
Re: [Nagios-devel] Variables encoded twice

Posted: Fri Aug 01, 2008 1:18 pm
by Guest
> The submitted parameters are processed by sanitize_cgi_input() at the
> start of the CGI. There is no added security if we process them again at
> this point.
>
> Example: If you have a host with the name SDSL:Customer you can call
> avail.cgi for the first time with no problems. But if you change the
> timeperiod and resubmit, the hostname is converted to SDSL%3ACustomer
> and you get an error.
>

Thanks for your example. Yes, you are right, this is not how it should work. It's a bug. The wrong conversion also happens for hosts with a backslash in their names.

I agree, there is no additional security since the browser encodes special characters.

But since we are printing out data from the user (host_name) directly to the browser, we should ensure that characters with a special HTML meaning are encoded. By default, such characters ( " ') are not allowed (see illegal_object_name_chars in nagios.cfg).

Think of a user who changed illegal_object_name_chars so that the apostrophe ' is an allowed character in a host's name:

define host {
    use        linux-server
    host_name  John's server
    alias      Test 5
    address    127.0.0.1
}

The output of avail.cgi without encoding is


value is set to "John", and "s server'" is incorrect HTML and ignored by my browser. Pressing the Update button now searches for a host named John.

So try
printf("\n",html_encode(host_name,FALSE));

in avail.c (I've only tried the host part but I assume it should apply to all your patched lines) and you'll see it works correctly then for both hosts "SDSL:Customer" and "John's Server".

Can you please verify this and resubmit the patch if you agree?

Have a nice weekend!

Regards
Bernd

This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
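
The round trip discussed in this thread, as an added example (not code from the post or from Nagios): a hidden form field is written into the page, parsed by the browser, percent-encoded on submit and decoded once by the CGI. It assumes the field uses a single-quoted value attribute, as the "John" truncation described above suggests; encode, url_decode, attr_parse and resubmit are hypothetical names, and encode(..., 1) is a stand-in for an HTML encoder, not Nagios's html_encode().

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* html=1: entity-encode HTML specials (stand-in, not Nagios's html_encode());
 * html=0: percent-encode, as a browser does to form values on submit. */
static void encode(const char *in, char *out, size_t n, int html) {
    size_t o = 0;
    for (; *in && o + 6 < n; in++)
        if (html ? !strchr("<>&\"'", *in) : isalnum((unsigned char)*in)) out[o++] = *in;
        else o += (size_t)snprintf(out + o, n - o, html ? "&#%d;" : "%%%02X", (unsigned char)*in);
    out[o] = '\0';
}

/* One percent-decoding pass, as the CGI applies to its input. */
static void url_decode(const char *in, char *out, size_t n) {
    size_t o = 0;
    unsigned v = 0;
    while (*in && o + 1 < n)
        if (*in == '%' && isxdigit((unsigned char)in[1]) && isxdigit((unsigned char)in[2])
                && sscanf(in + 1, "%2x", &v) == 1) {
            out[o++] = (char)v; in += 3;
        } else out[o++] = *in++;
    out[o] = '\0';
}

/* What a browser keeps from value='...': text up to the quote, &#NN; decoded. */
static void attr_parse(const char *in, char *out, size_t n) {
    size_t o = 0;
    int v = 0, len = 0;
    for (; *in && *in != '\'' && o + 1 < n; len = 0)
        if (sscanf(in, "&#%d;%n", &v, &len) == 1 && len > 0) { out[o++] = (char)v; in += len; }
        else out[o++] = *in++;
    out[o] = '\0';
}

/* Field value as written into the page -> host name the CGI sees after Update. */
static void resubmit(const char *field, char *out, size_t n) {
    char parsed[256], wire[800];
    attr_parse(field, parsed, sizeof parsed);
    encode(parsed, wire, sizeof wire, 0);
    url_decode(wire, out, n);
}

int main(void) {
    char got[64];
    resubmit("John&#39;s server", got, sizeof got); /* constructed field value */
    return puts(got) == EOF;
}
```

A raw field value of John's server comes back as John, and a field holding the URL-encoded SDSL%3ACustomer comes back still encoded; the entity-encoded values of both host names come back unchanged.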