Closed icinga-migration closed 10 years ago
Updated by steppenwolf on 2014-06-04 17:52:47 +00:00
Updated by steppenwolf on 2014-06-04 17:55:27 +00:00
Ugh, sorry for the bad formatting of the config snippets
Updated by mfriedrich on 2014-06-04 18:11:30 +00:00
Seems #4390 was never documented. I initially added such a config option at the implementation stage, being fully aware of the possible exposure of these values.
I'd rather move this issue to the 1.x docs and allow the documentation to be fixed. Meanwhile you can open the cgi.cfg and add the required exclusions yourself.
Updated by steppenwolf on 2014-06-04 18:40:28 +00:00
exclude_customvar_name=*
I'd rather keep all hidden.
Thanks
Updated by mfriedrich on 2014-06-04 18:58:12 +00:00
Updated by Wolfgang on 2014-06-04 20:30:11 +00:00
Attached two git formatted patches containing the changes against next.
Updated by mfriedrich on 2014-07-19 13:37:57 +00:00
This issue has been migrated from Redmine: https://dev.icinga.com/issues/6409
Created by steppenwolf on 2014-06-04 17:52:11 +00:00
Assignee: Wolfgang
Status: Closed (closed on 2014-07-19 13:37:57 +00:00)
Target Version: 1.12
Last Update: 2014-07-19 13:37:57 +00:00 (in Redmine)
The content of custom variables (vars.*) appears on the host or service details (classicUI).
This is a welcome feature, but it is buggy/incomplete.
All vars.* get expanded unconditionally on the web interface, sensitive and non-sensitive data alike.
This information leak is unacceptable in a production environment.
I have attached a screenshot of the vars.* expansion, where a workaround also appears: vars are not expanded twice.
These are the command and service definitions that generated this:
/etc/icinga2/conf.d/hosts/localhost/http.conf:
object Service "http" {
    import "generic-service"

    host_name = "localhost"
    check_command = "http2"
    vars.sla = "24x7"
    vars.httpuser = "DummyUser"
    vars.httppass = "DummyPass"
    vars.httpuri = "/icinga/"
    vars.htthost = "$address$"
}
/etc/icinga2/conf.d/commands.conf:
object CheckCommand "http2" {
    import "plugin-check-command"

    command = PluginDir + "/check_http"

    arguments = {
        "-H" = "$htthost$",
        "-a" = "$httpuser$:$httppass$",
        "-u" = "$httpuri$"
    }
}
/etc/icinga2/conf.d/hosts/localhost.conf:
object Host "localhost" {
    import "generic-host"

    address = "127.0.0.1"
    address6 = "::1"

    vars.sla = "24x7"
}
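An added example, not part of the original issue or of Icinga's own code: a small Python audit that lists custom variables with secret-looking names that the Classic UI would still display for a given `cgi.cfg`. The sample configs, the `SENSITIVE_HINTS` list and the treatment of entries other than `*` as case-insensitive substrings are assumptions; only `exclude_customvar_name=*` appears in this thread.

```python
import re

# Constructed sample, modelled on the Service definition in this issue.
ICINGA2_CONF = '''
object Service "http" {
  import "generic-service"
  vars.sla = "24x7"
  vars.httpuser = "DummyUser"
  vars.httppass = "DummyPass"
  vars.httpuri = "/icinga/"
}
'''
# Constructed cgi.cfg contents: no exclusions, hide everything, hide one name.
CGI_OPEN = "# exclude_customvar_name=password\n"
CGI_HIDE_ALL = "exclude_customvar_name=*\n"
CGI_PARTIAL = "exclude_customvar_name=httppass\n"

# Assumption: name fragments that usually mark a secret; tune per site.
SENSITIVE_HINTS = ("pass", "user", "secret", "token", "community", "key")

def custom_vars(conf_text):
    """Return (object, variable name) for every vars.* assignment."""
    found, current = [], None
    for line in conf_text.splitlines():
        m = re.match(r'\s*object\s+(\w+)\s+"([^"]+)"', line)
        if m:
            current = f'{m.group(1)} "{m.group(2)}"'
        for v in re.finditer(r'\bvars\.(\w+)\s*=', line):
            found.append((current, v.group(1)))
    return found

def excluded_names(cgi_text):
    """Collect entries from active exclude_customvar_name= lines."""
    pats = []
    for line in cgi_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() == "exclude_customvar_name":
            pats += [p.strip().lower() for p in val.split(",") if p.strip()]
    return pats

def is_hidden(name, pats):
    # Assumption: "*" hides all names; other entries match as substrings.
    return any(p == "*" or p in name.lower() for p in pats)

def exposed_secrets(conf_text, cgi_text):
    # Secret-looking custom variables that no exclusion entry covers.
    pats = excluded_names(cgi_text)
    return [(obj, name) for obj, name in custom_vars(conf_text)
            if any(h in name.lower() for h in SENSITIVE_HINTS)
            and not is_hidden(name, pats)]
```

Calling `exposed_secrets()` with the text of the real object files and `cgi.cfg` returns the variables to rename, move out of `vars.*`, or add to the exclusion list.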