11 files changed, 151 insertions, 34 deletions

diff --git a/NEWS b/NEWS
index 0848705c..4061c033 100644
--- a/NEWS
+++ b/NEWS
@@ -1,17 +1,56 @@
 This file documents the major additions and syntax changes between releases.
 
-2.3 [...]
+2.4 [...]
+        ENHANCEMENTS
+
+        FIXES
+
+2.3 10th December 2020
         ENHANCEMENTS
         check_dns: allow 'expected address' (-a) to be specified in CIDR notation
           (IPv4 only).
         check_dns: allow for IPv6 RDNS
+        check_dns: Accept CIDR
         check_dns: allow unsorted addresses
         check_dns: allow forcing complete match of all addresses
         check_apt: add --only-critical switch
         check_apt: add -l/--list option to print packages
+        check_file_age: add range checking
+        check_file_age: enable to test for maximum file size
+        check_apt: adding packages-warning option
+        check_load: Adding top consuming processes option
+        check_http: Adding Proxy-Authorization and extra headers
+        check_snmp: make calcualtion of timeout value in help output more clear
+        check_uptime: new plugin for checking uptime to see how long the system is running
+        check_curl: check_http replacement based on libcurl
+        check_http: Allow user to specify HTTP method after proxy CONNECT
+        check_http: Add new flag --show-body/-B to print body
+        check_cluster: Added data argument validation
+        check_icmp: Add IPv6 support
+        check_icmp: Automatically detect IP protocol
+        check_icmp: emit error if multiple protocol version
+        check_disk: add support to display inodes usage in perfdata
+        check_hpjd: Added -D option to disable warning on 'out of paper'
+        check_http: support the --show-body/-B flag when --expect is used
+        check_mysql: allow mariadbclient to be used
+        check_tcp: add --sni
+        check_dns: detect unreachable dns service in nslookup output
 
         FIXES
         Fix regression where check_dhcp was rereading response in a tight loop
+        check_dns: fix error detection on sles nslookup
+        check_disk_smb: fix timeout issue
+        check_swap: repaired "-n" behaviour
+        check_icmp: Correctly set address_family on lookup
+        check_icmp: Do not overwrite -4,-6 on lookup
+        check_smtp: initializes n before it is used
+        check_dns: fix typo in parameter description
+        check_by_ssh: fix child process leak on timeouts
+        check_mysql: Allow sockets to be specified to -H
+        check_procs: improve command examples for 'at least' processes
+        check_swap: repaired "-n" behaviour
+        check_disk: include -P switch in help
+        check_mailq: restore accidentially removed options
 
 2.2 29th November 2016
         ENHANCEMENTS
diff --git a/NP-VERSION-GEN b/NP-VERSION-GEN
index cf78d69c..c353b1d1 100755
--- a/NP-VERSION-GEN
+++ b/NP-VERSION-GEN
@@ -6,7 +6,7 @@
 SRC_ROOT=`dirname $0`
 
 NPVF=NP-VERSION-FILE
-DEF_VER=2.2.git
+DEF_VER=2.3git
 
 LF='
 '
diff --git a/README b/README
index beb77690..71b4d37c 100644
--- a/README
+++ b/README
@@ -10,7 +10,7 @@ Monitoring Plugins
 * For information on detailed changes that have been made or plugins
   that have been added, read the `ChangeLog` file.
 
-* Some plugins require that you have additional programs and/or
+* Some plugins require that you have additional programs or
   libraries installed on your system before they can be used.  Plugins that
   are dependent on other programs/libraries that are missing are usually not
   compiled.  Read the `REQUIREMENTS` file for more information.
@@ -19,7 +19,7 @@ Monitoring Plugins
   the basic guidelines for development will provide detailed help when
   invoked with the `-h` or `--help` options.
 
-You can check for the latest plugins at:
+You can check the latest plugins at:
 
 * <https://www.monitoring-plugins.org/>
 
diff --git a/THANKS.in b/THANKS.in
index 9bb43828..7d1d1ff0 100644
--- a/THANKS.in
+++ b/THANKS.in
@@ -357,3 +357,27 @@ Thomas Kurschel
 Yannick Charton
 Nicolai Søborg
 Rolf Eike Beer
+Bernd Arnold
+Andreas Baumann
+Tobias Wolf
+Lars Michelsen
+Vincent Danjean
+Kostyantyn Hushchyn
+Christian Tacke
+Alexander A. Klimov
+Vadim Zhukov
+Bernard Spil
+Christian Schmidt
+Guido Falsi
+Harald Koch
+Iustin Pop
+Jacob Hansen
+Jean-François Rameau
+Karol Babioch
+Lucas Bussey
+Marc Sánchez
+Markus Frosch
+Michael Kraus
+Patrick Rauscher
+Prathamesh Bhanuse
+Valentin Vidic
diff --git a/configure.ac b/configure.ac
index 4aebc2ad..7c17dcd1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,6 +1,6 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_PREREQ(2.59)
-AC_INIT(monitoring-plugins,2.2)
+AC_INIT(monitoring-plugins,2.3git)
 AC_CONFIG_SRCDIR(NPTest.pm)
 AC_CONFIG_FILES([gl/Makefile])
 AC_CONFIG_AUX_DIR(build-aux)
diff --git a/doc/RELEASING.md b/doc/RELEASING.md
index 1f9db078..bcd2c5ac 100644
--- a/doc/RELEASING.md
+++ b/doc/RELEASING.md
@@ -11,14 +11,14 @@ Before you start
 
