Variables encoded twice

Bernd Arnold bernd_a at gmx.de
Fri Aug 1 23:18:34 CEST 2008


> The submitted parameters are processed by sanitize_cgi_input() at the
> start of the CGI. There is no added security if we process them again at
> this point.
> 
> Example: If you have a host with the name SDSL:Customer you can call
> avail.cgi for the first time with no problems. But if you change the
> timeperiod and resubmit, the hostname is converted to SDSL%3ACustomer
> and you get an error.
> 

Thanks for your example. Yes, you are right, this is not how it should work. It's a bug. The wrong conversion also happens for hosts with a backslash in their name.

I agree, there is no additional security since the browser encodes special characters.

But since we are printing out data from the user (host_name) directly to the browser, we should ensure that characters with a special HTML meaning are encoded. By default, such characters (< > " ') are not allowed (see illegal_object_name_chars in nagios.cfg). 

Think of a user who changed illegal_object_name_chars so that the apostrophe ' is an allowed character in a host's name:

define host {
  use linux-server
  host_name John's server
  alias Test 5
  address 127.0.0.1
}

The output of avail.cgi without encoding is
<input type='hidden' name='host' value='John's server'>

value is set to "John", and "s server'" is incorrect HTML and ignored by my browser. Pressing the Update button now searches for a host named John.

So try
printf("<input type='hidden' name='host' value='%s'>\n",html_encode(host_name,FALSE));

in avail.c (I've only tried the host part but I assume it should apply to all your patched lines) and you'll see it works correctly then for both hosts "SDSL:Customer" and "John's Server".

Can you please verify this and resubmit the patch if you agree?

Have a nice weekend!

Regards
Bernd

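The encoding fix discussed above, as an added example that is not code from this thread or from Nagios: a minimal HTML-attribute encoder standing in for Nagios' html_encode() (whose internals are not shown here), used to build the hidden input the way avail.cgi prints it. It escapes only the characters with HTML meaning, so a colon or backslash in a host name stays as-is instead of becoming %3A.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode a string for use inside an HTML attribute value.
 * Constructed stand-in for html_encode(): escapes & < > " ' and leaves
 * every other byte alone, so "SDSL:Customer" is not turned into
 * "SDSL%3ACustomer" (that is URL encoding, the wrong transform here).
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *html_attr_encode(const char *in)
{
    size_t cap = strlen(in) * 6 + 1;   /* worst case: every byte -> "&quot;" */
    char *out = malloc(cap);
    size_t n = 0;
    if (!out) return NULL;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { strcpy(out + n, rep); n += strlen(rep); }
        else out[n++] = *in;
    }
    out[n] = '\0';
    return out;
}

/* Build the hidden <input> as avail.cgi does, with the value encoded.
 * Returns the snprintf result, or -1 if encoding failed. */
int hidden_input(char *buf, size_t buflen, const char *host_name)
{
    char *enc = html_attr_encode(host_name);
    int r;
    if (!enc) return -1;
    r = snprintf(buf, buflen, "<input type='hidden' name='host' value='%s'>", enc);
    free(enc);
    return r;
}

int main(void)
{
    char buf[256];
    hidden_input(buf, sizeof buf, "John's server");
    puts(buf);   /* value='John&#39;s server': the attribute now holds the whole name */
    hidden_input(buf, sizeof buf, "SDSL:Customer");
    puts(buf);   /* value='SDSL:Customer': colon untouched, no %3A */
    return 0;
}
```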
