Re: [Nagios-devel] Variables encoded twice
Posted: Tue Aug 05, 2008 11:30 am
> > So try
> > printf(" > value='%s'>\n",html_encode(host_name,FALSE));
>
> But this works only if you enable escape_html_tags in cgi.cfg.
>
> New idea: I added a function escape_string() to clean all user supplied
> strings that get printed into html form values. Works for the above test
> cases independent of escape_html_tags. An updated patch is attached.
>
Hi Armin,
I fully agree. The html_encode function depends on the escape_html_tags setting. I've applied your patch and it works for the hosts "SDSL:Customer" and "John's server" in avail.cgi.
But it's not complete yet. Try "John's server" in the histogram.cgi and trends.cgi, and you'll get
John's server
Maybe you'll have a look at this; I will also, but I don't have the time today.
During compile, I've got four warning messages:
avail.c:944: warning: pointer/integer type mismatch in conditional expression
history.c:207: warning: pointer/integer type mismatch in conditional expression
trends.c:861: warning: pointer/integer type mismatch in conditional expression
histogram.c:749: warning: pointer/integer type mismatch in conditional expression
They don't appear if I declare your escape_string function in the cgiutils.h files (I don't know the difference between cgiutils.h and cgiutils.h.in, so I patched both files).
Regards
Bernd
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
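Added example, not part of the original message and not the escape_string() from the attached patch: a minimal C sketch of escaping a value for a quoted HTML attribute unconditionally (no dependence on a setting such as escape_html_tags), and of what happens when an already-escaped value is escaped again. The function name attr_escape and the input tag in main() are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not the escape_string() from the patch: returns a
 * malloc'd copy of `in` that is safe inside a quoted HTML attribute value.
 * It always escapes, independent of any configuration switch. */
char *attr_escape(const char *in) {
    size_t i, n = 0;
    char *out, *p;

    if (in == NULL)
        return NULL;
    /* Longest replacement is 6 bytes ("&quot;"), so 6x is a safe bound. */
    out = malloc(strlen(in) * 6 + 1);
    if (out == NULL)
        return NULL;
    p = out;
    for (i = 0; in[i] != '\0'; i++) {
        const char *rep = NULL;
        switch (in[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep != NULL) {
            n = strlen(rep);
            memcpy(p, rep, n);
            p += n;
        } else {
            *p++ = in[i];
        }
    }
    *p = '\0';
    return out;
}

int main(void) {
    /* Constructed sample: host name taken from the thread. */
    char *once = attr_escape("John's server");
    char *twice = attr_escape(once);   /* escaping an already-escaped value */
    printf("<input type='hidden' name='host' value='%s'>\n", once);
    printf("escaped twice: %s\n", twice);
    free(once);
    free(twice);
    return 0;
}
```

Declaring the helper's prototype in a shared header before use also avoids the implicit-int declaration that makes a conditional expression mix a pointer with an integer.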