* use dedicated permissions namespace for scriptframe in filterutility to allow prope...

  * fixes issue https://github.com/Icinga/icinga2/issues/6785 where permission checks get wrong result because permissions checks are done within a shared namespaces without using only unique keys
  * mitigates issue https://github.com/Icinga/icinga2/issues/6874 where segmentation faults occur because of concurrent access to non threadsafe parts of namespace (a fix for thread safety of namespaces which would be an alternative approach to get rid of these segfaults is out of scope of this fix as 6785 needs to be fixed anyway and this is the straight-forwards) way to fix that
* do the same for eventqueue (not certain whether events can be processed in parallel but I expect it is the case)

diff --git a/lib/remote/eventqueue.cpp b/lib/remote/eventqueue.cpp
index 017d3dc57956ab2c43a6345724f838f2b18281f3..1c273db5193353b722ae93d19a7877b6d6aa5c6c 100644 (file)
--- a/lib/remote/eventqueue.cpp
+++ b/lib/remote/eventqueue.cpp
@@ -23,7 +23,8 @@ bool EventQueue::CanProcessEvent(const String& type) const
 
 void EventQueue::ProcessEvent(const Dictionary::Ptr& event)
 {
-       ScriptFrame frame(true);
+       Namespace::Ptr frameNS = new Namespace();
+       ScriptFrame frame(true, frameNS);
        frame.Sandboxed = true;
 
        try {

diff --git a/lib/remote/filterutility.cpp b/lib/remote/filterutility.cpp
index c74af5be3cfc9530039697900cc2f9d390982727..05decee50944a0c936fa8573d5e80e3dfb08a5b2 100644 (file)
--- a/lib/remote/filterutility.cpp
+++ b/lib/remote/filterutility.cpp
@@ -188,7 +188,8 @@ std::vector<Value> FilterUtility::GetFilterTargets(const QueryDescription& qd, c
        Expression *permissionFilter;
        CheckPermission(user, qd.Permission, &permissionFilter);
 
-       ScriptFrame permissionFrame(true);
+       Namespace::Ptr permissionFrameNS = new Namespace();
+       ScriptFrame permissionFrame(true, permissionFrameNS);
 
        for (const String& type : qd.Types) {
                String attr = type;