Variables encoded twice

Armin Wolfermann aw at osn.de
Tue Aug 5 12:18:07 CEST 2008


* Bernd Arnold <bernd_a at gmx.de> [01.08.2008 23:18]:
> So try
> printf("<input type='hidden' name='host' value='%s'>\n",html_encode(host_name,FALSE));
> 
> in avail.c (I've only tried the host part but I assume it should apply
> to all your patched lines) and you'll see it works correctly then for
> both hosts "SDSL:Customer" and "John's Server".
> 
> Can you please verify this and resubmit the patch if you agree?

But this works only if you enable escape_html_tags in cgi.cfg.

New idea: I added a function escape_string() that HTML-escapes every user-supplied
string before it is printed into an HTML form value. It works for the above test
cases independently of escape_html_tags. An updated patch is attached.

Regards,
Armin Wolfermann
OSN Online Service Nuremberg
-------------- next part --------------
Index: cgi/avail.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/avail.c,v
retrieving revision 1.50
diff -u -r1.50 avail.c
--- cgi/avail.c	23 Jun 2008 20:47:42 -0000	1.50
+++ cgi/avail.c	5 Aug 2008 10:03:57 -0000
@@ -510,13 +510,13 @@
 			if(full_log_entries==TRUE)
 				printf("<input type='hidden' name='full_log_entries' value=''>\n");
 			if(display_type==DISPLAY_HOSTGROUP_AVAIL)
-				printf("<input type='hidden' name='hostgroup' value='%s'>\n",hostgroup_name);
+				printf("<input type='hidden' name='hostgroup' value='%s'>\n",escape_string(hostgroup_name));
 			if(display_type==DISPLAY_HOST_AVAIL || display_type==DISPLAY_SERVICE_AVAIL)
-				printf("<input type='hidden' name='host' value='%s'>\n",url_encode(host_name));
+				printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
 			if(display_type==DISPLAY_SERVICE_AVAIL)
-				printf("<input type='hidden' name='service' value='%s'>\n",svc_description);
+				printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
 			if(display_type==DISPLAY_SERVICEGROUP_AVAIL)
-				printf("<input type='hidden' name='servicegroup' value='%s'>\n",url_encode(servicegroup_name));
+				printf("<input type='hidden' name='servicegroup' value='%s'>\n",escape_string(servicegroup_name));
 
 			printf("<input type='hidden' name='assumeinitialstates' value='%s'>\n",(assume_initial_states==TRUE)?"yes":"no");
 			printf("<input type='hidden' name='assumestateretention' value='%s'>\n",(assume_state_retention==TRUE)?"yes":"no");
@@ -645,13 +645,13 @@
 	        printf("<form method=\"get\" action=\"%s\">\n",AVAIL_CGI);
 		printf("<input type='hidden' name='show_log_entries' value=''>\n");
 		if(display_type==DISPLAY_HOSTGROUP_AVAIL)
-			printf("<input type='hidden' name='hostgroup' value='%s'>\n",hostgroup_name);
+			printf("<input type='hidden' name='hostgroup' value='%s'>\n",escape_string(hostgroup_name));
 		if(display_type==DISPLAY_HOST_AVAIL || display_type==DISPLAY_SERVICE_AVAIL)
-			printf("<input type='hidden' name='host' value='%s'>\n",host_name);
+			printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
 		if(display_type==DISPLAY_SERVICE_AVAIL)
-			printf("<input type='hidden' name='service' value='%s'>\n",svc_description);
+			printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
 		if(display_type==DISPLAY_SERVICEGROUP_AVAIL)
-			printf("<input type='hidden' name='servicegroup' value='%s'>\n",servicegroup_name);
+			printf("<input type='hidden' name='servicegroup' value='%s'>\n",escape_string(servicegroup_name));
 
 		printf("<table border=0 cellpadding=5>\n");
 
@@ -941,7 +941,7 @@
 
 	        printf("<form method=\"get\" action=\"%s\" name='serviceform'>\n",AVAIL_CGI);
 		printf("<input type='hidden' name='get_date_parts'>\n");
-		printf("<input type='hidden' name='host' value='%s'>\n",(firsthostpointer==NULL)?"unknown":firsthostpointer);
+		printf("<input type='hidden' name='host' value='%s'>\n",(firsthostpointer==NULL)?"unknown":escape_string(firsthostpointer));
 
 		printf("<table border=0 cellpadding=5>\n");
 
Index: cgi/cgiutils.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/cgiutils.c,v
retrieving revision 1.81
diff -u -r1.81 cgiutils.c
--- cgi/cgiutils.c	23 Jun 2008 20:47:44 -0000	1.81
+++ cgi/cgiutils.c	5 Aug 2008 10:03:58 -0000
@@ -1492,6 +1492,54 @@
 
 
 
+/* escape string for html form usage */
+char * escape_string(char *input){
+	int len,output_len;
+	int x,y;
+	char temp_expansion[10];
+
+	/* we need up to six times the space to do the conversion */
+	len=(int)strlen(input);
+	output_len=len*6;
+	if((encoded_html_string=(char *)malloc(output_len+1))==NULL)
+		return "";
+
+	strcpy(encoded_html_string,"");
+
+	for(x=0,y=0;x<=len;x++){
+
+		/* end of string */
+		if((char)input[x]==(char)'\x0'){
+			encoded_html_string[y]='\x0';
+			break;
+			}
+
+		/* alpha-numeric characters don't get encoded */
+		else if(((char)input[x]>='0' && (char)input[x]<='9') || ((char)input[x]>='A' && (char)input[x]<='Z') || ((char)input[x]>=(char)'a' && (char)input[x]<=(char)'z'))
+			encoded_html_string[y++]=input[x];
+
+		/* spaces, hyphens, periods, underscores and colons don't get encoded */
+		else if(((char)input[x]==(char)' ') || ((char)input[x]==(char)'-') || ((char)input[x]==(char)'.') || ((char)input[x]==(char)'_') || ((char)input[x]==(char)':'))
+			encoded_html_string[y++]=input[x];
+
+		/* for simplicity, all other chars represented by their numeric value */
+		else{
+			encoded_html_string[y]='\x0';
+			sprintf(temp_expansion,"&#%d;",(unsigned char)input[x]);
+			if((int)strlen(encoded_html_string)<(output_len-strlen(temp_expansion))){
+				strcat(encoded_html_string,temp_expansion);
+				y+=strlen(temp_expansion);
+				}
+			}
+	        }
+
+	encoded_html_string[y++]='\x0';
+
+	return encoded_html_string;
+        }
+
+
+
 /* determines the log file we should use (from current time) */
 void get_log_archive_to_use(int archive,char *buffer,int buffer_length){
 	struct tm *t;
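Review bot: escape_string() overwrites the global encoded_html_string with a fresh malloc() on every call (line 99) and never frees the previous buffer, so every hidden input printed leaks one allocation; the CGIs are one-shot processes so the leak is bounded per request, but the reuse should be explicit with `free(encoded_html_string);` before the malloc and a comment that the returned pointer is a shared buffer valid only until the next encode call (if html_encode()/url_encode() share this global, please confirm that matches their contract). The function also calls strlen(input) with no NULL check, so a caller handing it a NULL name crashes; add `if(input==NULL) return "";` at the top, which mirrors the `"unknown"` fallbacks some callers already do. The escaping itself is sound: every byte outside [A-Za-z0-9 -._:] becomes a numeric character reference, so `'`, `"`, `<`, `>` and `&` are neutralized regardless of how the caller quotes the attribute, and 6*len is the exact worst case for `&#255;`. Since the argument is never written through, `const char *input` would document that; the per-character strlen() on the output buffer is O(n^2) but harmless for host-name-sized strings.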
Index: cgi/histogram.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/histogram.c,v
retrieving revision 1.27
diff -u -r1.27 histogram.c
--- cgi/histogram.c	19 May 2008 18:42:26 -0000	1.27
+++ cgi/histogram.c	5 Aug 2008 10:03:59 -0000
@@ -407,9 +407,9 @@
 			printf("<form method=\"GET\" action=\"%s\">\n",HISTOGRAM_CGI);
 			printf("<input type='hidden' name='t1' value='%lu'>\n",(unsigned long)t1);
 			printf("<input type='hidden' name='t2' value='%lu'>\n",(unsigned long)t2);
-			printf("<input type='hidden' name='host' value='%s'>\n",url_encode(host_name));
+			printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
 			if(display_type==DISPLAY_SERVICE_HISTOGRAM)
-				printf("<input type='hidden' name='service' value='%s'>\n",url_encode(svc_description));
+				printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
 
 
 			printf("<tr><td CLASS='optBoxItem' valign=top align=left>Report period:</td><td CLASS='optBoxItem' valign=top align=left>Assume state retention:</td></tr>\n");
@@ -746,7 +746,7 @@
 			printf("<TABLE BORDER=0 cellpadding=5>\n");
 			printf("<form method=\"GET\" action=\"%s\" name=\"serviceform\">\n",HISTOGRAM_CGI);
 			printf("<input type='hidden' name='input' value='getoptions'>\n");
-			printf("<input type='hidden' name='host' value='%s'>\n",(first_service==NULL)?"unknown":first_service);
+			printf("<input type='hidden' name='host' value='%s'>\n",(first_service==NULL)?"unknown":escape_string(first_service));
 
 			printf("<tr><td class='reportSelectSubTitle'>Service:</td>\n");
 			printf("<td class='reportSelectItem'>\n");
@@ -789,9 +789,9 @@
 
 			printf("<TABLE BORDER=0 cellpadding=5>\n");
 			printf("<form method=\"GET\" action=\"%s\">\n",HISTOGRAM_CGI);
-			printf("<input type='hidden' name='host' value='%s'>\n",url_encode(host_name));
+			printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
 			if(display_type==DISPLAY_SERVICE_HISTOGRAM)
-				printf("<input type='hidden' name='service' value='%s'>\n",url_encode(svc_description));
+				printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
 
 			printf("<tr><td class='reportSelectSubTitle' align=right>Report Period:</td>\n");
 			printf("<td class='reportSelectItem'>\n");
Index: cgi/history.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/history.c,v
retrieving revision 1.31
diff -u -r1.31 history.c
--- cgi/history.c	23 Jun 2008 20:47:44 -0000	1.31
+++ cgi/history.c	5 Aug 2008 10:03:59 -0000
@@ -204,9 +204,9 @@
 
 		printf("<table border=0 CLASS='optBox'>\n");
 		printf("<form method=\"GET\" action=\"%s\">\n",HISTORY_CGI);
-		printf("<input type='hidden' name='host' value='%s'>\n",(show_all_hosts==TRUE)?"all":url_encode(host_name));
+		printf("<input type='hidden' name='host' value='%s'>\n",(show_all_hosts==TRUE)?"all":escape_string(host_name));
 		if(display_type==DISPLAY_SERVICES)
-			printf("<input type='hidden' name='service' value='%s'>\n",url_encode(svc_description));
+			printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
 		printf("<input type='hidden' name='archive' value='%d'>\n",log_archive);
 
 		printf("<tr>\n");
Index: cgi/notifications.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/notifications.c,v
retrieving revision 1.25
diff -u -r1.25 notifications.c
--- cgi/notifications.c	19 May 2008 18:42:27 -0000	1.25
+++ cgi/notifications.c	5 Aug 2008 10:03:59 -0000
@@ -212,11 +212,11 @@
 		printf("<table border=0 CLASS='optBox'>\n");
 		printf("<form method='GET' action='%s'>\n",NOTIFICATIONS_CGI);
 		if(query_type==FIND_SERVICE){
-			printf("<input type='hidden' name='host' value='%s'>\n",url_encode(query_host_name));
-			printf("<input type='hidden' name='service' value='%s'>\n",url_encode(query_svc_description));
+			printf("<input type='hidden' name='host' value='%s'>\n",escape_string(query_host_name));
+			printf("<input type='hidden' name='service' value='%s'>\n",escape_string(query_svc_description));
 	                }
 		else
-			printf("<input type='hidden' name='%s' value='%s'>\n",(query_type==FIND_HOST)?"host":"contact",url_encode((query_type==FIND_HOST)?query_host_name:query_contact_name));
+			printf("<input type='hidden' name='%s' value='%s'>\n",(query_type==FIND_HOST)?"host":"contact",(query_type==FIND_HOST)?escape_string(query_host_name):escape_string(query_contact_name));
 		printf("<input type='hidden' name='archive' value='%d'>\n",log_archive);
 		printf("<tr>\n");
 		if(query_type==FIND_SERVICE)
Index: cgi/statusmap.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/statusmap.c,v
retrieving revision 1.40
diff -u -r1.40 statusmap.c
--- cgi/statusmap.c	19 May 2008 18:42:28 -0000	1.40
+++ cgi/statusmap.c	5 Aug 2008 10:04:02 -0000
@@ -700,8 +700,8 @@
 		printf("<form method=\"POST\" action=\"%s\">\n",STATUSMAP_CGI);
 		printf("<table border=0 CLASS='optBox'>\n");
 		printf("<tr><td valign=top>\n");
-		printf("<input type='hidden' name='host' value='%s'>\n",url_encode(host_name));
-		printf("<input type='hidden' name='layout' value='%d'>\n",layout_method);
+		printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
+		printf("<input type='hidden' name='layout' value='%d'>\n",escape_string(layout_method));
 
 		printf("</td><td valign=top>\n");
 
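Review bot: Line 236 is a real bug: layout_method is an int (the original line printed it with %d and the format string still says %d), but it is now passed to escape_string(), which takes a char * and calls strlen() on it, so this dereferences a small integer as a pointer and then prints a char * through %d — undefined behaviour, most likely a crash of statusmap.cgi as soon as the options form is rendered. Revert that line to `printf("<input type='hidden' name='layout' value='%d'>\n",layout_method);`; only the host line in this hunk needs the new escaping. Building the CGIs with -Wall/-Wformat would have flagged both the int-to-pointer conversion and the %d/pointer mismatch, so it is worth doing before resubmitting.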
@@ -2390,7 +2390,7 @@
 		if(get_method==TRUE)
 			printf("&layer=%s",temp_layer->layer_name);
 		else
-			printf("<input type='hidden' name='layer' value='%s'>\n",temp_layer->layer_name);
+			printf("<input type='hidden' name='layer' value='%s'>\n",escape_string(temp_layer->layer_name));
 	        }
 
 	if(get_method==TRUE)
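Review bot: The POST branch now escapes layer_name (line 245), but the GET branch on context line 242 still emits `&layer=%s` with the raw layer_name; that is a URL query-string context, where the right transform is url_encode() rather than HTML escaping, and a layer name containing `&`, `=` or a quote would corrupt or inject into whatever URL or attribute this string is appended to (the surrounding output starts before this hunk, so I cannot see the exact destination). Suggest `printf("&layer=%s",url_encode(temp_layer->layer_name));` unless the assembled URL is already encoded as a whole by the caller.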
Index: cgi/trends.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/trends.c,v
retrieving revision 1.41
diff -u -r1.41 trends.c
--- cgi/trends.c	23 Jun 2008 20:47:46 -0000	1.41
+++ cgi/trends.c	5 Aug 2008 10:04:03 -0000
@@ -454,9 +454,9 @@
 				printf("<input type='hidden' name='nomap' value=''>\n");
 			printf("<input type='hidden' name='t1' value='%lu'>\n",(unsigned long)t1);
 			printf("<input type='hidden' name='t2' value='%lu'>\n",(unsigned long)t2);
-			printf("<input type='hidden' name='host' value='%s'>\n",url_encode(host_name));
+			printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
 			if(display_type==DISPLAY_SERVICE_TRENDS)
-				printf("<input type='hidden' name='service' value='%s'>\n",url_encode(svc_description));
+				printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
 
 			printf("<input type='hidden' name='assumeinitialstates' value='%s'>\n",(assume_initial_states==TRUE)?"yes":"no");
 			printf("<input type='hidden' name='assumestateretention' value='%s'>\n",(assume_state_retention==TRUE)?"yes":"no");
@@ -858,7 +858,7 @@
 			printf("<TABLE BORDER=0 cellpadding=5>\n");
 			printf("<form method=\"GET\" action=\"%s\" name=\"serviceform\">\n",TRENDS_CGI);
 			printf("<input type='hidden' name='input' value='getoptions'>\n");
-			printf("<input type='hidden' name='host' value='%s'>\n",(first_service==NULL)?"unknown":first_service);
+			printf("<input type='hidden' name='host' value='%s'>\n",(first_service==NULL)?"unknown":escape_string(first_service));
 
 			printf("<tr><td class='reportSelectSubTitle'>Service:</td>\n");
 			printf("<td class='reportSelectItem'>\n");
@@ -901,9 +901,9 @@
 
 			printf("<TABLE BORDER=0 CELLPADDING=5>\n");
 			printf("<form method=\"GET\" action=\"%s\">\n",TRENDS_CGI);
-			printf("<input type='hidden' name='host' value='%s'>\n",host_name);
+			printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
 			if(display_type==DISPLAY_SERVICE_TRENDS)
-				printf("<input type='hidden' name='service' value='%s'>\n",svc_description);
+				printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
 
 			printf("<tr><td class='reportSelectSubTitle' align=right>Report period:</td>\n");
 			printf("<td class='reportSelectItem'>\n");
Index: include/cgiutils.h.in
===================================================================
RCS file: /cvsroot/nagios/nagios/include/cgiutils.h.in,v
retrieving revision 1.27
diff -u -r1.27 cgiutils.h.in
--- include/cgiutils.h.in	10 Nov 2007 23:34:26 -0000	1.27
+++ include/cgiutils.h.in	5 Aug 2008 10:04:04 -0000
@@ -484,6 +484,7 @@
 
 char * url_encode(char *);		        		/* encodes a string in proper URL format */
 char * html_encode(char *,int);					/* encodes a string in HTML format (for what the user sees) */
+char * escape_string(char *);					/* escape string for html form usage */
 
 void get_time_breakdown(unsigned long,int *,int *,int *,int *);	/* given total seconds, get days, hours, minutes, seconds */
 
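Review bot: The new prototype's comment should state the ownership contract callers must respect, since the function returns a global buffer that is overwritten by the next escape_string() call and must not be freed or held across calls; e.g. `char * escape_string(char *); /* HTML-escapes a string for form values; returns a shared buffer valid only until the next call, do not free */`. Because the function never writes through its argument, the parameter could also be declared `const char *` to document that and let callers pass const data.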