Re: clean_macro_chars() no longer called in utils.c in 2.0b1 ? [Virus scanned]

Sascha Runschke srunschke at abit.de
Fri Feb 4 13:37:28 CET 2005


Hello Stanley,

> Nagios 2.0b1 appears not to clean illegal characters from certain macros
> as documented.

I've already tried to point that out a few times, no one listened though ;)

> Whereas 1.2 has a logical case formed by an 'if then else if ..' chain 
> to clean the macro content depending on the macro name, the 2.0b1 code 
> relies on a flag named clean_macro that is only cleared (as far as I 
> can see).

Not only does that hamper the functionality of Nagios by quite a bit
(I still can't see the output of check_nt DISKUSAGE service checks...),
but it poses a BIG security risk too.
Just think of handcrafted passive checks. It would take me approx. 5 mins
to break the system apart, since some macro outputs are parsed by
shell scripts.

sash

--------------------------------------------------
Sascha Runschke
Netzwerk Administration
IT-Services

ABIT AG
Robert-Bosch-Str. 1
40668 Meerbusch

Tel.:+49 (0) 2150.9153.226
mailto:SRunschke at abit.de

http://www.abit.net
http://www.abit-epos.net
http://www.my-academy.net
--------------------------------------------------
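
The per-macro cleaning decision discussed in this thread, as an added example that is not part of the original post and is not Nagios source code. The function names, the macro list and the character set (modelled on the `illegal_macro_output_chars` directive) are assumptions; dropping control characters is an extra choice made here.

```c
#include <stdio.h>
#include <string.h>

/* Assumed set, modelled on the illegal_macro_output_chars directive. */
static const char *ILLEGAL_CHARS = "`~$&|'\"<>";

/* Assumed list of macros that carry check output (externally supplied text). */
static const char *UNTRUSTED_MACROS[] = {
    "HOSTOUTPUT", "SERVICEOUTPUT", "HOSTPERFDATA", "SERVICEPERFDATA", NULL
};

/* Return 1 when the named macro must be cleaned before use, else 0. */
int macro_needs_cleaning(const char *name)
{
    for (int i = 0; UNTRUSTED_MACROS[i] != NULL; i++)
        if (strcmp(name, UNTRUSTED_MACROS[i]) == 0)
            return 1;
    return 0;
}

/* Remove illegal and control characters in place; return the new length. */
size_t strip_illegal_chars(char *value)
{
    size_t out = 0;
    for (size_t in = 0; value[in] != '\0'; in++) {
        unsigned char c = (unsigned char)value[in];
        if (c < 32 || c == 127 || strchr(ILLEGAL_CHARS, c) != NULL)
            continue;               /* drop the character */
        value[out++] = value[in];
    }
    value[out] = '\0';
    return out;
}

/* Decide from the macro name on every call, so no shared flag can go stale. */
size_t expand_macro(const char *name, char *value)
{
    if (macro_needs_cleaning(name))
        return strip_illegal_chars(value);
    return strlen(value);
}

int main(void)
{
    char out[] = "DISK OK `echo x` | used=42%";  /* constructed sample output */
    expand_macro("SERVICEOUTPUT", out);
    printf("%s\n", out);
    return 0;
}
```

Scripts that consume these macros should still quote them, since the character filter is only one layer.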