nagios2 plugin output sanitization

Christoph Biedl nagios.cvvz at manchmal.in-ulm.de
Tue Nov 6 11:23:47 CET 2007


Hi,

Trying to fix Debian bug #416814 (plugin output does not get sanitized
before sending to the browser) I found that a lot of work has already
been done since 2.6. Comparing to 2.10, there are several changes like

-                               printf("[%s] %s<br clear='all'>\n",date_time,temp_buffer);
+                               printf("[%s] %s<br clear='all'>\n",date_time,strip_plugin_html(temp_buffer));
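Review bot: wrapping temp_buffer in strip_plugin_html() only sanitizes anything if that function rewrites the string, and as the message states it currently just returns its input in cgi/cgiutils.c, so this hunk is an identity call and the raw plugin output still reaches the browser unescaped. Either give strip_plugin_html() a real implementation or call html_encode(), which already escapes the HTML-significant characters, at this printf() and the other call sites changed the same way.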

BUT: The strip_plugin_html function in cgi/cgiutils.c does nothing but
returning the input. Is there a reason against using the html_encode
function in all places?  It seems to do the right job which is escaping
potentially harmful html sequences.

By the way, the "anything else gets represented by its hex value" code
converts 8-bit characters in an unexpected manner: for example, '\xff'
gets translated into "&#-1;", at least on amd64. This is not unsafe,
just invalid HTML. I'd suggest changing

-                        sprintf(temp_expansion,"&#%d;",(unsigned int)input[x]);
+                        sprintf(temp_expansion,"&#%d;",(unsigned char)input[x]);
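Review bot: the (unsigned char) cast is the right fix for the "&#-1;" output: with a signed char, '\xff' holds -1, converting that to unsigned int gives 0xFFFFFFFF, and "%d" prints it back as -1, whereas an unsigned char promotes to the int 255 and "&#255;" is emitted, which also makes the argument type match "%d" exactly. One caveat that applies before and after the change: numeric references above 127 denote Unicode code points, so each byte of a multi-byte UTF-8 sequence becomes a separate Latin-1 character and non-ASCII plugin output renders as mojibake; that is harmless, like the -1 case, but worth a comment next to the sprintf().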

    Christoph
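To show both points of the message in running code (escaping plugin output with an html_encode-style function, and why the (unsigned char) cast gives "&#255;" where the original cast gave "&#-1;"), here is an added example. It is not Nagios' code: the function names, the entity choices and the output buffer sizing are assumptions made for this illustration, and the sample plugin output is constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Nagios' own code: a small HTML encoder in the spirit
 * of the html_encode() discussed in the message. Function names and the
 * output buffer sizing are assumptions made for this illustration. */

/* Value that the original "(unsigned int)input[x]" cast hands to "%d".
 * Where char is signed, '\xff' is -1, becomes 0xFFFFFFFF as unsigned int
 * and is printed back by "%d" as -1, giving the invalid reference "&#-1;". */
int numeric_ref_value_buggy(char c) {
    return (int)(unsigned int)c;
}

/* Value after the proposed "(unsigned char)input[x]" cast: the byte is
 * read as 0..255 and promoted to int, so '\xff' yields 255 on every platform. */
int numeric_ref_value_fixed(char c) {
    return (unsigned char)c;
}

/* Escape plugin output for inclusion in an HTML page. Printable ASCII is
 * copied through, the five HTML-significant characters get entities, and
 * every other byte (control characters and anything with the high bit set)
 * becomes a decimal numeric reference built from its unsigned value.
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *html_encode_example(const char *input) {
    size_t len = strlen(input);
    /* Worst case per input byte is 6 output chars ("&quot;" or "&#255;"). */
    char *out = malloc(len * 6 + 1);
    if (out == NULL)
        return NULL;
    char *p = out;
    for (size_t x = 0; x < len; x++) {
        unsigned char c = (unsigned char)input[x];   /* never negative */
        switch (c) {
        case '<':  p += sprintf(p, "&lt;");   break;
        case '>':  p += sprintf(p, "&gt;");   break;
        case '&':  p += sprintf(p, "&amp;");  break;
        case '"':  p += sprintf(p, "&quot;"); break;
        case '\'': p += sprintf(p, "&#39;");  break;
        default:
            if (c >= 0x20 && c < 0x7f)
                *p++ = (char)c;
            else
                p += sprintf(p, "&#%d;", c);   /* c promotes to int 0..255 */
        }
    }
    *p = '\0';
    return out;
}

int main(void) {
    /* Constructed sample of plugin output: markup, an ampersand, quotes
     * and a raw 0xff byte such as a plugin might emit. */
    const char sample[] = "DISK WARNING <b>/</b> & 'free' < 10% \xff";
    char *safe = html_encode_example(sample);
    if (safe == NULL)
        return 1;
    printf("%s\n", safe);
    printf("0xff via buggy cast: %d, via fixed cast: %d\n",
           numeric_ref_value_buggy('\xff'), numeric_ref_value_fixed('\xff'));
    free(safe);
    return 0;
}
```

Two things to keep in mind when adapting this: the encoder works byte by byte, so each byte of a multi-byte UTF-8 sequence is turned into its own Latin-1 numeric reference and non-ASCII text will display as mojibake unless the input is decoded first; and the caller owns the returned buffer, which matters if the result is used directly as a printf() argument as in the 2.10 hunks.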

_______________________________________________
Nagios-devel mailing list
Nagios-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-devel

