Skip to content
This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

fix(security): fix vulnerability for file loading #7227

Merged
merged 33 commits into from
Mar 22, 2019
Merged

fix(security): fix vulnerability for file loading #7227

merged 33 commits into from
Mar 22, 2019

Conversation

victorvassilev
Copy link
Contributor

@victorvassilev victorvassilev commented Feb 26, 2019
edited by miteto
Loading

Disallow inclusion of files from incorrect folders in broker performance.
Resolves: MON-3312

Description

Disallow remote file inclusion, outside of the proper folder

Fixes # 3312

Type of change

  • Patch fixing an issue (non-breaking change)

Target serie

  • 18.10.x

How this pull request can be tested ?

This refers to #7101

@victorvassilev
fix(security): fix vulnearability for file loading
8af1013 
Disallow inclusion of files from incorrect folders in broker performance.
Resolves: MON-3312
@victorvassilev victorvassilev mentioned this pull request Feb 26, 2019
Closed
@sc979 sc979 changed the title fix(security): fix vulnearability for file loading fix(security): fix vulnerability for file loading Feb 26, 2019
@miteto miteto self-requested a review February 26, 2019 10:16
@loiclau
feat(clapi) add acknowledgement in clapi
26e5e7f 
* add acknowledgement by clapi
* add doc
* add acceptance
miteto and others added 17 commits February 28, 2019 14:52
@miteto
fix(deadCode): removing file unused since a previous major release (#…
3b2b1d1 
…7229)
@lpinsivy
enh(doc): improved English documentation, thanks to jefestyler (#7238)
b764df4
@lpinsivy
fix(doc): add entry in toc and correct table format
25e5615
@lpinsivy
Doc improve install chapters (#7239)
6e95387 
* fix(doc): readd quickstart shortlink
* enh(doc): add configuration of proxy in post installation
@kduret
fix(front): manage properly session expiration + avoid login inception (
a7ec3f4 
#7202)
@kduret
fix(sec): allow to set illegal characters for centcore (#7206)
5b329e1 
* fix(sec): allow to set illegal characters for centcore

* add french translation for centcore illegal characters

* update properly centcore parameter in database

* move upgrade script
@sc979
fix(secu): rce vulnerability when using command's testing feature (#7232
14ec44c 
)

* fix(secu): Authenticated RCE in minPlayCommand.php
Concatenation of unsanitized command_hostaddress GET parameter to shell_exec leads to remote code execution.

* fix: rce vulnerability when using testing feature
* release note for 19.04.0
* style(PSR2)
@sc979
enh(CI): fixing UTF warnings
dfb7d9d
@loiclau
feat(API) API to Get/Set/Export/Import Command Arg Descriptions
8af3989
@loiclau
feat(API) Add showinstance CLAPI command to Host (#7199)
0119555
@lpinsivy
enh(doc): Improved disk space calculation table
bcee00b
@lpinsivy
enh(doc): add workbook to calculate the size of the platform
eb69fe8
@adr-mo
doc(release notes): Add missing release notes from 2.8.x
09dc98f
@lpinsivy
enh(doc): improve poller configuration
da8c109 
Conflicts:
	doc/en/administration_guide/poller/wizard_add_poller.rst
@lpinsivy
Merge branch '18.10.x' of https://github.com/centreon/centreon into 1…
0a07469 
…8.10.x
@lpinsivy
enh(doc): Add custom code description for SNMP trap
cd4eb50
@lpinsivy
fix(doc): Remove 2.5 description in trap documentation
4a84a28
lpinsivy and others added 13 commits March 6, 2019 09:04
@lpinsivy
enh(doc): add order of achievement of actions by the centreontrapd pr…
f333169 
…ocess
@lpinsivy
fix(doc): correct location of database conf for trap on poller - ref #…
7318b9e 
…7011
@lpinsivy
fix(doc): correct typo
579ee55
@lpinsivy
fix(doc): remove unsued image
1dcf07d
@s-duret @lpinsivy
fix(doc): enable services after remote server installation (#7027)
c07e2b9 
* fix(doc): enable services after remote server installation
* fix(doc): add enable_services.rst
@Pilow974 @lpinsivy
enh(doc): Update upgradetoCentreon18.10.rst (#6934)
9cdaf21 
Update FR & EN chapter to manage MySQL migration from Centreon 3.4.x to Centreon 18.10.x
@lpinsivy
fix(doc): describe directory of XML files for partitioning
211bb43
@EdytaSki
enh(ui) : indent third level menu (#7251)
cc82e41
@sc979
enh(DT): fix search filter for recurrent downtimes (#7201)
76c584c
@sc979
Mon 3112 fix source install (#7160)
076bc45 
* fix(install): fix installation from sources on 18.10.x
@victorvassilev
fix(security): fix vulnearability for file loading
76bd181 
Disallow inclusion of files from incorrect folders in broker performance.
Resolves: MON-3312
@sc979 @victorvassilev
style: psr2
64f7e20
@victorvassilev
Merge branch 'mon-3312-vulnerability-fix' of https://github.com/centr…
d431785 
…eon/centreon into mon-3312-vulnerability-fix
@victorvassilev victorvassilev merged commit 1de4a4a into 18.10.x Mar 22, 2019
@victorvassilev victorvassilev deleted the mon-3312-vulnerability-fix branch March 22, 2019 08:41
lpinsivy pushed a commit that referenced this pull request Jul 15, 2020
@victorvassilev @lpinsivy
fix(security): fix vulnerability for file loading (#7227)
e6f7d6e
@lpinsivy lpinsivy mentioned this pull request Jul 15, 2020
Merged
13 tasks
lpinsivy added a commit that referenced this pull request Jul 16, 2020
@lpinsivy
fix(security): fix vulnerability for file loading (#7227) (#8847)
7c218d2 
* fix(security): fix vulnerability for file loading (#7227)
* fix(code): fix PSR2
* fix(code): correct variable name
Co-authored-by: victorvassilev <acedweb@gmail.com>
lpinsivy added a commit that referenced this pull request Jul 16, 2020
@lpinsivy
fix(security): fix vulnerability for file loading (#7227) (#8847)
d76d11c 
* fix(security): fix vulnerability for file loading (#7227)
* fix(code): fix PSR2
* fix(code): correct variable name
Co-authored-by: victorvassilev <acedweb@gmail.com>
lpinsivy added a commit that referenced this pull request Jul 16, 2020
@lpinsivy
fix(security): fix vulnerability for file loading (#7227) (#8847)
9f76e8c 
* fix(security): fix vulnerability for file loading (#7227)
* fix(code): fix PSR2
* fix(code): correct variable name
Co-authored-by: victorvassilev <acedweb@gmail.com>
lpinsivy added a commit that referenced this pull request Jul 16, 2020
@lpinsivy
fix(security): fix vulnerability for file loading (#7227) (#8847)
385c048 
* fix(security): fix vulnerability for file loading (#7227)
* fix(code): fix PSR2
* fix(code): correct variable name
Co-authored-by: victorvassilev <acedweb@gmail.com>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@sc979 sc979 sc979 approved these changes

@vhr vhr vhr approved these changes

@miteto miteto miteto approved these changes

@kduret kduret Awaiting requested review from kduret

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.