Bug 1160867 - AUDIT-FIND: cacti: remove api_plugin_hook_function to prevent plugins from injecting commands
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Audits
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Enhancement
Target Milestone: ---
Assigned To: Lars Vogdt
QA Contact: Security Team bot
Reported: 2020-01-14 09:41 UTC by Johannes Segitz
Modified: 2020-04-11 13:38 UTC (History)
Description Johannes Segitz 2020-01-14 09:41:38 UTC
+++ This bug was initially created as a clone of Bug #1150534 +++

Upstream agreed to remove the potentially dangerous api_plugin_hook_function call in poller.php (line 575):

    $extra_args = api_plugin_hook_function('poller_command_args', $extra_args);

See https://github.com/Cacti/cacti/issues/3177

We should also do this in Factory, either by carrying a patch or by taking the current version.
Comment 1 Matthias Gerstner 2020-02-28 12:00:56 UTC
Removing block towards the parent AUDIT bug so we can continue cleaning up the cron job bugs.

Please take care of this bug, too, however!
Comment 2 Andreas Stieger 2020-04-11 13:34:01 UTC
Maintainers seem inactive, see bug 1164675 and bug 1169215.
Comment 3 Andreas Stieger 2020-04-11 13:36:45 UTC
David is inactive (e-mail bounces).
Comment 4 Andreas Stieger 2020-04-11 13:38:20 UTC
https://github.com/Cacti/cacti/commit/7bae47230fd9d4a1aa602421a391489438fa6af2
is in release 1.2.9, which is in Factory and Leap 15.1. Closing.