XI2024 | MyTools

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
bbahn
Posts: 386
Joined: Thu Jan 12, 2023 5:42 pm

Re: XI2024 | MyTools

Post by bbahn »

It seems maybe you're trying to access it by clicking the URL? It seems that this won't work. Instead you should be selecting your tool under My Tools or using the blue view arrow under Actions. It is weird to me that clicking the URL doesn't bring you to the website but instead to a local directory in the webroot, but that's how it currently seems to work. If subdirectories don't work, then it may be a bug though.
Actively advancing awesome answers with ardent alliteration, aptly addressing all ambiguities. Amplify your acumen and avail our amicable assistance. Eagerly awaiting your astute assessments of our advice.
snapier3
Posts: 144
Joined: Tue Apr 23, 2019 7:12 pm

Re: XI2024 | MyTools

Post by snapier3 »

bbahn wrote: Fri Dec 08, 2023 11:27 am It is weird to me that clicking the URL doesn't bring you to the website but instead to a local directory in the webroot, but that's how it currently seems to work. If subdirectories don't work, then it may be a bug though.
This is where I'm at with it too...
I'll add that to my list of things to look at back-end wise and see if I can find what gives.
snapier3
Posts: 144
Joined: Tue Apr 23, 2019 7:12 pm

Re: XI2024 | MyTools

Post by snapier3 »

I think I found the issue...
In the respective [My/Common]tools.php
There is a double URL encode thing going on...

Code:

echo '<td><a href="' . urlencode(encode_form_val($r["url"])) . '" target="_blank">' . encode_form_val($r["url"]) . '</a></td>';
Should be

Code:

echo '<td><a href="' . encode_form_val($r["url"]) . '" target="_blank">' . encode_form_val($r["url"]) . '</a></td>';
snapier3
Posts: 144
Joined: Tue Apr 23, 2019 7:12 pm

Re: XI2024 | MyTools

Post by snapier3 »

So yeah, removing the double encode works in the common tools and mytools flavors.

Code:

<?php
        $mr = get_commontools();
        foreach ($mr as $id => $r) {
            echo "<tr>";
            echo "<td>" . encode_form_val($r["name"]) . "</td>";
            echo '<td><a href="' . encode_form_val($r["url"]) . '" target="_blank">' . encode_form_val($r["url"]) . '</a></td>';
            echo "<td>";
            if (is_admin()) {
                echo "<a href='?edit=1&id=" . $id . "&nsp=" . get_nagios_session_protector_id() . "'><img src='" . theme_image("pencil.png") . "' alt='" . _('Edit') . "' title='" . _('Edit') . "' class='tt-bind'></a>&nbsp;";
                echo "<a href='?delete=1&id=" . $id . "&nsp=" . get_nagios_session_protector_id() . "'><img src='" . theme_image("cross.png") . "' alt='" . _('Delete') . "' title='" . _('Delete') . "' class='tt-bind'></a>&nbsp;";
            }
            echo "<a href='?go=1&id=" . $id . "&nsp=" . get_nagios_session_protector_id() . "'><img src='" . theme_image("b_next.png") . "' alt='" . _('View') . "' title='" . _('View') . "' class='tt-bind'></a>";
            echo "</td>";
            echo "</tr>";
        }
        if (count($mr) == 0) {
            if (is_admin())
                echo "<tr><td colspan='3'>" . _("You haven't defined any tools yet.") . " (<a href='?edit=1'>" . _("Add one now") . "</a>)</td></tr>";
            else
                echo "<tr><td colspan='3'>" . _("No common tools have been defined yet.") . "</td></tr>";
        }
        ?>
bbahn
Posts: 386
Joined: Thu Jan 12, 2023 5:42 pm

Re: XI2024 | MyTools

Post by bbahn »

That will work, but I think the proper way to fix this would be to split off the initial http:// or https:// using a regex like this ^https?:\/\/ and then merge that back with the rest of the string that did go through the urlencode. Otherwise you're not sufficiently protecting against malicious URLs.
Actively advancing awesome answers with ardent alliteration, aptly addressing all ambiguities. Amplify your acumen and avail our amicable assistance. Eagerly awaiting your astute assessments of our advice.
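The three ways of building the href discussed in this thread, side by side, as an added example that is not Nagios XI code and not code from either poster. html_escape() stands in for encode_form_val() (assumed to be plain HTML escaping), href_http_only() is a hypothetical helper, and the sample URLs are constructed. The third variant uses the regex as a scheme allowlist instead of re-applying urlencode() to the remainder, because urlencode() also encodes "/" and "?".

```php
<?php
// Added example, not Nagios XI code. html_escape() is a stand-in for
// encode_form_val(), assumed here to be plain HTML escaping.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Variant 1: the original line. urlencode() turns ":" and "/" into %3A and
// %2F, so the href has no scheme and the browser treats it as a relative path.
function href_double_encoded(string $url): string
{
    return urlencode(html_escape($url));
}

// Variant 2: the fix posted in the thread. Links work again, but any scheme
// the stored value carries reaches the href attribute.
function href_escaped_only(string $url): string
{
    return html_escape($url);
}

// Variant 3 (hypothetical helper): gate on the ^https?:\/\/ regex from the
// thread (case-insensitive here), then HTML-escape. Returns null for anything
// else so the caller can render the URL as plain text instead of a link.
function href_http_only(string $url): ?string
{
    $url = trim($url);
    if (!preg_match('/^https?:\/\//i', $url)) {
        return null;
    }
    return html_escape($url);
}

// Constructed sample values, not taken from a real system.
$samples = [
    'https://example.com/tools?a=1&b=2',
    'javascript:void(0)',
    'tools/local.html',
];

foreach ($samples as $url) {
    printf("%-36s\n  double-encoded: %s\n  escaped only:   %s\n  http(s) only:   %s\n",
        $url,
        href_double_encoded($url),
        href_escaped_only($url),
        href_http_only($url) ?? '(rejected, render as text)');
}
```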