Re: [Nagios-devel] cmd.cgi Input Validation Problem
Posted: Wed Jan 15, 2003 6:54 pm
Thanks - should be in CVS shortly.
On 15 Jan 2003 at 13:57, Steve Bonds wrote:
> Nagios folks:
>
> I've been looking at Nagios again recently and you all deserve a lot of
> credit for it. It's really come a long way since its NetSaint days!
>
> In the process of testing out Nagios, I noticed that when I would enter
> downtimes via the CGI interface that the times would not be what I
> entered. It would always be some seemingly random time after what I
> entered. (I.e. 17:00 would become 17:36 or some such.)
>
> I quickly discovered that the problem was me-- I neglected to enter 17:00
> as "17:00:00" with the seconds included and the CGI was tacking on some
> random number of seconds since the value was uninitialized. The best fix
> for this would be to have the CGI validate all its inputs, but the next
> best fix is to simply initialize all the time values appropriately.
>
> Below is a patch to do just that, should you want to. I regret that since
> the SourceForge CVS servers are unavailable that I can't check CVS to see
> if this was already fixed (or if not, at least provide a patch versus CVS
> rather than the 1.0 release code.)
>
> Since the CVS servers aren't working, here's the patch versus 1.0:
>
> -----
> diff -u cmd.c.orig cmd.c
> --- cmd.c.orig Sun Nov 10 17:13:09 2002
> +++ cmd.c Wed Jan 15 13:40:29 2003
> @@ -2251,6 +2251,20 @@
> int string_to_time(char *buffer, time_t *t){
> struct tm lt;
>
> + /* Initialize some variables just in case they don't get parsed
> + by the sscanf() call. A better solution is to also check the
> + CGI input for validity, but this should suffice to prevent
> + strange problems if the input is not valid.
> + Jan 15 2003 Steve Bonds */
> + lt.tm_mon = 0;
> + lt.tm_mday = 1;
> + lt.tm_year = 1900;
> + lt.tm_hour = 0;
> + lt.tm_min = 0;
> + lt.tm_sec = 0;
> + lt.tm_wday = 0;
> + lt.tm_yday = 0;
> +
> sscanf(buffer,"%02d/%02d/%04d
> %02d:%02d:%02d",<.tm_mon,<.tm_mday,<
> ..tm_year,<.tm_hour,<.tm_min,<.tm_sec);
>
> lt.tm_mon--;
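Review bot: the return value of sscanf() is still unchecked after this hunk, so an input that omits the seconds field (the exact case in the report) is accepted silently with tm_sec defaulting to 0 rather than being rejected; since sscanf() returns the number of conversions made, the minimal validation the new comment asks for is to require exactly 6 and return an error otherwise, then range-check the six fields (month 1..12, hour 0..23, and so on) before the `lt.tm_mon--;` adjustment. Two smaller points on the initialized fields: tm_wday and tm_yday are set but mktime() ignores them, while tm_isdst, which mktime() does consult and which can shift the result by an hour when it holds garbage, is left uninitialized; `lt.tm_isdst = -1;` (or a memset of the whole struct followed by that assignment) covers it. Also, struct tm's tm_year counts years since 1900, so the default of 1900 only gives a sane fallback if the code after this hunk subtracts 1900 from the %04d value read into tm_year; that adjustment is not visible here, so either confirm it exists or default tm_year to 0. Finally, the argument list of the sscanf() call as shown (`<.tm_mon`, `..tm_year`) looks mangled by the archive rather than by the patch; worth knowing before applying this text directly.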
> -----
>
> -- Steve Bonds
>
> _______________________________________________
> Nagios-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/lis ... gios-devel
>
Ethan Galstad,
Nagios Developer
---
Email: [email protected]
Website: http://www.nagios.org
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
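The failure described in the report (a timestamp entered without seconds leaves tm_sec holding whatever was on the stack, so 17:00 becomes 17:36) and the input validation the report calls the best fix, worked through as an added C example. This is not Nagios code and not Steve Bonds's patch: the function names conversions_made, string_to_time_checked and parse_to_hms, the OK/ERROR return values, and the accepted year range 1970..2037 are my assumptions; only the "MM/DD/YYYY HH:MM:SS" format follows the sscanf() call visible in the patch.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define OK     0
#define ERROR -1

/* The format the patched cmd.cgi sscanf() call reads: MM/DD/YYYY HH:MM:SS */
#define TIME_FORMAT "%2d/%2d/%4d %2d:%2d:%2d"

/* How many of the six fields sscanf() actually fills for a given input.
 * Anything below 6 means the remaining fields keep whatever value they held
 * before the call, which in the original code was uninitialized stack data. */
int conversions_made(const char *buffer)
{
    int mon = 0, mday = 0, year = 0, hour = 0, min = 0, sec = 0;
    return sscanf(buffer, TIME_FORMAT, &mon, &mday, &year, &hour, &min, &sec);
}

/* Hardened parser (assumed names/limits): every field must be present and in
 * range, the date must really exist, and trailing garbage is rejected. */
int string_to_time_checked(const char *buffer, time_t *t)
{
    struct tm lt;
    int mon, mday, year, hour, min, sec;
    char extra;

    memset(&lt, 0, sizeof lt);          /* nothing is left uninitialized */

    /* " %c" only converts if a non-blank character follows the timestamp, so
     * exactly 6 conversions means all fields present and nothing after them. */
    if (sscanf(buffer, TIME_FORMAT " %c",
               &mon, &mday, &year, &hour, &min, &sec, &extra) != 6)
        return ERROR;

    if (mon < 1 || mon > 12 || mday < 1 || mday > 31 ||
        year < 1970 || year > 2037 ||              /* assumed 32-bit time_t range */
        hour < 0 || hour > 23 || min < 0 || min > 59 || sec < 0 || sec > 59)
        return ERROR;

    lt.tm_mon   = mon - 1;       /* struct tm months are 0-based */
    lt.tm_mday  = mday;
    lt.tm_year  = year - 1900;   /* struct tm years count from 1900 */
    lt.tm_hour  = hour;
    lt.tm_min   = min;
    lt.tm_sec   = sec;
    lt.tm_isdst = -1;            /* let mktime() decide DST; garbage here shifts by an hour */

    *t = mktime(&lt);
    if (*t == (time_t)-1)
        return ERROR;

    /* mktime() silently normalizes impossible dates (02/30 -> 03/02);
     * treat any such adjustment as invalid input rather than accepting it. */
    if (lt.tm_mon != mon - 1 || lt.tm_mday != mday || lt.tm_year != year - 1900)
        return ERROR;

    return OK;
}

/* Parse, then read the result back as HHMMSS in local time (mktime/localtime
 * round trip), or -1 if the input was rejected. */
int parse_to_hms(const char *buffer)
{
    time_t t;
    struct tm *back;
    if (string_to_time_checked(buffer, &t) != OK)
        return -1;
    back = localtime(&t);
    return back->tm_hour * 10000 + back->tm_min * 100 + back->tm_sec;
}

int main(void)
{
    /* Constructed sample inputs, not taken from a real Nagios installation. */
    const char *inputs[] = {
        "01/15/2003 17:00:00",   /* valid */
        "01/15/2003 17:00",      /* seconds missing: the case in the report */
        "02/30/2003 17:00:00",   /* impossible date */
        "01/15/2003 17:00:00 x", /* trailing garbage */
    };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-24s conversions=%d  checked=%d\n", inputs[i],
               conversions_made(inputs[i]), parse_to_hms(inputs[i]));
    return 0;
}
```

Compile with any C compiler and run it: only the first input is accepted; conversions_made() reports 5 for the seconds-less input, which is exactly why the original sscanf() left tm_sec untouched, and the checked parser turns that into a rejection instead of a default.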