Re: [Nagios-devel] nagios2 plugin output sanitization

Posted: Tue Nov 06, 2007 9:09 am
by Guest
Christoph Biedl wrote:
> Hi,
>
> Trying to fix Debian bug #416814 (plugin output does not get sanitized
> before sending to the browser) I found that a lot of work has already
> been done since 2.6. Comparing to 2.10 there are several changes like
>
> - printf("[%s] %s\n",date_time,temp_buffer);
> + printf("[%s] %s\n",date_time,strip_plugin_html(temp_buffer));
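Review bot: as the message above notes, strip_plugin_html() in cgi/cgiutils.c returns its input unchanged, so this hunk does not alter what reaches the browser; the raw plugin output is still printed. Unless that function gains a real body, the effective change is to route temp_buffer through html_encode() here (or have strip_plugin_html() call it), so that the escaping the hunk appears to add actually happens.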
>
> BUT: The strip_plugin_html function in cgi/cgiutils.c does nothing but
> returning the input. Is there a reason against using the html_encode
> function in all places? It seems to do the right job which is escaping
> potentially harmful html sequences.

The only thing that really needs to be escaped/sanitized in my opinion
is the plugin output. Everything else (host names, etc.) is specified
by the admin in the config files. The output from plugin can vary
each/every invocation, so the safety of the output is unknown at any
given time.

>
> By the way, the "anything else gets represented by its hex value" code
> converts 8bit characters in an unexpected manner: For example, '\xff'
> gets translated into "&#-1;", at least on amd64. This is not unsafe,
> just invalid html. I'd suggest changing
>
> - sprintf(temp_expansion,"&#%d;",(unsigned int)input[x]);
> + sprintf(temp_expansion,"&#%d;",(unsigned char)input[x]);
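Review bot: the (unsigned char) cast is the right fix for the sign-extension problem described above. With a signed char, input[x] holding '\xff' is promoted to -1 before the (unsigned int) cast, and printing that value through %d gives "&#-1;"; the (unsigned char) cast yields 255 and, after integer promotion, is also the int that %d expects, so the format and argument types now match. Worth checking in the same change that temp_expansion is sized for the longest expansion this can now produce ("&#255;" is six characters plus the terminator).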
>
> Christoph

Good idea - I'll get a patch in for both 2.x and HEAD (3.x) branches in CVS.


Ethan Galstad
Nagios Developer
___
Email: [email protected]
Web: www.nagios.org
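The following is an added example, not code from Nagios or from either poster, showing the two behaviours discussed in this thread side by side: an allow-list encoder that turns every byte outside a small safe set into a decimal character reference, with the sign-extended cast from the original sprintf and the corrected (unsigned char) cast selectable by a flag. The function name encode_plugin_output, the allow list of punctuation and the sample plugin line are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Nagios code. Allow-list encoder for untrusted plugin
 * output: letters, digits, space and a few punctuation marks pass through,
 * every other byte becomes a decimal character reference (&#N;), the scheme
 * the thread describes. sign_safe selects the corrected (unsigned char) cast.
 * Returns a malloc'd string that the caller frees; NULL on allocation failure. */
char *encode_plugin_output(const char *input, int sign_safe)
{
    size_t len = strlen(input);
    /* worst case per byte is "&#255;" (6 chars) or, with the bug, "&#-128;" (7) */
    size_t cap = len * 7 + 1;
    char *out = malloc(cap);
    if (out == NULL)
        return NULL;

    size_t pos = 0;
    for (size_t x = 0; x < len; x++) {
        unsigned char c = (unsigned char)input[x];

        /* safe set: ASCII letters/digits, space and harmless punctuation */
        if (isalnum(c) || c == ' ' || strchr(".,:;-_()", c) != NULL) {
            out[pos++] = (char)c;
            continue;
        }

        int code;
        if (sign_safe) {
            code = c;   /* 0..255, always a valid character reference */
        } else {
            /* Reproduces the original: the byte is read as a (signed) char,
             * sign-extended, cast to unsigned int and printed with %d, which
             * turns '\xff' into -1. signed char is forced here so the result
             * is the same on platforms where plain char is unsigned. */
            code = (int)(unsigned int)(signed char)input[x];
        }
        pos += (size_t)snprintf(out + pos, cap - pos, "&#%d;", code);
    }
    out[pos] = '\0';
    return out;
}

int main(void)
{
    /* constructed sample: a plugin line carrying a script tag and an 8-bit byte */
    const char *sample = "OK - <script>alert(1)</script> \xff";
    char *buggy = encode_plugin_output(sample, 0);
    char *fixed = encode_plugin_output(sample, 1);
    if (buggy == NULL || fixed == NULL)
        return 1;
    printf("buggy: %s\nfixed: %s\n", buggy, fixed);
    free(buggy);
    free(fixed);
    return 0;
}
```

Running it prints the 0xff byte as "&#-1;" on the buggy path and "&#255;" on the corrected one, while the markup characters in the script tag come out as "&#60;", "&#62;" and "&#47;" in both cases, which is why the original cast was harmless for injection but still produced invalid HTML.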

This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]