
Re: XI2024 | MyTools

Posted: Fri Dec 08, 2023 11:27 am
by bbahn
It seems maybe you're trying to access it by clicking the URL? It seems that this won't work. Instead you should be selecting your tool under My Tools or using the blue view arrow under Actions. It is weird to me that clicking the URL doesn't bring you to the website but instead to a local directory in the webroot, but that's how it currently seems to work. If subdirectories don't work, then it may be a bug though.

Re: XI2024 | MyTools

Posted: Fri Dec 08, 2023 11:53 am
by snapier3
bbahn wrote: Fri Dec 08, 2023 11:27 am It is weird to me that clicking the URL doesn't bring you to the website but instead to a local directory in the webroot, but that's how it currently seems to work. If subdirectories don't work, then it may be a bug though.
This is where I'm at with it too...
I'll add that to my list of things to look at back-end wise and see if I can find what gives.

Re: XI2024 | MyTools

Posted: Fri Dec 08, 2023 12:30 pm
by snapier3
I think I found the issue...
In the respective [My/Common]tools.php
There is a double URL encode thing going on...

Code:

echo '<td><a href="' . urlencode(encode_form_val($r["url"])) . '" target="_blank">' . encode_form_val($r["url"]) . '</a></td>';
Should be

Code:

echo '<td><a href="' . encode_form_val($r["url"]) . '" target="_blank">' . encode_form_val($r["url"]) . '</a></td>';

Re: XI2024 | MyTools

Posted: Fri Dec 08, 2023 12:46 pm
by snapier3
So yeah, removing the double encode works in the common tools and mytools flavors.

Code:

<?php
        $mr = get_commontools();
        foreach ($mr as $id => $r) {
            echo "<tr>";
            echo "<td>" . encode_form_val($r["name"]) . "</td>";
            echo '<td><a href="' . encode_form_val($r["url"]) . '" target="_blank">' . encode_form_val($r["url"]) . '</a></td>';
            echo "<td>";
            if (is_admin()) {
                echo "<a href='?edit=1&id=" . $id . "&nsp=" . get_nagios_session_protector_id() . "'><img src='" . theme_image("pencil.png") . "' alt='" . _('Edit') . "' title='" . _('Edit') . "' class='tt-bind'></a>&nbsp;";
                echo "<a href='?delete=1&id=" . $id . "&nsp=" . get_nagios_session_protector_id() . "'><img src='" . theme_image("cross.png") . "' alt='" . _('Delete') . "' title='" . _('Delete') . "' class='tt-bind'></a>&nbsp;";
            }
            echo "<a href='?go=1&id=" . $id . "&nsp=" . get_nagios_session_protector_id() . "'><img src='" . theme_image("b_next.png") . "' alt='" . _('View') . "' title='" . _('View') . "' class='tt-bind'></a>";
            echo "</td>";
            echo "</tr>";
        }
        if (count($mr) == 0) {
            if (is_admin())
                echo "<tr><td colspan='3'>" . _("You haven't defined any tools yet.") . " (<a href='?edit=1'>" . _("Add one now") . "</a>)</td></tr>";
            else
                echo "<tr><td colspan='3'>" . _("No common tools have been defined yet.") . "</td></tr>";
        }
        ?>

Re: XI2024 | MyTools

Posted: Fri Dec 08, 2023 3:00 pm
by bbahn
That will work, but I think the proper way to fix this would be to split off the initial http:// https:// using a regex like this ^https?:\/\/ and then merging that back with the rest of the string that did go through the urlencode. Otherwise you're not sufficiently protecting against malicious URLs.
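
Added example, not part of the thread and not Nagios XI code: a side-by-side of the three href treatments discussed above (urlencode over the whole URL, HTML-escape only, and the split-off-the-scheme approach). `html_attr()` is a hypothetical stand-in for `encode_form_val()`, assumed to HTML-escape its input; the function names and sample URLs are constructed, and restoring the URL delimiters after encoding is an assumption made here so that subdirectories and query strings still resolve.

```php
<?php
// Added illustration, not Nagios XI code.
// html_attr() stands in for encode_form_val(), assumed to HTML-escape its input.
function html_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Behaviour reported in the thread: the whole URL goes through urlencode(),
// so "://" is encoded and the browser resolves the href as a relative path.
function href_urlencoded(string $url): string
{
    return urlencode(html_attr($url));
}

// Split approach from the last post: accept only http:// or https://, keep the
// scheme literal and percent-encode the rest. Restoring the URL delimiters
// afterwards is an assumption added here so paths and queries keep working.
function href_split(string $url): ?string
{
    if (!preg_match('~^(https?://)(.+)$~iD', $url, $m)) {
        return null; // javascript:, data:, relative paths etc. are rejected
    }
    $rest = strtr(rawurlencode($m[2]), [
        '%2F' => '/', '%3F' => '?', '%3D' => '=', '%26' => '&',
        '%3A' => ':', '%23' => '#', '%25' => '%',
    ]);
    return html_attr($m[1] . $rest);
}

// Constructed sample URLs.
$samples = [
    'https://example.com/tools/status?host=web01&view=1',
    'http://example.com/dir/page"onmouseover="x',
    'javascript:alert(1)',
];

foreach ($samples as $url) {
    printf("input:      %s\n", $url);
    printf("urlencoded: %s\n", href_urlencoded($url));
    printf("escaped:    %s\n", html_attr($url));
    printf("split:      %s\n\n", href_split($url) ?? '(rejected)');
}
```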