Werk #1500: Preventing livestatus injections in different places

Title: Preventing livestatus injections in different places
Date: 2014-11-12 15:33:12
Checkmk Edition: Checkmk Raw Edition (CRE)
Checkmk Version: 1.2.6b1
Level: Prominent Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed

In some places, strings provided by users, e.g. by filling values into a form, are used to construct livestatus queries. This is done, for example, when filtering views or executing commands. Previous versions used these strings directly, without escaping or filtering characters, which could lead to problems. This has now been fixed: strings provided by the user are filtered before they are used in livestatus queries. For the moment, the only implemented action is to remove all newline (\n) characters from the values, to prevent injection of unintended livestatus queries / commands.
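
The following added example (not Checkmk's own code) shows why removing newlines matters: a livestatus query is a sequence of newline-terminated lines, so a value containing \n ends its own line early and starts a new one. The function names, the host name and the sample value are assumptions constructed for illustration.

```python
# Added illustration, not Checkmk source code. All names are hypothetical.

def strip_newlines(value: str) -> str:
    """Remove every newline so the value cannot terminate its query line."""
    return value.replace("\n", "")


def build_query_unfiltered(hostname: str) -> str:
    """Behaviour before the fix: the user string is placed into the query as-is."""
    return "GET hosts\nColumns: name state\nFilter: name = %s\n" % hostname


def build_query_filtered(hostname: str) -> str:
    """Behaviour after the fix: the user string is filtered before use."""
    return "GET hosts\nColumns: name state\nFilter: name = %s\n" % strip_newlines(hostname)


def query_lines(query: str) -> list:
    """Split a query into the lines a line-based parser would see."""
    return [line for line in query.split("\n") if line]


# Constructed form value: a host name followed by an embedded newline and
# a made-up extra line (not a real livestatus header).
SAMPLE_VALUE = "web01\nInjectedLine: constructed"

if __name__ == "__main__":
    before = query_lines(build_query_unfiltered(SAMPLE_VALUE))
    after = query_lines(build_query_filtered(SAMPLE_VALUE))
    # Unfiltered: the value spills into a fourth line of its own.
    print(len(before), before)
    # Filtered: the whole value stays inside the single Filter line.
    print(len(after), after)
```

With the filter applied, the query keeps exactly the three lines the developer wrote, and the user value can only affect what the Filter line matches.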