Nagios Tracker #15 - cannot access if logged in

Ton Voon ton.voon at opsera.com
Wed Jul 15 01:07:31 CEST 2009


On 14 Jul 2009, at 23:10, Christian Schneemann wrote:

> On Tuesday 14 July 2009 23:36:45 Ton Voon wrote:
>> On 11 Jul 2009, at 21:07, Hendrik Baecker wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
> [...]
>>>
>>> Your comment related to the IDN Domains is attached to the post, if you
>>> have more ideas on it, please send a message off-list to Ethan, Andreas
>>> Ericsson and Ton Voon.
>>
>> Is there a definitive list of all characters used in IDN Domains?
> "Yes", every character that is possible in a language can be used in an
> internationalized domain name of that country, that makes a simple whitelist
> impossible I think.

I would rather do a whitelist than a blacklist, especially given the  
nature of the security bug.

However, I guess a blacklist of "bad shell characters" could be  
possible.

Another option is possibly that we scan the nagios objects.dat file  
and only allow host addresses that have been specified there, which is  
another form of whitelisting, but allows IDNs.

> The IANA has special character tables for every possible domain-name.
> http://www.iana.org/domains/idn-tables/
>
> I'm playing around with libidn [1], they have functions to check for an
> allowed IDN domain. Maybe that could help here.
>
> [1] http://www.gnu.org/software/libidn/

This doesn't appear to be easy to embed into a third party app, but  
I'd be happy to be proven wrong.

Ton
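
A sketch of the object-file lookup suggested in this message (accept a host address only if a host definition already contains it), added here as an example; it is not code from the thread or from Nagios. The `define host { ... address ... }` layout, the sample data and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS 64
#define ADDR_LEN  256
static char allowed[MAX_ADDRS][ADDR_LEN]; /* allowlist built from host blocks */
static int n_allowed;

/* Constructed sample in the assumed "define <type> { key value }" layout. */
static const char SAMPLE[] =
    "define host {\n\thost_name\tweb1\n\taddress\t192.0.2.10\n\t}\n"
    "define service {\n\taddress\t198.51.100.9\n\t}\n"
    "define host {\n\thost_name\tidn1\n\taddress\tbücher.example\n\t}\n";

/* Record the address of every host block; returns how many were found. */
int load_host_addresses(const char *text)
{
    char line[512], key[64], val[ADDR_LEN];
    int in_host = 0;
    n_allowed = 0;
    while (*text) {
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        memcpy(line, text, n);
        line[n] = '\0';
        text += len + (text[len] == '\n');
        int fields = sscanf(line, " %63s %255s", key, val);
        if (fields < 1)
            continue;                      /* blank line */
        if (strcmp(key, "define") == 0)    /* block start: note its type */
            in_host = fields == 2 && strcmp(val, "host") == 0;
        else if (key[0] == '}')            /* block end */
            in_host = 0;
        else if (in_host && fields == 2 && strcmp(key, "address") == 0
                 && n_allowed < MAX_ADDRS)
            strcpy(allowed[n_allowed++], val);
    }
    return n_allowed;
}

/* Exact byte-for-byte match: no character filtering is involved, so IDN
 * addresses pass unchanged and anything not configured is rejected. */
int address_is_allowed(const char *addr)
{
    for (int i = 0; i < n_allowed; i++)
        if (strcmp(allowed[i], addr) == 0)
            return 1;
    return 0;
}
```
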
