
Re: [Nagios-devel] escaping/sanitizing plugin output in nagios

Posted: Tue Apr 03, 2007 2:44 pm
by Guest


tjena andreas,

On Tue, 2007-04-03 at 17:03 +0200, Andreas Ericsson wrote:

> > This same bug exists in config.c when displaying arguments TO the plugins.
> >
>
> That's not a bug, and in no way a security issue. If someone has access to
> modify the nagios config files you should stop worrying about XSS attacks
> for the same reason you shouldn't try to plug a leak in the kitchen sink
> when your house is on fire.

granted i haven't actually checked this, but what if you have a
check_command defined as "/path/to/something < /path/to/input" ? not a
security issue in this regard, but i'd say a bug if it mucks with the
displaying of the content.

in any event i'd say it's a matter that should still be worked out with
the plugin output presentation.


sean

This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]