[ZBX-12825] error: Wrong value for url field. Created: 2017 Oct 05  Updated: 2019 Nov 19  Resolved: 2017 Dec 14

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 3.4.2
Fix Version/s: 2.2.21rc2, 3.0.14rc2, 3.2.11rc2, 3.4.5rc2, 4.0.0alpha1, 4.0 (plan)

Type: Problem report Priority: Major
Reporter: sles Assignee: Miks Kronkalns
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Centos 7


Attachments: XML File zbx_export_maps(1).xml     PNG File Снимок экрана от 2017-10-05 12-24-27.png    
Issue Links:
Causes
Duplicate
duplicates ZBX-3783 Proper API validation Reopened
duplicates ZBX-12768 WASA Findings from NSOC Team Closed
is duplicated by ZBX-17012 Allow relative URL on Screens with ad... Closed
Team: Team A
Sprint: Sprint 19, Sprint 21, Sprint 22, Sprint 23
Story Points: 4

 Description   

After upgrade from 3.4.1 to 3.4.2 I see error:

error: Wrong value for url field.

While trying to update one of the maps.

Thank you!



 Comments   
Comment by Ingus Vilnis [ 2017 Oct 05 ]

Hi,

Where exactly in the maps do you see the problem?
How to reproduce?
Does it happen to all the maps?
Show some screenshots.
Anything that would help us to understand what is the problem and how can we help you

Comment by sles [ 2017 Oct 05 ]

No, I see this only on one map.
I don't know how to reproduce this.
I'll attach screenshot after I click Update button and export of map.

Comment by Natalja Romancaka [ 2017 Oct 05 ]

Please check the url field in map properties or in map element, it should contain http:// or https://
Look at what's new for 3.4.2 - A new ZBX_URI_VALID_SCHEMES constant has been added which defines the allowed URI schemes.

Comment by sles [ 2017 Oct 05 ]

I'll check.
But! Once again you are breaking compatibility! We have used this map for several years!

And error message is not informative - there is no info which element contains "wrong" url.

Comment by sles [ 2017 Oct 05 ]

I found element with url without http, so now map can be updated.
But, again, why there is no info about element in error message, at least?

Comment by Alexander Vladishev [ 2017 Oct 05 ]

Will be fixed with ZBX-3783.

Comment by Petr Vyhlidal [ 2017 Oct 20 ]

In 3.4.3, this issue is still present. It would be great if the url check for maps was not strict - if it only displayed a message with information about which object is affected.
We use maps for integration not only with web servers, we use them for integration with Samba shares and onenote too: links like \\smbshare\directory\file.txt , onenote:///c:\OneNote\folder worked fine before, but now they lead to this issue - we are not able to update maps created before 3.4.2 anymore.

Comment by sles [ 2017 Oct 20 ]

Petr, Natalja provided link here, according to it other url types can be added in configuration or check can be disabled, afair...

Comment by Petr Vyhlidal [ 2017 Oct 20 ]

sles,
thank you for the hint. I can see that Natalja posted a link to the release notes - what's new in 4.3.2 - where acceptable uri prefixes could be defined with the ZBX_URI_VALID_SCHEMES constant.
OK, but I really can not see where the URI check for maps could be disabled. Please, could you kick me a little bit? Thank you.

Comment by sles [ 2017 Oct 20 ]

Well, you are not asking me, but...
Sorry, I can't.
This is why I wrote - afair, my memory may fail me...

Comment by Oleg Egorov (Inactive) [ 2017 Oct 20 ]

Hello, sles!
Regarding your request about URL validation.
URL validation was added in the frontend in 3.4.2:
https://www.zabbix.com/documentation/3.4/manual/web_interface/definitions?s[]=zbx&s[]=uri&s[]=valid&s[]=schemes
Added ZBX_URI_VALID_SCHEMES
In defines.inc.php, you can add allowed protocols: ssh, svn....

We made these changes according to a security audit, to make Zabbix safer.

Sorry, but CHtmlUrlValidator will not allow the use of telnet in this case, it has a specific format.

Comment by sles [ 2017 Oct 20 ]

Oleg, thank you!

well, if it is a security feature, then I'm absolutely wrong that this can be disabled - just mixed it up..

Comment by Veselin Kutsarov [ 2017 Oct 24 ]

I have macros in my trigger urls like
{$GRAYLOG_URL}{$GRAYLOG_QRY_EPKSALM_1}{$GRAYLOG_QRY_EPKSALM_2}{$GRAYLOG_QRY_EPKSALM_3}%20AND%20epks_priority_group%3A(H)%20AND%20source%3A{HOST.HOST}

If I export that template and try to import - the url validation will prevent it. The only solution I found is to change ZBX_URI_VALID_SCHEMES by adding a comma after the last scheme in order to achieve an empty element and when parsing for : and not discovering scheme validation to pass.
My question is: Do you mind to evaluate the expression before validating it or not?

Comment by Oleg Egorov (Inactive) [ 2017 Oct 25 ]

Zabbix is an Open source project and you can make any changes. The official version is secure and supports quality standards.
URL validation helps to protect Zabbix frontend users from other Zabbix frontend users inside one Zabbix installation and from XSS and CSRF attacks.
We don't recommend making any changes, but you can.

Comment by sles [ 2017 Oct 25 ]

>URL validation help to protect Zabbix frontend users from other Zabbix frontend users

oops! really? is there any setup where non-trusted user can edit maps?
if this is reason for this change- it is at least very strange.

Comment by Veselin Kutsarov [ 2017 Oct 25 ]

Ok, Oleg, but my question was in future release will you evaluate the expression before validating it or not?

Comment by Vjaceslavs Bogdanovs [ 2017 Oct 26 ]

sles wrote:

oops! really? is there any setup where non-trusted user can edit maps? if this is reason for this change- it is at least very strange.

Well, there are multiple user types in Zabbix.

Monitoring -> Maps page is available for users without any permissions (no permissions at all or read-only permission to some single host)
With no permissions set, user can still create his own map and this is the part when not checking URL can make data of other users vulnerable.

So there are reasons to make those changes.

Comment by sles [ 2017 Oct 26 ]

>So there are reasons to make those changes.

No, if this is the case you have to provide a way for the administrator to disable such anonymous map creation and let the administrator decide whether such maps meet local security policy or not.
IMHO, of course, but I'm local zabbix administrator
btw, in my case guest access is disabled.

Comment by Miks Kronkalns [ 2017 Nov 24 ]

RESOLVED in

Comment by Miks Kronkalns [ 2017 Nov 27 ]

(2)
No translation string changes in 2.2.

Translation strings added for 3.0:

  • Provided URL "%1$s" is invalid.

sasha CLOSED

Comment by Miks Kronkalns [ 2017 Dec 05 ]

(14) [D] by changes, URLs with invalid port numbers, like ftp://user@host:port are considered as invalid. In previous versions this would be valid URL.

martins-v RESOLVED in the upgrade notes.

sasha CLOSED
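
Added illustration, not part of the issue thread and not Zabbix's code: a Python model of the scheme allowlist check discussed in the comments above, covering the empty allowlist entry from Veselin Kutsarov's comment and the non-numeric port case from the 2017 Dec 05 comment. The allowlist value, the sample URLs and all function names are assumptions made for this example; Zabbix's own CHtmlUrlValidator is PHP and may behave differently.

```python
import re

# Constructed allowlist in the comma-separated style of ZBX_URI_VALID_SCHEMES (assumed value).
SAMPLE_SCHEMES = "http,https,ftp,file,mailto,tel,ssh"

# Constructed inputs modelled on the link styles mentioned in the comments.
SAMPLE_URLS = [
    "https://zabbix.example.com/maps",
    r"\\smbshare\directory\file.txt",
    r"onenote:///c:\OneNote\folder",
    "vnc://desktop.example.com",
    "ftp://user@host:port",
    "{$GRAYLOG_URL}{$GRAYLOG_QRY_EPKSALM_1}",
    "javascript:void(0)",
]

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")              # RFC 3986 scheme
AUTHORITY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")  # text after "//"


def parse_schemes(raw, drop_empty=True):
    """Split the allowlist. A stray comma yields "", which matches scheme-less input."""
    items = [s.strip().lower() for s in raw.split(",")]
    return {s for s in items if s or not drop_empty}


def check_url(url, allowed):
    """Return (ok, reason) for one URL against the allowed scheme set."""
    m = SCHEME_RE.match(url)
    scheme = m.group(1).lower() if m else ""
    if scheme not in allowed:
        return False, f'scheme "{scheme}" not allowed' if scheme else "no scheme"
    auth = AUTHORITY_RE.match(url)
    if auth:
        hostport = auth.group(1).rsplit("@", 1)[-1]   # drop userinfo
        port = re.search(r":([^:\]]+)$", hostport)
        if port and not re.fullmatch(r"[0-9]{1,5}", port.group(1)):
            return False, f'invalid port "{port.group(1)}"'
    return True, "ok"


def rejected(urls, raw_schemes, drop_empty=True):
    """List (url, reason) for every URL that fails, so the offending value is named."""
    allowed = parse_schemes(raw_schemes, drop_empty)
    return [(u, why) for u in urls for ok, why in [check_url(u, allowed)] if not ok]


if __name__ == "__main__":
    for url, why in rejected(SAMPLE_URLS, SAMPLE_SCHEMES):
        print(f"{why:32} {url}")
```

Calling rejected() with a trailing comma in the allowlist and drop_empty=False shows the effect of the empty entry: only the scheme-less values start passing, while disallowed schemes and the non-numeric port are still refused.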

Comment by Miks Kronkalns [ 2017 Dec 14 ]

Fixed:

  • 2.2.21rc2 r75894
  • 3.0.14rc2 r75895
  • 3.2.11rc2 r75896
  • 3.4.5rc2 r75908
  • 4.0.0alpha1 (trunk) r75909

Comment by Ivo Kurzemnieks [ 2017 Dec 29 ]

I don't think it's the right way to write in ChangeLog.

  • Multiple things done in one issue should be written on a separate line, and not separated by a semicolon.
  • Two similar yet different sentences: "made URL validation as optional" and "implemented URL validation as optional". Which one is it?
  • "improved URL validation" doesn't mean a thing to user. Improved how?

Comment by Pavel Zharkov [ 2018 Feb 27 ]

I have this problem too. I have designed network maps for quick access to remote desktops through the vnc protocol, so there are vnc:// and vvnc:// link templates in the system for remote control and remote view respectively. What can I do? Is there some option to bypass a zabbix server downgrade?

Comment by Vjaceslavs Bogdanovs [ 2018 Feb 27 ]

zzz, please refer to https://www.zabbix.com/documentation/3.4/manual/installation/upgrade_notes_345#configurable_uri_validation ; it describes the configuration procedure.

Comment by Pavel Zharkov [ 2018 Feb 28 ]

Vjaceslavs Bogdanovs, thanks a lot!

Generated at Fri Mar 29 08:37:45 EET 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.