Merge branch '2.4' of github.com:MISP/MISP into 2.4
commit
8c7bef419d
@ -136,6 +136,7 @@ class AppController extends Controller
|
|||
$this->_stop();
|
||||
}
|
||||
}
|
||||
$this->response->header('X-XSS-Protection', '1; mode=block');
|
||||
|
||||
if (!empty($this->params['named']['sql'])) {
|
||||
$this->sql_dump = intval($this->params['named']['sql']);
|
||||
|
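Review bot: The `X-XSS-Protection` header added at L18 is a legacy control: Chromium-based browsers removed the XSS Auditor and Firefox never implemented it, so it only affects older clients and must not be read as a replacement for output encoding or a Content-Security-Policy. A short comment would stop the next maintainer from over-crediting it, e.g. `// Legacy hint for older browsers only; output escaping via h() and a CSP remain the actual XSS controls`. The enclosing method starts and ends outside this hunk.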
|
|
@ -209,11 +209,16 @@ class UsersController extends AppController
|
|||
}
|
||||
}
|
||||
if ($abortPost) {
|
||||
return $this->RestResponse->saveFailResponse('Users', 'edit', $id, $message, $this->response->type());
|
||||
} else {
|
||||
$this->Flash->error($message);
|
||||
$this->request->data['User']['password'] = '';
|
||||
$this->request->data['User']['confirm_password'] = '';
|
||||
if ($this->_isRest()) {
|
||||
return $this->RestResponse->saveFailResponse('Users', 'edit', $id, $message, $this->response->type());
|
||||
} else {
|
||||
$this->Flash->error($message);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$this->User->data = $currentUser;
|
||||
$this->User->set('password', '');
|
||||
$this->request->data = $this->User->data;
|
||||
}
|
||||
|
@ -261,6 +266,11 @@ class UsersController extends AppController
|
|||
$this->Flash->info($message);
|
||||
}
|
||||
}
|
||||
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['password']);
|
||||
if ($hashed) {
|
||||
$message = __('Submitted new password cannot be the same as the current one');
|
||||
$abortPost = true;
|
||||
}
|
||||
if (!$abortPost) {
|
||||
// What fields should be saved (allowed to be saved)
|
||||
$user['User']['change_pw'] = 0;
|
||||
|
@ -288,6 +298,8 @@ class UsersController extends AppController
|
|||
}
|
||||
$this->Flash->error($message);
|
||||
}
|
||||
} else {
|
||||
$this->Flash->error($message);
|
||||
}
|
||||
}
|
||||
if ($this->_isRest()) {
|
||||
|
@ -1097,6 +1109,7 @@ class UsersController extends AppController
|
|||
),
|
||||
'recursive' => -1
|
||||
));
|
||||
$lastUserLogin = $user['User']['last_login'];
|
||||
unset($user['User']['password']);
|
||||
$user['User']['action'] = 'login';
|
||||
$user['User']['last_login'] = $this->Auth->user('current_login');
|
||||
|
@ -1106,6 +1119,10 @@ class UsersController extends AppController
|
|||
$this->User->saveField('password', $passwordToSave);
|
||||
}
|
||||
$this->User->Behaviors->enable('SysLogLogable.SysLogLogable');
|
||||
if ($lastUserLogin) {
|
||||
$readableDatetime = (new DateTime())->setTimestamp($lastUserLogin)->format(DateTimeInterface::RFC822);
|
||||
$this->Flash->info(sprintf('Welcome! Last login was on %s', $readableDatetime));
|
||||
}
|
||||
// no state changes are ever done via GET requests, so it is safe to return to the original page:
|
||||
$this->redirect($this->Auth->redirectUrl());
|
||||
// $this->redirect(array('controller' => 'events', 'action' => 'index'));
|
||||
|
@ -1235,6 +1252,9 @@ class UsersController extends AppController
|
|||
if (!$this->_isAdmin() && Configure::read('MISP.disableUserSelfManagement')) {
|
||||
throw new MethodNotAllowedException('User self-management has been disabled on this instance.');
|
||||
}
|
||||
if (!$this->request->is('post') && !$this->request->is('put')) {
|
||||
throw new MethodNotAllowedException(__('This functionality is only accessible via POST requests.'));
|
||||
}
|
||||
if ($id == 'me') {
|
||||
$id = $this->Auth->user('id');
|
||||
}
|
||||
|
|
|
@ -1555,9 +1555,28 @@ class Attribute extends AppModel
|
|||
break;
|
||||
case 'ip-dst|port':
|
||||
case 'ip-src|port':
|
||||
if (strpos($value, ':')) {
|
||||
if (substr_count($value, ':') >= 2) { // (ipv6|port) - tokenize ip and port
|
||||
if (strpos($value, '|')) { // 2001:db8::1|80
|
||||
$parts = explode('|', $value);
|
||||
} elseif (strpos($value, '[') === 0 && strpos($value, ']') !== false) { // [2001:db8::1]:80
|
||||
$ipv6 = substr($value, 1, strpos($value, ']')-1);
|
||||
$port = explode(':', substr($value, strpos($value, ']')))[1];
|
||||
$parts = array($ipv6, $port);
|
||||
} elseif (strpos($value, '.')) { // 2001:db8::1.80
|
||||
$parts = explode('.', $value);
|
||||
} elseif (strpos($value, ' port ')) { // 2001:db8::1 port 80
|
||||
$parts = explode(' port ', $value);
|
||||
} elseif (strpos($value, 'p')) { // 2001:db8::1p80
|
||||
$parts = explode('p', $value);
|
||||
} elseif (strpos($value, '#')) { // 2001:db8::1#80
|
||||
$parts = explode('#', $value);
|
||||
} else { // 2001:db8::1:80 this one is ambiguous
|
||||
$temp = explode(':', $value);
|
||||
$parts = array(implode(':', array_slice($temp, 0, count($temp)-1)), end($temp));
|
||||
}
|
||||
} elseif (strpos($value, ':')) { // (ipv4:port)
|
||||
$parts = explode(':', $value);
|
||||
} elseif (strpos($value, '|')) {
|
||||
} elseif (strpos($value, '|')) { // (ipv4|port)
|
||||
$parts = explode('|', $value);
|
||||
} else {
|
||||
return $value;
|
||||
|
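Review bot: The delimiter probes at L262, L268, L286, L292, L298, L304, L322 and L331 rely on the truthiness of `strpos()`, so a delimiter at offset 0 counts as absent; a value such as `::1#80` or `::1 port 80` fails the outer `strpos($value, ':')` test at L262, misses the `|` branch too, and is returned unnormalised by the final `else`. Write each test as `strpos($value, ':') !== false` (and likewise for the other delimiters), or check the `|` form before the `:` heuristics. At L280 the `[1]` index is undefined when nothing follows the `]` (e.g. `[2001:db8::1]`), which raises a notice and yields a null port. The `.`-separated branch at L286 would also split an IPv4-mapped IPv6 address at every dot if such values reach this code. The enclosing `switch` begins and ends outside the hunk.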
|
|
@ -1262,7 +1262,7 @@ class Server extends AppModel
|
|||
'require_password_confirmation' => array(
|
||||
'level' => 1,
|
||||
'description' => __('Enabling this setting will require users to submit their current password on any edits to their profile (including a triggered password change). For administrators, the confirmation will be required when changing the profile of any user. Could potentially mitigate an attacker trying to change a compromised user\'s password in order to establish persistance, however, enabling this feature will be highly annoying to users.'),
|
||||
'value' => false,
|
||||
'value' => true,
|
||||
'errorMessage' => '',
|
||||
'test' => 'testBool',
|
||||
'type' => 'boolean',
|
||||
|
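Review bot: Flipping `value` to `true` at L361 changes what a never-configured instance gets for `require_password_confirmation`; if unset keys fall back to this default (not visible here), existing deployments will start demanding the current password on profile edits after upgrade, which deserves a changelog line. The description at L355 still misspells `persistance`.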
|
|
@ -9,8 +9,8 @@
|
|||
<?php
|
||||
if ($isAclSighting):
|
||||
?>
|
||||
<i class="icon-thumbs-up useCursorPointer" title="<?php echo __('Add sighting');?>" role="button" tabindex="0" aria-label="<?php echo __('Add sighting');?>" onmouseover="flexibleAddSighting(this, '0', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($object['value']);?>', '<?php echo h($page); ?>', 'top');" onclick="addSighting('0', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>');"> </i>
|
||||
<i class="icon-thumbs-down useCursorPointer" title="<?php echo __('Mark as false-positive');?>" role="button" tabindex="0" aria-label="<?php echo __('Mark as false-positive');?>" onmouseover="flexibleAddSighting(this, '1', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($object['value']);?>', '<?php echo h($page); ?>', 'bottom');" onclick="addSighting('1', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>');"> </i>
|
||||
<i class="icon-thumbs-up useCursorPointer" title="<?php echo __('Add sighting');?>" role="button" tabindex="0" aria-label="<?php echo __('Add sighting');?>" onmouseover="flexibleAddSighting(this, '0', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>', 'top');" onclick="addSighting('0', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>');"> </i>
|
||||
<i class="icon-thumbs-down useCursorPointer" title="<?php echo __('Mark as false-positive');?>" role="button" tabindex="0" aria-label="<?php echo __('Mark as false-positive');?>" onmouseover="flexibleAddSighting(this, '1', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>', 'bottom');" onclick="addSighting('1', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>');"> </i>
|
||||
<i class="icon-wrench useCursorPointer sightings_advanced_add" title="<?php echo __('Advanced sightings');?>" role="button" tabindex="0" aria-label="<?php echo __('Advanced sightings');?>" data-object-id="<?php echo h($object['id']); ?>" data-object-context="attribute"> </i>
|
||||
<?php
|
||||
endif;
|
||||
|
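Review bot: Dropping `h($object['value'])` from the inline `onmouseover` handlers at L394 and L397 removes the argument most likely to carry arbitrary user text, but the remaining arguments still sit inside a JavaScript string literal inside an HTML attribute, where `h()` alone is the wrong encoder: the browser decodes the HTML entities before the JS parser sees the string, so an `&#039;` produced by `h()` is a quote again by then. `$object['id']` and `$object['event_id']` are presumably integers, but `$page` should be confirmed to be a fixed server-side value rather than request-derived. The `data-object-id` attribute at L400 already shows the safer pattern — keep the values in `data-*` attributes and read them from a delegated handler, or build the argument with `h(json_encode($value))` so the string is encoded for both layers.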
|
|
@ -71,7 +71,16 @@ switch ($object['type']) {
|
|||
|
||||
default:
|
||||
if (strpos($object['type'], '|') !== false) {
|
||||
$separator = in_array($object['type'], array('ip-dst|port', 'ip-src|port')) ? ':' : '<br />';
|
||||
if (in_array($object['type'], array('ip-dst|port', 'ip-src|port'))) {
|
||||
if (substr_count($object['value'], ':') >= 2) {
|
||||
$object['value'] = '[' . $object['value']; // prepend `[` for a nicer display
|
||||
$separator = ']:';
|
||||
} else {
|
||||
$separator = ':';
|
||||
}
|
||||
} else {
|
||||
$separator = '<br />';
|
||||
}
|
||||
$valuePieces = explode('|', $object['value']);
|
||||
foreach ($valuePieces as $k => $v) {
|
||||
$valuePieces[$k] = h($v);
|
||||
|
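Review bot: The `substr_count($object['value'], ':') >= 2` test at L429 duplicates the IPv6 heuristic added to `Attribute` in this same commit (L265), so the model and the template can drift apart; a small shared helper on the model (something like `isIpv6WithPort($value)`) would keep the two in step. The `in_array` at L426 compares without the strict flag; `in_array($object['type'], array('ip-dst|port', 'ip-src|port'), true)` is the usual form. The enclosing `switch` default case continues outside the hunk.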
|
|
@ -1,7 +1,7 @@
|
|||
<div class="confirmation">
|
||||
<legend><?php echo __('Errors');?></legend>
|
||||
<div style="padding-left:5px;padding-right:5px;padding-bottom:5px;">
|
||||
<div id="flashErrorMessageContent" style="overflow-y: auto;"><?php echo $message; ?></div>
|
||||
<div id="flashErrorMessageContent" style="overflow-y: auto;"><?php echo h($message); ?></div>
|
||||
<span role="button" tabindex="0" aria-label="<?php echo __('Cancel');?>" title="<?php echo __('Cancel');?>" class="btn btn-inverse" id="PromptNoButton" onClick="cancelPopoverForm();"><?php echo __('Close');?></span>
|
||||
</div>
|
||||
</div>
|
||||
|
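Review bot: Escaping `$message` with `h()` at L483 is the right default for a flash template, but any caller that passed markup in its message (line breaks, links) now renders it literally; the `Flash->error($message)` call sites in this commit pass `__()` strings, so it is worth grepping for other callers before merging. Sibling flash templates (info/success) are not in this diff; if they echo `$message` raw the same fix applies there.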
|
|
@ -34,7 +34,7 @@ $buttonModifyStatus = $mayModify ? 'button_on':'button_off';
|
|||
h($user['User']['authkey']),
|
||||
sprintf(
|
||||
' (%s)',
|
||||
$this->Html->link(__('reset'), array('controller' => 'users', 'action' => 'resetauthkey', $user['User']['id']))
|
||||
$this->Form->postLink(__('reset'), array('action' => 'resetauthkey', $user['User']['id']))
|
||||
)
|
||||
);
|
||||
$table_data[] = array(
|
||||
|
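Review bot: Switching `resetauthkey` to `Form->postLink` at L513 (and again at L579 in the second view) appears to pair with the POST-only guard added in `UsersController`, so the key is no longer regenerated by a plain GET. Regenerating the key invalidates the current one immediately, so a confirmation is worth adding: `$this->Form->postLink(__('reset'), array('action' => 'resetauthkey', $user['User']['id']), array('confirm' => __('Are you sure you want to reset the authentication key?')))`. Whether the generated form carries a CSRF token depends on the SecurityComponent being enabled for this controller, which is not visible here.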
|
|
@ -12,7 +12,9 @@
|
|||
'external' => array('selected' => false, 'text' => __('Known remote organisations')),
|
||||
'all' => array('selected' => false, 'text' => __('All organisations'))
|
||||
);
|
||||
$types[$scope]['selected'] = true;
|
||||
if (isset($types[$scope])) {
|
||||
$types[$scope]['selected'] = true;
|
||||
}
|
||||
?>
|
||||
<h4><?php echo __('Organisation list');?></h4>
|
||||
<p><?php echo __('Quick overview over the organisations residing on or known by this instance.');?></p>
|
||||
|
|
|
@ -17,7 +17,8 @@
|
|||
(Configure::read('MISP.disableUserSelfManagement') && !$isAdmin) ? '' :
|
||||
sprintf(
|
||||
' (%s)',
|
||||
$this->Html->link(__('reset'), array('controller' => 'users', 'action' => 'resetauthkey', $user['User']['id']))
|
||||
$this->Form->postLink(__('reset'), array('action' => 'resetauthkey', $user['User']['id']))
|
||||
|
||||
)
|
||||
);
|
||||
}
|
||||
|
|
|
@ -56,7 +56,7 @@ function fetchAddSightingForm(type, attribute_id, page, onvalue) {
|
|||
});
|
||||
}
|
||||
|
||||
function flexibleAddSighting(clicked, type, attribute_id, event_id, value, page, placement) {
|
||||
function flexibleAddSighting(clicked, type, attribute_id, event_id, page, placement) {
|
||||
var $clicked = $(clicked);
|
||||
var hoverbroken = false;
|
||||
$clicked.off('mouseleave.temp').on('mouseleave.temp', function() {
|
||||
|
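Review bot: Removing the positional `value` parameter at L610 silently shifts the arguments of any caller still using the old seven-argument form — its `value` would be read as `page` and its `page` as `placement`, with no error. The two call sites on this page (L394, L397) were updated, but other templates are not visible here, so a grep for `flexibleAddSighting(` before merging is advisable. The enclosing function continues outside the hunk.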
|
|
@ -129,6 +129,7 @@ function removeRestClientHistoryItem(id) {
|
|||
}
|
||||
});
|
||||
|
||||
$('#TemplateSelect').val($('#ServerUrl').val()).trigger("chosen:updated").trigger("change");
|
||||
$('#ServerUrl').keyup(function() {
|
||||
$('#TemplateSelect').val($(this).val()).trigger("chosen:updated").trigger("change");
|
||||
});
|
||||
|
@ -142,11 +143,12 @@ function removeRestClientHistoryItem(id) {
|
|||
$('#ServerUrl').val(allValidApis[selected_template].url);
|
||||
$('#ServerUrl').data('urlWithoutParam', selected_template);
|
||||
var body_value = $('#ServerBody').val();
|
||||
if (body_value === '' || server_url_changed) {
|
||||
var refreshBody = (body_value === '' || server_url_changed)
|
||||
if (refreshBody) {
|
||||
$('#ServerBody').val(allValidApis[selected_template].body);
|
||||
}
|
||||
setApiInfoBox(false);
|
||||
updateQueryTool(selected_template, true);
|
||||
updateQueryTool(selected_template, refreshBody);
|
||||
}
|
||||
});
|
||||
|
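Review bot: `var refreshBody = (body_value === '' || server_url_changed)` at L664 has no terminating semicolon; every other statement in this file ends with one, and relying on automatic semicolon insertion before the following `if` is fragile under minification or concatenation — `var refreshBody = (body_value === '' || server_url_changed);`. The second parameter of `updateQueryTool` is named `isEmpty` in its signature (L694), so passing `refreshBody` at L682 conflates two meanings; renaming the parameter or adding a one-line comment at the call would help. The enclosing handler starts and ends outside the hunk.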
||||
|
@ -294,8 +296,10 @@ function updateQueryTool(url, isEmpty) {
|
|||
});
|
||||
} else {
|
||||
var r = filtersJson[k];
|
||||
r.value = values;
|
||||
rules.rules[0].rules.push(r);
|
||||
if (r !== undefined) { // rule is not defined in the description
|
||||
r.value = values;
|
||||
rules.rules[0].rules.push(r);
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
|
@ -313,7 +317,6 @@ function updateQueryTool(url, isEmpty) {
|
|||
+ '</div>');
|
||||
div.append(additionalInput);
|
||||
}
|
||||
|
||||
querybuilderTool.setRules(rules, false);
|
||||
}
|
||||
|
||||
|
|