.hpp"
#include "base/logger.hpp"
#include <boost/foreach.hpp>
#include <boost/algorithm/string.hpp>
@ -99,8 +101,10 @@ std::vector<DynamicObject::Ptr> FilterUtility::GetFilterTargets(const QueryDescr
if (!query->Contains("type"))
BOOST_THROW_EXCEPTION(std::invalid_argument("Type must be specified when using a filter."));
String filter = query->Get("filter");
String type = query->Get("type");
String filter = HttpUtility::GetLastParameter(query, "filter");
String type = HttpUtility::GetLastParameter(query, "type");
Log(LogInformation, "FilterUtility", filter);
Type::Ptr utype = Type::GetByName(type);

13
lib/remote/httputility.cpp
View File

@ -56,4 +56,17 @@ void HttpUtility::SendJsonBody(HttpResponse& response, const Value& val)
response.WriteBody(body.CStr(), body.GetLength());
}
String HttpUtility::GetLastParameter(const Dictionary::Ptr& params, const String& key)
{
Value varr = params->Get(key);
if (!varr.IsObjectType<Array>())
return varr;
Array::Ptr arr = varr;
if (arr->GetLength() == 0)
return String();
else
return arr->Get(arr->GetLength() - 1);
}

1
lib/remote/httputility.hpp
View File

@ -38,6 +38,7 @@ class I2_REMOTE_API HttpUtility
public:
static Dictionary::Ptr FetchRequestParameters(HttpRequest& request);
static void SendJsonBody(HttpResponse& response, const Value& val);
static String GetLastParameter(const Dictionary::Ptr& params, const String& key);
};
}