Re: [Nagios-devel] Nagios Tracker #15 - cannot access if logged in

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Locked
Guest

Re: [Nagios-devel] Nagios Tracker #15 - cannot access if logged in

Post by Guest »


--Apple-Mail-290-870195202
Content-Type: text/plain;
charset=US-ASCII;
format=flowed;
delsp=yes
Content-Transfer-Encoding: 7bit


On 14 Jul 2009, at 23:10, Christian Schneemann wrote:

> On Tuesday 14 July 2009 23:36:45 Ton Voon wrote:
>> On 11 Jul 2009, at 21:07, Hendrik Baecker wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
> [...]
>>>
>>> Your comment related to the IDN Domains is attached to the post, if
>>> you
>>> have more ideas on it, please send a message off-list to Ethan,
>>> Andreas
>>> Ericsson and Ton Voon.
>>
>> Is there a definitive list of all characters used in IDN Domains?
> "Yes", every character that is possible in a language can be used in
> an
> internationalized domain name of that country, that makes a simple
> whitelist
> impossible I think.

I would rather do a whitelist than a blacklist, especially given the
nature of the security bug.

However, I guess a blacklist of "bad shell characters" could be
possible.

Another option is possibly that we scan the nagios objects.dat file
and only allow host addresses that have been specified there, which is
another form of whitelisting, but allows IDNs.

> The iana has special character tables for every possible domain-name.
> http://www.iana.org/domains/idn-tables/
>
> I'm playing around with libidn [1], they have functions to check for
> an
> allowed IDN domain. Maybe that could help here.
>
> [1] http://www.gnu.org/software/libidn/

This doesn't appear to be easy to embed into a third party app, but
I'd be happy to be proven wrong.

Ton


--Apple-Mail-290-870195202
Content-Type: text/html;
charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

On 14 Jul 2009, =
at 23:10, Christian Schneemann wrote:On =
Tuesday 14 July 2009 23:36:45 Ton Voon wrote:On 11 Jul 2009, at 21:07, Hendrik Baecker =
wrote:-----BEGIN PGP SIGNED =
MESSAGE-----[...]Your comment related to the IDN =
Domains is attached to the post, =
ifyouhave more ideas on it, please =
send a message off-list to =
Ethan,AndreasEricsson and Ton =
Voon.Is there a =
definitive list of all characters used in IDN =
Domains?"Yes", every character that is possible in a =
language can be used in an internationalized domain name of that =
country, that makes a simple whitelist impossible I =
think.I would rather do a whitelist =
than a blacklist, especially given the nature of the security =
bug.However, I guess a blacklist of "bad shell =
characters" could be possible.Another option =
is possibly that we scan the nagios objects.dat file and only allow host =
addresses that have been specified there, which is another form of =
whitelisting, but allows IDNs.The iana has special character tables for every =
possible domain-name. http://www.iana.org/domai=
ns/idn-tables/I'm playing around with libidn [1], they have =
functions to check for an allowed IDN domain. Maybe that could help =
here.[1] http://www.gnu.org/s

...[email truncated]...


This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
Top
Locked

Return to “Open Source Nagios Projects”