|
Hi,
Where exactly in the maps do you see the problem?
How to reproduce?
Does it happen to all the maps?
Show some screenshots.
Anything that would help us to understand what is the problem and how can we help you 
|
|
No, I see this only on one map.
I don't know how to reproduce this.
I'll attach screenshot after I click Update button and export of map.
|
|
Please check url field in map properties or in map element, it should contain http:// https://
Look at what's new for 3.4.2 - A new ZBX_URI_VALID_SCHEMES constant has been added which defines the allowed URI schemes.
|
|
I'll check.
But! Once again you are breaking compatibiltiy! We use this map for several years!
And error message is not informative - there is no info which element contains "wrong" url.
|
|
I found element with url without http, so now map can be updated.
But, again, why there is no info about element in error message, at least?
|
|
Will be fixed with ZBX-3783.
|
|
In 3.4.3, this issue is still present. It will be great, if the url check for maps was not strict - if it only displayed message with information which object is affected.
We use maps for integration not only with web servers , we use it for integration with Samba shares and onenote too: links like \\smbshare\directory\file.txt , onenote:///c:\OneNote\folder worked fine before, but now they leads to this issue - we are no able to update maps created before 3.4.2 anymore.
|
|
Petr, Natalja provided link here, according to it other url types can be added in configuration or check can be disabled, afair...
|
|
sales,
thank you for hint. I can see that Natalja posted link to release notes - what's new in 4.3.2 - where acceptable uri prefixes could be defined with ZBX_URI_VALID_SCHEMES constant .
OK, but I really can not see, where URI check for maps could be disabled. Please, could you kick me little bit? Thank you.
|
|
Well , you not asking me, but... 
Sorry, I can't.
This is why I wrote- afair , my memory may fail me...
|
|
Hello, sles!
According your request about URL validation.
In 3.4.2 was added URL validation in the frontend:
https://www.zabbix.com/documentation/3.4/manual/web_interface/definitions?s[]=zbx&s[]=uri&s[]=valid&s[]=schemes
Added ZBX_URI_VALID_SCHEMES
In defines.inc.php, you can add allowed protocols: ssh, svn....
This changes we create according security audit, to make Zabbix safer.
Sorry, but CHtmlUrlValidator will not allow use telnet in this case, they have a specific format.
|
|
Oleg, thank you!
well, if it is security feature, then I'm absolutely wrong that this can be disabled - just mixed it up..
|
|
I have macroses in my trigger urls like
{$GRAYLOG_URL}{$GRAYLOG_QRY_EPKSALM_1}{$GRAYLOG_QRY_EPKSALM_2}{$GRAYLOG_QRY_EPKSALM_3}%20AND%20epks_priority_group%3A(H)%20AND%20source%3A
{HOST.HOST}
If I export that template and try to import - the url validation will prevent it. The only solution I found is to change ZBX_URI_VALID_SCHEMES by adding a comma after the last scheme in order to achieve an empty element and when parsing for : and not discovering scheme validation to pass.
My question is: Do you mind to evaluate the expression before validating it or not?
|
|
Zabbix is Open source project and you can made any changes. Official version is secure and support quality standards.
URL validation help to protect Zabbix frontend users from other Zabbix frontend users inside one Zabbix installation and from XSS and CSRF attacks.
We don't recommend do any changes, but you can.
|
|
>URL validation help to protect Zabbix frontend users from other Zabbix frontend users
oops! really? is there any setup where non-trusted user can edit maps?
if this is reason for this change- it is at least very strange.
|
|
Ok, Oleg, but my question was in future release will you evaluate the expression before validating it or not?
|
|
sles wrote:
oops! really? is there any setup where non-trusted user can edit maps? if this is reason for this change- it is at least very strange.
Well, there are multiple user types in Zabbix.
Monitoring -> Maps page is available for users without any permissions (no permissions at all or read-only permission to some single host)
With no permissions set, user can still create his own map and this is the part when not checking URL can make data of other users vulnerable.
So there are reasons to make those changes.
|
|
>So there are reasons to make those changes.
No, if this is case you have to provide way for administrator to disable such anonymous maps creation and let administrator decide are such maps meet local security policy or not.
IMHO, of course, but I'm local zabbix administrator
btw, in my case guest access is disabled.
|
|
RESOLVED in
|
|
(2)
No translation string changes in 2.2.
Translation strings added for 3.0:
- Provided URL "%1$s" is invalid.
sasha CLOSED
|
|
(14) [D] by changes, URLs with invalid port numbers, like ftp://user@host:port are considered as invalid. In previous versions this would be valid URL.
martins-v RESOLVED in the upgrade notes.
sasha CLOSED
|
|
Fixed:
- 2.2.21rc2 r75894
- 3.0.14rc2 r75895
- 3.2.11rc2 r75896
- 3.4.5rc2 r75908
- 4.0.0alpha1 (trunk) r75909
|
|
I don't think it's the right way to write in ChangeLog.
- Multiple things done in one issue should be written on a separate line, and not separated by a semicolon.
- Two similar yet different sentences: "made URL validation as optional" and "implemented URL validation as optional". Which one is it?
- "improved URL validation" doesn't mean a thing to user. Improved how?
|
|
I have this problem too. I have designed network maps for quick access to remote desktops through vnc protocol, so there are vnc:// and vvnc:// link templates in the system for remote control and remote view respectively. What can I do? Is there some option to bypass a zabbix server downgrade.
|
|
zzz, please refer to https://www.zabbix.com/documentation/3.4/manual/installation/upgrade_notes_345#configurable_uri_validation it describes the configuration procedure.
|
|
Vjaceslavs Bogdanovs, thanks a lot!
|
zbx_export_maps(1).xml
Снимок экрана от 2017-10-05 12-24-27.png
Team A