Fixed arbitrary file read issue in Disk LogStream class.

The config.php file now contains an array "DiskAllowed" which lists the
allowed directories. Only files located within these allowed directories can be
accessed in LogAnalyzer. By default, only /var/log is allowed.
This commit is contained in:
Andre Lorbach 2012-05-22 15:50:49 +02:00
parent a0ffd04bfb
commit 185998a219
6 changed files with 58 additions and 3 deletions


@ -117,6 +117,29 @@ class LogStreamDisk extends LogStream {
* @return integer Error state * @return integer Error state
*/ */
public function Verify() { public function Verify() {
global $content;
// --- Check if Filename is within allowed directories!
$szFileDirName = dirname($this->_logStreamConfigObj->FileName);
$bIsAllowedDir = false;
foreach($content['DiskAllowed'] as $szAllowedDir)
{
if ( strpos($szAllowedDir, $szFileDirName) !== FALSE )
{
$bIsAllowedDir = true;
break;
}
}
if ( !$bIsAllowedDir )
{
global $extraErrorDescription;
$extraErrorDescription = GetAndReplaceLangStr( $content['LN_ERROR_PATH_NOT_ALLOWED_EXTRA'], $this->_logStreamConfigObj->FileName, implode(", ", $content['DiskAllowed']) );
return ERROR_PATH_NOT_ALLOWED;
}
// ---
// Check if file exists! // Check if file exists!
if(!file_exists($this->_logStreamConfigObj->FileName)) { if(!file_exists($this->_logStreamConfigObj->FileName)) {
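Review bot: The allowed-directory test `strpos($szAllowedDir, $szFileDirName) !== FALSE` has haystack and needle swapped, so it asks whether the file's directory occurs inside the allowed entry rather than the other way round: a file whose directory is a prefix of `/var/log/` (for example one directly under `/var`) is accepted, while a file in a subdirectory of `/var/log/` is rejected. Even with the arguments in the right order, `dirname()` on the raw configured name does not canonicalize `..` segments or symlinks, so the comparison should be made on `realpath()` output, with a trailing slash appended to both sides and an anchored prefix test (`=== 0`) instead of a substring search. `realpath()` returns false for a missing file, which should fail closed before the loop; the file_exists check that follows can stay as it is. Verify() continues past the end of the hunk.
```php
// --- Check if Filename is within allowed directories!
$szRealFile = realpath($this->_logStreamConfigObj->FileName);
$szFileDirName = ($szRealFile !== false) ? rtrim(dirname($szRealFile), '/') . '/' : false;
$bIsAllowedDir = false;
if ( $szFileDirName !== false )
{
    foreach($content['DiskAllowed'] as $szAllowedDir)
    {
        $szAllowedReal = realpath($szAllowedDir);
        // Anchored prefix test on canonical paths: the file's directory must lie below the allowed one
        if ( $szAllowedReal !== false && strpos($szFileDirName, rtrim($szAllowedReal, '/') . '/') === 0 )
        {
            $bIsAllowedDir = true;
            break;
        }
    }
}
// … unchanged: $extraErrorDescription and return ERROR_PATH_NOT_ALLOWED …
```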


@ -125,6 +125,10 @@ $CFG['Charts'][] = array ( "DisplayName" => "Severity Occurences", "chart_type"
$CFG['Charts'][] = array ( "DisplayName" => "Usage by Day", "chart_type" => CHART_CAKE, "chart_width" => 400, "chart_field" => SYSLOG_DATE, "maxrecords" => 10, "showpercent" => 1, "chart_enabled" => 1 ); $CFG['Charts'][] = array ( "DisplayName" => "Usage by Day", "chart_type" => CHART_CAKE, "chart_width" => 400, "chart_field" => SYSLOG_DATE, "maxrecords" => 10, "showpercent" => 1, "chart_enabled" => 1 );
// --- // ---
// --- Configure allowed directories for File base logstream sources
$CFG['DiskAllowed'][] = "/var/log/";
// ---
// --- Source Options // --- Source Options
/* Example for DiskType Source: /* Example for DiskType Source:
$CFG['Sources']['Source1']['ID'] = "Source1"; $CFG['Sources']['Source1']['ID'] = "Source1";
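Review bot: The new `$CFG['DiskAllowed']` entry is a security boundary, but the comment above it does not say so, nor that each entry is a directory path and further entries are added with the same `[]` form. Suggest extending the comment to `// --- Allowed directories for File based logstream sources (security boundary: only files below these directories can be read; add one $CFG['DiskAllowed'][] line per directory)`.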


@ -78,5 +78,6 @@ define('ERROR_DB_TRIGGERFAILED', 29);
define('ERROR_DB_CHECKSUMERROR', 30); define('ERROR_DB_CHECKSUMERROR', 30);
define('ERROR_DB_CHECKSUMCHANGEFAILED', 31); define('ERROR_DB_CHECKSUMCHANGEFAILED', 31);
define('ERROR_DB_ADDDBFIELDFAILED', 32); define('ERROR_DB_ADDDBFIELDFAILED', 32);
define('ERROR_PATH_NOT_ALLOWED', 33);
?> ?>


@ -66,7 +66,7 @@ $LANG_EN = "en"; // Used for fallback
$LANG = "en"; // Default language $LANG = "en"; // Default language
// Default Template vars // Default Template vars
$content['BUILDNUMBER'] = "3.4.1"; $content['BUILDNUMBER'] = "3.4.3";
$content['UPDATEURL'] = "http://loganalyzer.adiscon.com/files/version.txt"; $content['UPDATEURL'] = "http://loganalyzer.adiscon.com/files/version.txt";
$content['TITLE'] = "Adiscon LogAnalyzer :: Release " . $content['BUILDNUMBER']; // Default page title $content['TITLE'] = "Adiscon LogAnalyzer :: Release " . $content['BUILDNUMBER']; // Default page title
$content['BASEPATH'] = $gl_root_path; $content['BASEPATH'] = $gl_root_path;
@ -199,6 +199,10 @@ function InitPhpLogCon()
InitPhpDebugMode(); InitPhpDebugMode();
// --- // ---
// --- Init Allowed directories for DiskSources
InitDiskAllowedSources();
// ---
// --- Check and Remove Magic Quotes! // --- Check and Remove Magic Quotes!
RemoveMagicQuotes(); RemoveMagicQuotes();
// --- // ---
@ -1911,16 +1915,16 @@ function GetErrorMessage($errorCode)
return $content['LN_ERROR_DB_TABLENOTFOUND']; return $content['LN_ERROR_DB_TABLENOTFOUND'];
case ERROR_DB_DBFIELDNOTFOUND: case ERROR_DB_DBFIELDNOTFOUND:
return $content['LN_ERROR_DB_DBFIELDNOTFOUND']; return $content['LN_ERROR_DB_DBFIELDNOTFOUND'];
case ERROR_CHARTS_NOTCONFIGURED: case ERROR_CHARTS_NOTCONFIGURED:
return $content['LN_ERROR_CHARTS_NOTCONFIGURED']; return $content['LN_ERROR_CHARTS_NOTCONFIGURED'];
case ERROR_FILE_NOMORETIME: case ERROR_FILE_NOMORETIME:
return $content['LN_ERROR_FILE_NOMORETIME']; return $content['LN_ERROR_FILE_NOMORETIME'];
case ERROR_SOURCENOTFOUND: case ERROR_SOURCENOTFOUND:
return $content['LN_GEN_ERROR_SOURCENOTFOUND']; return $content['LN_GEN_ERROR_SOURCENOTFOUND'];
case ERROR_REPORT_NODATA: case ERROR_REPORT_NODATA:
return $content['LN_GEN_ERROR_REPORT_NODATA']; return $content['LN_GEN_ERROR_REPORT_NODATA'];
case ERROR_PATH_NOT_ALLOWED:
return $content['LN_ERROR_PATH_NOT_ALLOWED'];
default: default:
return GetAndReplaceLangStr( $content['LN_ERROR_UNKNOWN'], $errorCode ); return GetAndReplaceLangStr( $content['LN_ERROR_UNKNOWN'], $errorCode );
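Review bot: In the InitPhpLogCon() hunk, `InitDiskAllowedSources();` reads `$CFG['DiskAllowed']`, so placing it right after `InitPhpDebugMode();` only works if the config file has already been loaded at that point; that ordering is not visible in this hunk and is worth confirming, otherwise the helper silently falls back to its built-in default. A one-line comment stating the dependency, `// Must run after the config file is loaded: copies $CFG['DiskAllowed'] into $content`, would make the constraint explicit. InitPhpLogCon() and GetErrorMessage() both start and end outside their hunks.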


@ -614,6 +614,27 @@ function InitPhpLogConConfigFile($bHandleMissing = true)
} }
/*
* Helper function to load configured dbmappings from the database
*/
function InitDiskAllowedSources()
{
global $CFG, $content;
// Init Source Configs!
if ( isset($CFG['DiskAllowed']) )
{
// Copy Array to content array
$content['DiskAllowed'] = $CFG['DiskAllowed'];
}
else
{
// Set default
$content['DiskAllowed'][] = "/var/log/";
}
}
/* /*
* Helper function to load configured dbmappings from the database * Helper function to load configured dbmappings from the database
*/ */
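Review bot: The docblock above `function InitDiskAllowedSources()` is copied from the neighbouring helper and describes loading dbmappings from the database, which this function does not do. Replace it with `/* * Helper function to init $content['DiskAllowed'], the list of directories a Disk LogStream may read from; falls back to /var/log/ when the config does not set it. */`. Since this is the single place the list is built, it is also the natural point to normalize each entry (e.g. `realpath()` plus a trailing slash) so every consumer compares against canonical paths, and the `/var/log/` fallback duplicates the default in config.php, so a shared constant would keep the two from drifting.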


@ -355,6 +355,8 @@ $content['LN_REPORT_FILTERTYPE_STRING'] = "String";
$content['LN_GEN_SUCCESS_WHILEREPORTGEN'] = "Report was successfully generated"; $content['LN_GEN_SUCCESS_WHILEREPORTGEN'] = "Report was successfully generated";
$content['LN_GEN_ERROR_REPORTFAILEDTOGENERATE'] = "Failed to generate report, error details: %1"; $content['LN_GEN_ERROR_REPORTFAILEDTOGENERATE'] = "Failed to generate report, error details: %1";
$content['LN_GEN_SUCCESS_REPORTWASGENERATED_DETAILS'] = "Successfully generated report: %1"; $content['LN_GEN_SUCCESS_REPORTWASGENERATED_DETAILS'] = "Successfully generated report: %1";
$content['LN_ERROR_PATH_NOT_ALLOWED'] = "The file is not located in the allowed directories list (By default /var/log is allowed only).";
$content['LN_ERROR_PATH_NOT_ALLOWED_EXTRA'] = "The file '%1' is not located in one of these directories: '%2'";
$content['LN_CMD_RUNREPORT'] = "Generating saved report '%1'"; $content['LN_CMD_RUNREPORT'] = "Generating saved report '%1'";
$content['LN_CMD_REPORTIDNOTFOUND'] = "Invalid Report ID '%1'"; $content['LN_CMD_REPORTIDNOTFOUND'] = "Invalid Report ID '%1'";