 - Check Travis CI status.
 - Update local Git repository to the current `master` tip.  For a
-  maintenance release (e.g., version 2.2.2), update to the current
-  `maint-2.2` tip, instead.
+  maintenance release (e.g., version 2.3.2), update to the current
+  `maint-2.3` tip, instead.
 
 Prepare and commit files
 ------------------------
 
 - Update `configure.ac` and `NP-VERSION-GEN` with new version.
-- Update `NEWS` from `git log --reverse v2.2.1..` output, and specify
+- Update `NEWS` from `git log --reverse v2.3.1..` output, and specify
   the release version/date.
 - Update `AUTHORS` if there are new team members.
 - Update `THANKS.in` using `tools/update-thanks`.
@@ -29,27 +29,27 @@ Prepare and commit files
 Create annotated tag
 --------------------
 
-    git tag -a -m 'Monitoring Plugins 2.3' v2.3
+    git tag -a -m 'Monitoring Plugins 2.4' v2.4
 
 Push the code and tag to GitHub
 -------------------------------
 
     git push monitoring-plugins master
-    git push monitoring-plugins v2.3
+    git push monitoring-plugins v2.4
 
 Create new maintenance branch
 -----------------------------
 
 _Only necessary when creating a feature release._
 
-    git checkout -b maint-2.3 v2.3
-    git push -u monitoring-plugins maint-2.3
+    git checkout -b maint-2.4 v2.4
+    git push -u monitoring-plugins maint-2.4
 
 Checkout new version
 --------------------
 
     rm -rf /tmp/plugins
-    git archive --prefix=tmp/plugins/ v2.3 | (cd /; tar -xf -)
+    git archive --prefix=tmp/plugins/ v2.4 | (cd /; tar -xf -)
 
 Build the tarball
 -----------------
@@ -62,26 +62,26 @@ Build the tarball
 Upload tarball to web site
 --------------------------
 
-    scp monitoring-plugins-2.3.tar.gz \
+    scp monitoring-plugins-2.4.tar.gz \
         plugins@orwell.monitoring-plugins.org:web/download/
 
 Generate SHA1 checksum file on web site
 ---------------------------------------
 
     ssh plugins@orwell.monitoring-plugins.org \
-        '(cd web/download; $HOME/bin/create-checksum monitoring-plugins-2.3.tar.gz)'
+        '(cd web/download; $HOME/bin/create-checksum monitoring-plugins-2.4.tar.gz)'
 
 Announce new release
 --------------------
 
 - In the site.git repository:
 
-    - Create `web/input/news/release-2-3.md`.
+    - Create `web/input/news/release-2-4.md`.
     - Update the `plugins_release` version in `web/macros.py`.
     - Commit and push the result:
 
-            git add web/input/news/release-2-3.md
-            git commit web/input/news/release-2-3.md web/macros.py
+            git add web/input/news/release-2-4.md
+            git commit web/input/news/release-2-4.md web/macros.py
             git push origin master
 
 - Post an announcement on (at least) the following mailing lists:
@@ -93,6 +93,6 @@ Announce new release
 
 If you want to mention the number of contributors in the announcement:
 
-    git shortlog -s v2.2.1..v2.3 | wc -l
+    git shortlog -s v2.3.1..v2.4 | wc -l
 
