[Nagios-devel] nagios2 plugin output sanitization

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Locked
Guest

[Nagios-devel] nagios2 plugin output sanitization

Post by Guest »


--XuV1QlJbYrcVoo+x
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi,

Trying to fix Debian bug #416814 (plugin output does not get sanitized
before sending to the browser) I found that a lot of work has already
been done since 2.6. Comparing to 2.10 there several changes like

- printf("[%s] %s\n",date_time,temp_buffer);
+ printf("[%s] %s\n",date_time,strip_plugin_html(temp_buffer));

BUT: The strip_plugin_html function in cgi/cgiutils.c does nothing but
returning the input. Is there a reason against using the html_encode
function in all places? It seems to do the right job which is escaping
potentially harmful html sequences.

By the way, the "anything else gets represented by its hex value" code
converts 8bit characters in an unexpected manner: For example, '\xff'
gets translated into "&#-1;", at least on amd64. This is not unsafe,
just invalid html. I'd suggest to change

- sprintf(temp_expansion,"&#%d;",(unsigned int)input[x]);
+ sprintf(temp_expansion,"&#%d;",(unsigned char)input[x]);

Christoph


--XuV1QlJbYrcVoo+x
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHMECzBq/69tVAGy0RAmn2AJ99kDcITaLrmRszzCOw8r88sujKigCePWJX
PZvzth/fakkwPvngR9bCLGo=
=mt6S
-----END PGP SIGNATURE-----

--XuV1QlJbYrcVoo+x--





This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
Top
Locked

Return to “Open Source Nagios Projects”