nagios2 plugin output sanitization

[Andreas Ericsson]

Christoph Biedl wrote:
> John P. Rouillard wrote...
> 
>> Returning HTML from the plugin is not a bad thing especially with the
>> larger output size we now have. I can easily see the plugin doing some
>> diagnosis and providing a link to the page that describes the problem
>> and solution for an operator to implement.
> 
> This makes sense.  But nagios will have to default to "plugin may send
> harmful content", at least as long as plugins forward third parties data
> as-is, e.g. the greeting banner of a NNTP server tested.

No, the *cgi's* can possibly default to "plugin may send harmful content".
Nagios core shouldn't care, for reasons stated elsewhere in this thread.

>  Volunteers to
> audit all plugings currently availabe?
> 
> In other words, the current state of nagios2 allows another XSS attack
> although this cannot be done easily.  My primary intent is to have that
> problem fixed.
> 

Sounds as if you just volunteered yourself. It's usually the best way to
get anything done in oss projects. I'll review your patches, but I'm not
all that fuzzed about this myself, since the attack vector is so narrow
one could probably split tachyons with it.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/