Bug#944282: stretch-pu: monit 1:5.20.0-6+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Release Team,
I would like to make an upload to stable in order to fix bug
#941895 in the monit package: the HTTP interface's CSRF double-submit
cookie check only recognised `securitytoken` when it was the first
cookie in the `Cookie` header, so POST requests from browsers that sent
other cookies first were rejected.
Package on mentors.d.n:
https://mentors.debian.net/package/monit
The full patch between this new package version and the version
1:5.20.0-6 currently in Stretch is attached.
diff -Nru monit-5.20.0/debian/changelog monit-5.20.0/debian/changelog
--- monit-5.20.0/debian/changelog 2017-01-11 16:48:27.000000000 +0300
+++ monit-5.20.0/debian/changelog 2019-10-09 15:47:31.000000000 +0300
@@ -1,3 +1,9 @@
+monit (1:5.20.0-6+deb9u1) stretch; urgency=medium
+
+ * Implement position independent CSRF cookie value (Closes: #941895).
+
+ -- Sergey B Kirpichev <skirpichev@gmail.com> Wed, 09 Oct 2019 15:47:31 +0300
+
monit (1:5.20.0-6) unstable; urgency=medium
* Fix regression from #849886, test monit.log existence (Closes: #850829)
diff -Nru monit-5.20.0/debian/patches/12_PID_CSRF.patch monit-5.20.0/debian/patches/12_PID_CSRF.patch
--- monit-5.20.0/debian/patches/12_PID_CSRF.patch 1970-01-01 03:00:00.000000000 +0300
+++ monit-5.20.0/debian/patches/12_PID_CSRF.patch 2019-10-09 15:47:31.000000000 +0300
@@ -0,0 +1,109 @@
+Origin: https://bitbucket.org/tildeslash/monit/commits/f9a9a7a92
+Description: Position independent CSRF cookie value
+Bug-Debian: https://bugs.debian.org/941895
+
+---
+ src/http/processor.c | 61 +++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 45 insertions(+), 16 deletions(-)
+
+--- a/src/http/processor.c
++++ b/src/http/processor.c
+@@ -258,7 +258,7 @@ void set_header(HttpResponse res, const
+ for (n = p = res->headers; p; n = p, p = p->next) {
+ if (IS(p->name, name)) {
+ FREE(p->value);
+- p->value = Str_dup(value);
++ p->value = Str_dup(h->value);
+ destroy_entry(h);
+ return;
+ }
+@@ -288,6 +288,7 @@ void set_status(HttpResponse res, int co
+ * @param mime Mime content type, e.g. text/html
+ */
+ void set_content_type(HttpResponse res, const char *mime) {
++ ASSERT(mime);
+ set_header(res, "Content-Type", "%s", mime);
+ }
+
+@@ -720,9 +721,11 @@ static void destroy_entry(void *p) {
+ /* ----------------------------------------------------- Checkers/Validators */
+
+
+-/**
+- * Do Basic Authentication if this auth. style is allowed.
+- */
++static boolean_t _isCookieSeparator(int c) {
++ return (c == ' ' || c == '\n' || c == ';' || c == ',');
++}
++
++
+ static boolean_t is_authenticated(HttpRequest req, HttpResponse res) {
+ if (Run.httpd.credentials) {
+ if (! basic_authenticate(req)) {
+@@ -734,28 +737,54 @@ static boolean_t is_authenticated(HttpRe
+ }
+ if (IS(req->method, METHOD_POST)) {
+ // Check CSRF double-submit cookie (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie)
+- const char *cookie = get_header(req, "Cookie");
+ const char *token = get_parameter(req, "securitytoken");
+- if (! cookie) {
+- LogError("HttpRequest: access denied -- client [%s]: missing CSRF token cookie\n", NVLSTR(Socket_getRemoteHost(req->S)));
+- send_error(req, res, SC_FORBIDDEN, "Invalid CSRF Token");
+- return false;
+- }
+ if (! token) {
+ LogError("HttpRequest: access denied -- client [%s]: missing CSRF token in HTTP parameter\n", NVLSTR(Socket_getRemoteHost(req->S)));
+ send_error(req, res, SC_FORBIDDEN, "Invalid CSRF Token");
+ return false;
+ }
+- if (! Str_startsWith(cookie, "securitytoken=")) {
+- LogError("HttpRequest: access denied -- client [%s]: no CSRF token in cookie\n", NVLSTR(Socket_getRemoteHost(req->S)));
++ const char *cookie = get_header(req, "Cookie");
++ if (! cookie) {
++ LogError("HttpRequest: access denied -- client [%s]: missing CSRF token cookie\n", NVLSTR(Socket_getRemoteHost(req->S)));
+ send_error(req, res, SC_FORBIDDEN, "Invalid CSRF Token");
+ return false;
+ }
+- if (Str_compareConstantTime(cookie + 14, token)) {
+- LogError("HttpRequest: access denied -- client [%s]: CSRF token mismatch\n", NVLSTR(Socket_getRemoteHost(req->S)));
+- send_error(req, res, SC_FORBIDDEN, "Invalid CSRF Token");
+- return false;
++ const char *cookieName = "securitytoken=";
++ for (int i = 0, j = 0; cookie[i]; i++) {
++ if (_isCookieSeparator(cookie[i])) {
++ // Cookie separator
++ j = 0;
++ continue;
++ }
++ if (j < 14) {
++ // Cookie name
++ if (cookie[i] == cookieName[j]) {
++ j++;
++ continue;
++ } else {
++ j = 0;
++ }
++ } else if (j == 14) {
++ // Cookie value
++ char cookieValue[STRLEN] = {};
++ strncpy(cookieValue, cookie + i, sizeof(cookieValue) - 1);
++ for (int k = 0; cookieValue[k]; k++) {
++ if (_isCookieSeparator(cookieValue[k])) {
++ cookieValue[k] = 0;
++ break;
++ }
++ }
++ if (Str_compareConstantTime(cookieValue, token)) {
++ LogError("HttpRequest: access denied -- client [%s]: CSRF token mismatch\n", NVLSTR(Socket_getRemoteHost(req->S)));
++ send_error(req, res, SC_FORBIDDEN, "Invalid CSRF Token");
++ return false;
++ }
++ return true;
++ }
+ }
++ LogError("HttpRequest: access denied -- client [%s]: no CSRF token in cookie\n", NVLSTR(Socket_getRemoteHost(req->S)));
++ send_error(req, res, SC_FORBIDDEN, "Invalid CSRF Token");
++ return false;
+ }
+ return true;
+ }
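Review bot: The cookie-name scan in is_authenticated accepts any cookie whose name merely ends in `securitytoken`, because on a mismatch it does `j = 0` without requiring the next match to begin at the start of a cookie-pair; with `Cookie: xsecuritytoken=v; securitytoken=real` the loop compares `v` against the form token and returns on that first hit, never reaching the genuine cookie, and a mid-name mismatch likewise restarts without re-testing the current character. This does not obviously weaken the double-submit scheme by itself (whoever can plant such a cookie on this origin could plant `securitytoken` directly), but it makes the check depend on cookie order and on how other applications on the same host name their cookies. Anchoring the name match at the header start or immediately after a separator, and skipping the remainder of any non-matching pair, fixes both cases; the rewritten scan is below, with the value copy and constant-time compare left as in the patch. Two smaller points in the same block: `char cookieValue[STRLEN] = {};` is an empty initializer (C23/GNU extension) and `= {0}` is the portable spelling, and the two `14` literals should be derived from `cookieName` rather than repeated.
```c
                        const char *cookieName = "securitytoken=";
                        const size_t cookieNameLength = strlen(cookieName);
                        boolean_t atNameStart = true; // next non-separator character begins a cookie name
                        for (size_t i = 0, j = 0; cookie[i]; i++) {
                                if (_isCookieSeparator(cookie[i])) {
                                        j = 0;
                                        atNameStart = true;
                                        continue;
                                }
                                if (j < cookieNameLength) {
                                        // Only match the name from the start of a cookie-pair; any mismatch
                                        // skips the rest of this pair instead of restarting mid-name
                                        if ((j > 0 || atNameStart) && cookie[i] == cookieName[j])
                                                j++;
                                        else
                                                j = cookieNameLength + 1;
                                        atNameStart = false;
                                        continue;
                                }
                                if (j == cookieNameLength) {
                                        /* … unchanged: copy value up to next separator, Str_compareConstantTime, return … */
                                }
                                // j > cookieNameLength: inside a non-matching cookie-pair, keep scanning
                        }
```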
diff -Nru monit-5.20.0/debian/patches/series monit-5.20.0/debian/patches/series
--- monit-5.20.0/debian/patches/series 2017-01-11 16:48:27.000000000 +0300
+++ monit-5.20.0/debian/patches/series 2019-10-09 15:47:31.000000000 +0300
@@ -3,3 +3,4 @@
06_ssl.patch
07_cross.patch
11_enable_hurd.patch
+12_PID_CSRF.patch