 <!-- vim:set filetype=markdown textwidth=72: -->
diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c
index e45fdf60..31eb4c65 100644
--- a/plugins-root/check_icmp.c
+++ b/plugins-root/check_icmp.c
@@ -1134,7 +1134,7 @@ finish(int sig)
         while(host) {
                 if(!host->icmp_recv) {
                         /* rta 0 is ofcourse not entirely correct, but will still show up
-                         * conspicuosly as missing entries in perfparse and cacti */
+                         * conspicuously as missing entries in perfparse and cacti */
                         pl = 100;
                         rta = 0;
                         status = STATE_CRITICAL;
diff --git a/plugins-scripts/check_mailq.pl b/plugins-scripts/check_mailq.pl
index 32f498d3..aac1310e 100755
--- a/plugins-scripts/check_mailq.pl
+++ b/plugins-scripts/check_mailq.pl
@@ -568,7 +568,9 @@ sub process_arguments(){
                  "w=i" => \$opt_w, "warning=i"  => \$opt_w,   # warning if above this number
                  "c=i" => \$opt_c, "critical=i" => \$opt_c,       # critical if above this number
                  "t=i" => \$opt_t, "timeout=i"  => \$opt_t,
-                 "s"   => \$opt_s, "sudo"       => \$opt_s
+                 "s"   => \$opt_s, "sudo"       => \$opt_s,
+                 "W=i" => \$opt_W,                            # warning if above this number
+                 "C=i" => \$opt_C,                            # critical if above this number
                  );
 
         if ($opt_V) {
@@ -662,8 +664,8 @@ sub print_help () {
         print "   Feedback/patches to support non-sendmail mailqueue welcome\n\n";
         print "-w (--warning)   = Min. number of messages in queue to generate warning\n";
         print "-c (--critical)  = Min. number of messages in queue to generate critical alert ( w < c )\n";
-        print "-W (--Warning)   = Min. number of messages for same domain in queue to generate warning\n";
-        print "-C (--Critical)  = Min. number of messages for same domain in queue to generate critical alert ( W < C )\n";
+        print "-W               = Min. number of messages for same domain in queue to generate warning\n";
+        print "-C               = Min. number of messages for same domain in queue to generate critical alert ( W < C )\n";
         print "-t (--timeout)   = Plugin timeout in seconds (default = $utils::TIMEOUT)\n";
         print "-M (--mailserver) = [ sendmail | qmail | postfix | exim | nullmailer ] (default = autodetect)\n";
         print "-s (--sudo)      = Use sudo to call the mailq command\n";
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index 2d69b310..8f274c26 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -296,6 +296,28 @@ CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
 #endif /* USE_OPENSSL */
 #endif /* HAVE_SSL */
 
+/* returns a string "HTTP/1.x" or "HTTP/2" */
+static char *string_statuscode (int major, int minor)
+{
+  static char buf[10];
+
+  switch (major) {
+    case 1:
+      snprintf (buf, sizeof (buf), "HTTP/%d.%d", major, minor);
+      break;
+    case 2:
+    case 3:
+      snprintf (buf, sizeof (buf), "HTTP/%d", major);
+      break;
+    default:
+      /* assuming here HTTP/N with N>=4 */
+      snprintf (buf, sizeof (buf), "HTTP/%d", major);
+      break;
+  }  
+  
+  return buf;
+}
+
 /* Checks if the server 'reply' is one of the expected 'statuscodes' */
 static int
 expected_statuscode (const char *reply, const char *statuscodes)
@@ -746,7 +768,8 @@ GOT_FIRST_CERT:
   if (curlhelp_parse_statusline (header_buf.buf, &status_line) < 0) {
     snprintf (msg, DEFAULT_BUFFER_SIZE, "Unparsable status line in %.3g seconds response time|%s\n",
       total_time, perfstring);
-    die (STATE_CRITICAL, "HTTP CRITICAL HTTP/1.x %ld unknown - %s", code, msg);
+    /* we cannot know the major/minor version here for sure as we cannot parse the first line */
+    die (STATE_CRITICAL, "HTTP CRITICAL HTTP/x.x %ld unknown - %s", code, msg);
   }
 
   /* get result code from cURL */
@@ -823,8 +846,8 @@ GOT_FIRST_CERT:
 
   /* check status codes, set exit status accordingly */
   if( status_line.http_code != code ) {
-    die (STATE_CRITICAL, _("HTTP CRITICAL HTTP/%d.%d %d %s - different HTTP codes (cUrl has %ld)\n"),
-      status_line.http_major, status_line.http_minor,
+    die (STATE_CRITICAL, _("HTTP CRITICAL %s %d %s - different HTTP codes (cUrl has %ld)\n"),
+      string_statuscode (status_line.http_major, status_line.http_minor),
       status_line.http_code, status_line.msg, code);
   }
 
@@ -895,8 +918,8 @@ GOT_FIRST_CERT:
     msg[strlen(msg)-3] = '\0';
 
