Merge branch '2.4' of github.com:MISP/MISP into 2.4

pull/5705/head
iglocska 2020-03-09 10:36:22 +01:00
commit 8c7bef419d
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
12 changed files with 74 additions and 19 deletions


@ -136,6 +136,7 @@ class AppController extends Controller
$this->_stop();
}
}
$this->response->header('X-XSS-Protection', '1; mode=block');
if (!empty($this->params['named']['sql'])) {
$this->sql_dump = intval($this->params['named']['sql']);
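Review bot: The `X-XSS-Protection: 1; mode=block` header added here is a legacy control: Chromium removed its XSS auditor in 2019 and Firefox never shipped one, so on current browsers the line is a no-op, and the filter it enables has itself been a source of information leaks in older engines. The durable mitigation for reflected script injection is a `Content-Security-Policy` header; if one is already emitted elsewhere this line can stay as a harmless fallback, and `X-Content-Type-Options: nosniff` would be a more useful sibling to set in the same place. The enclosing method starts and ends outside the hunk.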


@ -209,11 +209,16 @@ class UsersController extends AppController
}
}
if ($abortPost) {
return $this->RestResponse->saveFailResponse('Users', 'edit', $id, $message, $this->response->type());
} else {
$this->Flash->error($message);
$this->request->data['User']['password'] = '';
$this->request->data['User']['confirm_password'] = '';
if ($this->_isRest()) {
return $this->RestResponse->saveFailResponse('Users', 'edit', $id, $message, $this->response->type());
} else {
$this->Flash->error($message);
}
}
} else {
$this->User->data = $currentUser;
$this->User->set('password', '');
$this->request->data = $this->User->data;
}
@ -261,6 +266,11 @@ class UsersController extends AppController
$this->Flash->info($message);
}
}
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['password']);
if ($hashed) {
$message = __('Submitted new password cannot be the same as the current one');
$abortPost = true;
}
if (!$abortPost) {
// What fields should be saved (allowed to be saved)
$user['User']['change_pw'] = 0;
@ -288,6 +298,8 @@ class UsersController extends AppController
}
$this->Flash->error($message);
}
} else {
$this->Flash->error($message);
}
}
if ($this->_isRest()) {
@ -1097,6 +1109,7 @@ class UsersController extends AppController
),
'recursive' => -1
));
$lastUserLogin = $user['User']['last_login'];
unset($user['User']['password']);
$user['User']['action'] = 'login';
$user['User']['last_login'] = $this->Auth->user('current_login');
@ -1106,6 +1119,10 @@ class UsersController extends AppController
$this->User->saveField('password', $passwordToSave);
}
$this->User->Behaviors->enable('SysLogLogable.SysLogLogable');
if ($lastUserLogin) {
$readableDatetime = (new DateTime())->setTimestamp($lastUserLogin)->format(DateTimeInterface::RFC822);
$this->Flash->info(sprintf('Welcome! Last login was on %s', $readableDatetime));
}
// no state changes are ever done via GET requests, so it is safe to return to the original page:
$this->redirect($this->Auth->redirectUrl());
// $this->redirect(array('controller' => 'events', 'action' => 'index'));
@ -1235,6 +1252,9 @@ class UsersController extends AppController
if (!$this->_isAdmin() && Configure::read('MISP.disableUserSelfManagement')) {
throw new MethodNotAllowedException('User self-management has been disabled on this instance.');
}
if (!$this->request->is('post') && !$this->request->is('put')) {
throw new MethodNotAllowedException(__('This functionality is only accessible via POST requests.'));
}
if ($id == 'me') {
$id = $this->Auth->user('id');
}
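Review bot: The new same-password check in the `-261,6 +266,11` hunk runs unconditionally, so when an earlier validation in the same action has already set `$abortPost` and `$message`, the current password is still hashed and verified and `$message` is overwritten, hiding the original reason for the failure; guard it with `if (!$abortPost && $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['password'])) {` and drop the `$hashed` name, which suggests a hash rather than a boolean. In the `-1106,6 +1119,10` hunk the welcome message is built with a literal `sprintf('Welcome! Last login was on %s', ...)` while every neighbouring user-facing string goes through `__()`, and the `DateTime` is created in the server's default timezone with no explicit `DateTimeZone`; `__('Welcome! Last login was on %s', $readableDatetime)` keeps it translatable. Showing the previous login time is a useful signal for users to notice account misuse, so it is worth keeping it accurate and consistently rendered. The enclosing actions start and end outside the hunks.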


@ -1555,9 +1555,28 @@ class Attribute extends AppModel
break;
case 'ip-dst|port':
case 'ip-src|port':
if (strpos($value, ':')) {
if (substr_count($value, ':') >= 2) { // (ipv6|port) - tokenize ip and port
if (strpos($value, '|')) { // 2001:db8::1|80
$parts = explode('|', $value);
} elseif (strpos($value, '[') === 0 && strpos($value, ']') !== false) { // [2001:db8::1]:80
$ipv6 = substr($value, 1, strpos($value, ']')-1);
$port = explode(':', substr($value, strpos($value, ']')))[1];
$parts = array($ipv6, $port);
} elseif (strpos($value, '.')) { // 2001:db8::1.80
$parts = explode('.', $value);
} elseif (strpos($value, ' port ')) { // 2001:db8::1 port 80
$parts = explode(' port ', $value);
} elseif (strpos($value, 'p')) { // 2001:db8::1p80
$parts = explode('p', $value);
} elseif (strpos($value, '#')) { // 2001:db8::1#80
$parts = explode('#', $value);
} else { // 2001:db8::1:80 this one is ambiguous
$temp = explode(':', $value);
$parts = array(implode(':', array_slice($temp, 0, count($temp)-1)), end($temp));
}
} elseif (strpos($value, ':')) { // (ipv4:port)
$parts = explode(':', $value);
} elseif (strpos($value, '|')) {
} elseif (strpos($value, '|')) { // (ipv4|port)
$parts = explode('|', $value);
} else {
return $value;
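Review bot: The `[ipv6]:port` branch indexes `explode(':', substr($value, strpos($value, ']')))[1]` without checking that anything follows the closing bracket, so a value such as `[2001:db8::1]` with no port raises an undefined-offset notice and stores a null port; `$tail = explode(':', substr($value, strpos($value, ']')), 2); $port = isset($tail[1]) ? $tail[1] : '';` would make it fail closed. The `.` branch also appears to catch IPv4-mapped addresses, e.g. a constructed `::ffff:192.0.2.1:80`, which has two colons and a dot and would be split on the dot rather than on the final colon — worth a test case before relying on it. The new branches keep the existing `if (strpos($value, 'x'))` truthiness idiom, where a match at offset 0 counts as no match; `!== false` is the safer form, as the `]` test on the same lines already does. The `case` body continues past the end of the hunk.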


@ -1262,7 +1262,7 @@ class Server extends AppModel
'require_password_confirmation' => array(
'level' => 1,
'description' => __('Enabling this setting will require users to submit their current password on any edits to their profile (including a triggered password change). For administrators, the confirmation will be required when changing the profile of any user. Could potentially mitigate an attacker trying to change a compromised user\'s password in order to establish persistance, however, enabling this feature will be highly annoying to users.'),
'value' => false,
'value' => true,
'errorMessage' => '',
'test' => 'testBool',
'type' => 'boolean',
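Review bot: The default of `require_password_confirmation` flips to `true`, but the description above it still reads as advice for an opt-in feature and ends with "enabling this feature will be highly annoying to users"; with the setting now on by default, the text should tell an administrator what they give up by turning it off, e.g. append `Disabling it removes that protection against an attacker with a hijacked session changing the password.` The new default presumably only applies where the setting is absent from the local config, so instances that already store an explicit `false` keep the weaker behaviour — worth a line in the changelog or upgrade notes.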


@ -9,8 +9,8 @@
<?php
if ($isAclSighting):
?>
<i class="icon-thumbs-up useCursorPointer" title="<?php echo __('Add sighting');?>" role="button" tabindex="0" aria-label="<?php echo __('Add sighting');?>" onmouseover="flexibleAddSighting(this, '0', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($object['value']);?>', '<?php echo h($page); ?>', 'top');" onclick="addSighting('0', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>');">&nbsp;</i>
<i class="icon-thumbs-down useCursorPointer" title="<?php echo __('Mark as false-positive');?>" role="button" tabindex="0" aria-label="<?php echo __('Mark as false-positive');?>" onmouseover="flexibleAddSighting(this, '1', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($object['value']);?>', '<?php echo h($page); ?>', 'bottom');" onclick="addSighting('1', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>');">&nbsp;</i>
<i class="icon-thumbs-up useCursorPointer" title="<?php echo __('Add sighting');?>" role="button" tabindex="0" aria-label="<?php echo __('Add sighting');?>" onmouseover="flexibleAddSighting(this, '0', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>', 'top');" onclick="addSighting('0', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>');">&nbsp;</i>
<i class="icon-thumbs-down useCursorPointer" title="<?php echo __('Mark as false-positive');?>" role="button" tabindex="0" aria-label="<?php echo __('Mark as false-positive');?>" onmouseover="flexibleAddSighting(this, '1', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>', 'bottom');" onclick="addSighting('1', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>');">&nbsp;</i>
<i class="icon-wrench useCursorPointer sightings_advanced_add" title="<?php echo __('Advanced sightings');?>" role="button" tabindex="0" aria-label="<?php echo __('Advanced sightings');?>" data-object-id="<?php echo h($object['id']); ?>" data-object-context="attribute">&nbsp;</i>
<?php
endif;
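Review bot: Dropping `h($object['value'])` from the inline `onmouseover` handlers removes an HTML-escaped value from a JavaScript string context, which is the right direction: `h()` entity-encodes quotes, but the browser decodes the attribute before the script parser sees it, so HTML escaping alone does not make a value safe inside a quoted JS literal. The same applies to the `id`, `event_id` and `page` arguments that remain in both handlers; if any of them can carry a quote character, the safer pattern is the one already used for the wrench icon on the line below (`data-object-id="<?php echo h($object['id']); ?>"`) with the handler reading `$(this).data(...)`. The template continues outside the hunk.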


@ -71,7 +71,16 @@ switch ($object['type']) {
default:
if (strpos($object['type'], '|') !== false) {
$separator = in_array($object['type'], array('ip-dst|port', 'ip-src|port')) ? ':' : '<br />';
if (in_array($object['type'], array('ip-dst|port', 'ip-src|port'))) {
if (substr_count($object['value'], ':') >= 2) {
$object['value'] = '[' . $object['value']; // prepend `[` for a nicer display
$separator = ']:';
} else {
$separator = ':';
}
} else {
$separator = '<br />';
}
$valuePieces = explode('|', $object['value']);
foreach ($valuePieces as $k => $v) {
$valuePieces[$k] = h($v);
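Review bot: The new `in_array($object['type'], array('ip-dst|port', 'ip-src|port'))` test does not pass `true` for strict comparison, and the nested `if`/`else` that assigns `$separator` is a style point: a single `$isIpPort = in_array($object['type'], array('ip-dst|port', 'ip-src|port'), true);` followed by a guard clause reads more directly. Prepending `[` to `$object['value']` mutates the element's value for the rest of the template; if anything after the `foreach` reads it again (a copy target or link, for example) it will see the bracket, so a local `$displayValue` would be safer. The `switch` continues outside the hunk.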


@ -1,7 +1,7 @@
<div class="confirmation">
<legend><?php echo __('Errors');?></legend>
<div style="padding-left:5px;padding-right:5px;padding-bottom:5px;">
<div id="flashErrorMessageContent" style="overflow-y: auto;"><?php echo $message; ?></div>
<div id="flashErrorMessageContent" style="overflow-y: auto;"><?php echo h($message); ?></div>
<span role="button" tabindex="0" aria-label="<?php echo __('Cancel');?>" title="<?php echo __('Cancel');?>" class="btn btn-inverse" id="PromptNoButton" onClick="cancelPopoverForm();"><?php echo __('Close');?></span>
</div>
</div>
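Review bot: Escaping `$message` with `h()` closes a reflected-content gap in the error flash, but only for this template; the `Flash->info` calls elsewhere in this commit (the last-login welcome message in UsersController) render through a sibling template, and if that one still does `<?php echo $message; ?>` it needs the same change. Also worth confirming that no caller passes deliberate markup in an error message (a link to the offending setting, for example), since those would now render as literal text. The `onClick` attribute on the close button is unaffected.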


@ -34,7 +34,7 @@ $buttonModifyStatus = $mayModify ? 'button_on':'button_off';
h($user['User']['authkey']),
sprintf(
' (%s)',
$this->Html->link(__('reset'), array('controller' => 'users', 'action' => 'resetauthkey', $user['User']['id']))
$this->Form->postLink(__('reset'), array('action' => 'resetauthkey', $user['User']['id']))
)
);
$table_data[] = array(
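Review bot: Switching `resetauthkey` to `Form->postLink` pairs with the POST/PUT check added in UsersController, but the URL array drops the `'controller' => 'users'` key that the old `Html->link` carried, so the generated form posts relative to whichever controller renders this view; that is fine if it is always `UsersController`, otherwise keep the key: `array('controller' => 'users', 'action' => 'resetauthkey', $user['User']['id'])`. The same applies to the admin view hunk further down (`@ -17,7 +17,8 @@`). `postLink` embeds a CSRF token only when the Security component is active for the controller, so the request-method check in the controller is the complement to that, not a substitute.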


@ -12,7 +12,9 @@
'external' => array('selected' => false, 'text' => __('Known remote organisations')),
'all' => array('selected' => false, 'text' => __('All organisations'))
);
$types[$scope]['selected'] = true;
if (isset($types[$scope])) {
$types[$scope]['selected'] = true;
}
?>
<h4><?php echo __('Organisation list');?></h4>
<p><?php echo __('Quick overview over the organisations residing on or known by this instance.');?></p>


@ -17,7 +17,8 @@
(Configure::read('MISP.disableUserSelfManagement') && !$isAdmin) ? '' :
sprintf(
' (%s)',
$this->Html->link(__('reset'), array('controller' => 'users', 'action' => 'resetauthkey', $user['User']['id']))
$this->Form->postLink(__('reset'), array('action' => 'resetauthkey', $user['User']['id']))
)
);
}


@ -56,7 +56,7 @@ function fetchAddSightingForm(type, attribute_id, page, onvalue) {
});
}
function flexibleAddSighting(clicked, type, attribute_id, event_id, value, page, placement) {
function flexibleAddSighting(clicked, type, attribute_id, event_id, page, placement) {
var $clicked = $(clicked);
var hoverbroken = false;
$clicked.off('mouseleave.temp').on('mouseleave.temp', function() {
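Review bot: Removing the `value` parameter shifts the positions of `page` and `placement`, so any caller still passing seven arguments would silently hand the value over as `page` and the page as `placement`; the attribute view in this commit is updated, but other templates that attach `flexibleAddSighting` (object or proposal rows, if they exist) should be grepped for the old arity. A short JSDoc line above the signature, `// (clicked, type, attribute_id, event_id, page, placement) — value is no longer passed inline`, would make the arity change visible at the definition. The function body continues outside the hunk.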


@ -129,6 +129,7 @@ function removeRestClientHistoryItem(id) {
}
});
$('#TemplateSelect').val($('#ServerUrl').val()).trigger("chosen:updated").trigger("change");
$('#ServerUrl').keyup(function() {
$('#TemplateSelect').val($(this).val()).trigger("chosen:updated").trigger("change");
});
@ -142,11 +143,12 @@ function removeRestClientHistoryItem(id) {
$('#ServerUrl').val(allValidApis[selected_template].url);
$('#ServerUrl').data('urlWithoutParam', selected_template);
var body_value = $('#ServerBody').val();
if (body_value === '' || server_url_changed) {
var refreshBody = (body_value === '' || server_url_changed)
if (refreshBody) {
$('#ServerBody').val(allValidApis[selected_template].body);
}
setApiInfoBox(false);
updateQueryTool(selected_template, true);
updateQueryTool(selected_template, refreshBody);
}
});
@ -294,8 +296,10 @@ function updateQueryTool(url, isEmpty) {
});
} else {
var r = filtersJson[k];
r.value = values;
rules.rules[0].rules.push(r);
if (r !== undefined) { // rule is not defined in the description
r.value = values;
rules.rules[0].rules.push(r);
}
}
});
@ -313,7 +317,6 @@ function updateQueryTool(url, isEmpty) {
+ '</div>');
div.append(additionalInput);
}
querybuilderTool.setRules(rules, false);
}
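Review bot: `var refreshBody = (body_value === '' || server_url_changed)` in the `-142,11 +143,12` hunk is missing its terminating semicolon; ASI rescues it here, but the rest of the file terminates statements, so add the `;`. The value is then passed as the second argument of `updateQueryTool`, whose parameter is named `isEmpty` in the signature shown at the `-294,8 +296,10` hunk header; since it now means "the body was reloaded from the template" rather than "the body is empty", renaming the parameter (e.g. `bodyReplaced`) would keep the call and the definition telling the same story. Both `updateQueryTool` and the handler that calls it start and end outside the hunks.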