Add additional security to the unserialize function #5245
Merged
netniV merged 20 commits intoCacti:1.2.xfrom Feb 24, 2023
TheWitness:1.2.x
Merged
Add additional security to the unserialize function #5245netniV merged 20 commits intoCacti:1.2.xfrom TheWitness:1.2.x
netniV merged 20 commits intoCacti:1.2.xfrom
TheWitness:1.2.x
Conversation
Member
TheWitness
commented
Feb 20, 2023
- This change will add additional security to prevent certain classes of exploits in Cacti's use of the unserialize() function.
- Additionally, adding an additional setting to dsv_log() to reduce the amount of logging during use of the tool to test data sources vs. poller operations.
Searching for Poller Items Generates SQL Errors
* On large systems statistics gathering at the beginning of a poller run lead to excessive polling times * It's important to remove all items from the poller_output table for the poller as it impacts the end of the previous poller * The other change here has to do with large databases where the poller_output memory table can get pushed into swap. * Moved statistics out of the internal loop, and made a few optimizations for the $totals query to perform better. * We only care about total_ports if the snmp_port is > 0
This is a compromise with regard to a possible issue with MariaDB 10.3 to only allow this via setting, and only allow for single poller systems. We will look to re-design this in a future Cacti release.
This test added multi-output values that return a NaN or 'U'.
Edit Graph Template link missing base_url.
Template Export missing Graph Template columns multiple and test_source
* This change will add additional security to prevent certain classes of exploits in Cacti's use of the unserialize function. * Additionally, adding an additional setting to dsv_log() to reduce the amount of logging during use of the tool to test data sources vs. poller operations.
* SNMP-Options - Bulk Walk Maximum Repetitions ignored during save * light PSR to remove tabs and replace with spaces.
"Balance Process Load" dont work after upgrade to 1.2.23
netniV
requested changes
Feb 22, 2023
* We still have references in the code to 'poller_lastrun' without the poller id. Set the legacy value if the poller_id is 1 * If the poller_interval equals the cron interval, you can still have to bypass the scalability enhancement if you largest data source profile is larger than the poller interval
netniV
approved these changes
Feb 24, 2023
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.