   /* TODO: separate _() msg and status code: die (result, "HTTP %s: %s\n", state_text(result), msg); */
-  die (result, "HTTP %s: HTTP/%d.%d %d %s%s%s - %d bytes in %.3f second response time %s|%s\n",
-    state_text(result), status_line.http_major, status_line.http_minor,
+  die (result, "HTTP %s: %s %d %s%s%s - %d bytes in %.3f second response time %s|%s\n",
+    state_text(result), string_statuscode (status_line.http_major, status_line.http_minor),
     status_line.http_code, status_line.msg,
     strlen(msg) > 0 ? " - " : "",
     msg, page_len, total_time,
@@ -1041,7 +1064,7 @@ redir (curlhelp_write_curlbuf* header_buf)
     const UriPathSegmentA* p = uri.pathHead;
     for (; p; p = p->next) {
       strncat (new_url, "/", DEFAULT_BUFFER_SIZE);
-      strncat (new_url, uri_string (p->text, buf, DEFAULT_BUFFER_SIZE), DEFAULT_BUFFER_SIZE);
+      strncat (new_url, uri_string (p->text, buf, DEFAULT_BUFFER_SIZE), DEFAULT_BUFFER_SIZE-1);
     }
   }
 
@@ -1354,7 +1377,7 @@ process_arguments (int argc, char **argv)
           ssl_version = CURL_SSLVERSION_DEFAULT;
 #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0) */
         else
-          usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2 (with optional '+' suffix)"));
+          usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2, 1.3 (with optional '+' suffix)"));
       }
 #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0)
       if (got_plus) {
@@ -1659,7 +1682,7 @@ print_help (void)
   printf (" %s\n", "-S, --ssl=VERSION[+]");
   printf ("    %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
   printf ("    %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,"));
-  printf ("    %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted."));
+  printf ("    %s\n", _("1.2 = TLSv1.2, 1.3 = TLSv1.3). With a '+' suffix, newer versions are also accepted."));
   printf ("    %s\n", _("Note: SSLv2 and SSLv3 are deprecated and are usually disabled in libcurl"));
   printf (" %s\n", "--sni");
   printf ("    %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
diff --git a/plugins/check_dns.c b/plugins/check_dns.c
index b90f50e6..0f2e6541 100644
--- a/plugins/check_dns.c
+++ b/plugins/check_dns.c
@@ -473,9 +473,23 @@ process_arguments (int argc, char **argv)
     case 'a': /* expected address */
       if (strlen (optarg) >= ADDRESS_LENGTH)
         die (STATE_UNKNOWN, _("Input buffer overflow\n"));
-      expected_address = (char **)realloc(expected_address, (expected_address_cnt+1) * sizeof(char**));
-      expected_address[expected_address_cnt] = strdup(optarg);
-      expected_address_cnt++;
+      if (strchr(optarg, ',') != NULL) {
+        char *comma = strchr(optarg, ',');
+        while (comma != NULL) {
+          expected_address = (char **)realloc(expected_address, (expected_address_cnt+1) * sizeof(char**));
+          expected_address[expected_address_cnt] = strndup(optarg, comma - optarg);
+          expected_address_cnt++;
+          optarg = comma + 1;
+          comma = strchr(optarg, ',');
+        }
+        expected_address = (char **)realloc(expected_address, (expected_address_cnt+1) * sizeof(char**));
+        expected_address[expected_address_cnt] = strdup(optarg);
+        expected_address_cnt++;
+      } else {
+        expected_address = (char **)realloc(expected_address, (expected_address_cnt+1) * sizeof(char**));
+        expected_address[expected_address_cnt] = strdup(optarg);
+        expected_address_cnt++;
+      }
       break;
     case 'A': /* expect authority */
       expect_authority = TRUE;
diff --git a/plugins/check_http.c b/plugins/check_http.c
index de59a068..e2298b17 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -931,6 +931,21 @@ check_http (void)
 
     if (verbose) printf ("Entering CONNECT tunnel mode with proxy %s:%d to dst %s:%d\n", server_address, server_port, host_name, HTTPS_PORT);
     asprintf (&buf, "%s %s:%d HTTP/1.1\r\n%s\r\n", http_method, host_name, HTTPS_PORT, user_agent);
+    if (strlen(proxy_auth)) {
+      base64_encode_alloc (proxy_auth, strlen (proxy_auth), &auth);
+      xasprintf (&buf, "%sProxy-Authorization: Basic %s\r\n", buf, auth);
+    }
+    /* optionally send any other header tag */
+    if (http_opt_headers_count) {
+      for (i = 0; i < http_opt_headers_count ; i++) {
+        if (force_host_header != http_opt_headers[i]) {
+          xasprintf (&buf, "%s%s\r\n", buf, http_opt_headers[i]);
+        }
+      }
+      /* This cannot be free'd here because a redirection will then try to access this and segfault */
+      /* Covered in a testcase in tests/check_http.t */
+      /* free(http_opt_headers); */
+    }
     asprintf (&buf, "%sProxy-Connection: keep-alive\r\n", buf);
     asprintf (&buf, "%sHost: %s\r\n", buf, host_name);
     /* we finished our request, send empty line with CRLF */