Re: [Nagios-devel] escaping/sanitizing plugin output in nagios


Post by Guest »


hi andreas,

On Tue, 2007-04-03 at 17:03 +0200, Andreas Ericsson wrote:

> > This same bug exists in config.c when displaying arguments TO the plugins.
> >
>
> That's not a bug, and in no way a security issue. If someone has access to
> modify the nagios config files you should stop worrying about XSS attacks
> for the same reason you shouldn't try to plug a leak in the kitchen sink
> when your house is on fire.

granted i haven't actually checked this, but what if you have a
check_command defined as "/path/to/something < /path/to/input" ? not a
security issue in this regard, but i'd say a bug if it mucks with the
displaying of the content.

in any event i'd say it's a matter that should still be worked out with
the plugin output presentation.


sean







This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
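
The display concern raised in the message above, as an added example that is not part of the original post or of the Nagios source: a bounded HTML-escaping routine applied to a command line before it is written into a page, so that a character such as `<` is shown literally instead of being parsed as markup. The name `html_escape` and the buffer sizes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a Nagios function): writes an HTML-escaped copy
 * of src into dst, which holds dstlen bytes and is always NUL-terminated.
 * Returns the length the complete escaped string needs, excluding the NUL,
 * so a return value >= dstlen means the output was truncated.
 * Truncation stops before an entity that does not fit; it never splits one. */
size_t html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t need = 0, used = 0;
    int full = 0;

    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep;
        size_t n;

        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        n = strlen(rep);
        need += n;
        if (!full && dstlen > 0 && used + n < dstlen) {
            memcpy(dst + used, rep, n);
            used += n;
        } else {
            full = 1; /* keep counting, stop writing */
        }
    }
    if (dstlen > 0)
        dst[used] = '\0';
    return need;
}

int main(void)
{
    /* The check_command string from the message above. */
    const char *cmd = "/path/to/something < /path/to/input";
    char out[128];
    size_t need = html_escape(cmd, out, sizeof out);

    printf("<td>%s</td>\n", out);
    return need >= sizeof out; /* non-zero exit if truncated */
}
```

The same routine applies to plugin output and to configured command lines, since both are text that ends up inside HTML.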