From: Gunnar Beutner Date: Wed, 11 Nov 2015 07:29:48 +0000 (+0100) Subject: Don't allow users to set internal attributes via PUT X-Git-Tag: v2.4.0~15 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=356c4cc17079ae7dffaee68f4c065ea01ae2281c;p=icinga2 Don't allow users to set internal attributes via PUT fixes #10601
---
diff --git a/lib/remote/configobjectutility.cpp b/lib/remote/configobjectutility.cpp
index 91de62c5f..d6270baad 100644
--- a/lib/remote/configobjectutility.cpp
+++ b/lib/remote/configobjectutility.cpp
@@ -66,9 +66,23 @@ String ConfigObjectUtility::CreateObjectConfig(const Type::Ptr& type, const Stri
 Dictionary::Ptr allAttrs = new Dictionary();
- if (attrs)
+ if (attrs) {
 attrs->CopyTo(allAttrs);
+ ObjectLock olock(attrs);
+ BOOST_FOREACH(const Dictionary::Pair& kv, attrs) {
+ int fid = type->GetFieldId(kv.first);
+
+ if (fid < 0)
+ BOOST_THROW_EXCEPTION(ScriptError("Invalid attribute specified: " + kv.first));
+
+ Field field = type->GetFieldInfo(fid);
+
+ if (field.Attributes & FANoUserModify)
+ BOOST_THROW_EXCEPTION(ScriptError("Attribute is marked for internal use only and may not be set: " + kv.first));
+ }
+ }
+
 if (nameParts)
 nameParts->CopyTo(allAttrs);
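Review bot: The internal-attribute check in the new loop is a deny-list: `if (field.Attributes & FANoUserModify)` rejects only fields that carry that flag, so any field that should not be user-settable but was never tagged still gets through to `allAttrs`. If every attribute meant to be set at creation time is marked as a config field, a default-deny test such as `if (!(field.Attributes & FAConfig) || (field.Attributes & FANoUserModify))` would fail closed when a new field is added without flags; that assumption needs confirming against the type definitions, which are not in this hunk. The validation also runs after `attrs->CopyTo(allAttrs)`; the throw makes that harmless here, but validating before the copy keeps unchecked keys out of `allAttrs` entirely. The body of `CreateObjectConfig` starts and ends outside the hunk.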