URL Escaping in action_url -- Bug?

Don Tetreault Don.Tetreault at celero.ca
Thu Mar 19 18:14:44 CET 2009


Hi Thomas,

I am referring to the URL in the CGI frame generated as "Current Network
Status" and returned to the browser. By way of example, here's a
relevant line, as generated by v2.8 and v3.0.6 using identical
configurations for the service extension:

Version 2.8
<TD align=center valign=center><A
HREF='/nagios_ext/cgi-bin/disk.cgi?h=bk02&s=Disk+--+System'
TARGET='_blank'><IMG SRC='/nagios/images/action.gif' BORDER=0 WIDTH=20
HEIGHT=20 ALT='Perform Extra Service Actions' TITLE='Perform Extra
Service Actions'></A></TD>

Version 3.0.6
<TD align=center valign=center><A
HREF='/nagios_ext/cgi-bin/disk.cgi?h=bk02&s=Disk -- System'
TARGET='_blank'><IMG SRC='/nagios/images/action.gif' BORDER=0 WIDTH=20
HEIGHT=20 ALT='Perform Extra Service Actions' TITLE='Perform Extra
Service Actions'></A></TD>

Note that the HREF string contains spaces in the 3.0.6 instance.

Another pair of lines from the same source output files, however, have
identical output, with the spaces escaped by plus signs:

Version 2.8
<TD ALIGN=LEFT valign=center CLASS='statusOdd'><A
HREF='extinfo.cgi?type=2&host=bk02&service=Disk+--+System'>Disk --
System</A></TD></TR>

Version 3.0.6
<TD ALIGN=LEFT valign=center CLASS='statusOdd'><A
HREF='extinfo.cgi?type=2&host=bk02&service=Disk+--+System'>Disk --
System</A></TD></TR>

It turns out that our target CGI script handles both cases, since the
query string is cleaned up with underscores replacing non-alphanumerics,
but parts of these are used in filenames, where the %20 inserted by
Firefox could be interpreted as _20 instead of _, for example (I haven't
tested for that yet).

Thank you for the response.

Don


-----Original Message-----
From: Thomas Guyot-Sionnest [mailto:dermoth at aei.ca] 
Sent: March 18, 2009 8:15 PM
To: Nagios Developers List
Subject: Re: [Nagios-devel] URL Escaping in action_url -- Bug?




On 18/03/09 07:31 PM, Don Tetreault wrote:
> Hi,
>  
> We are in the process of upgrading from Nagios 2.8 to Nagios 3.0.6. Our
> original configuration includes serviceextinfo definitions which set 
> the action_url to include a pair of macros as follows:
>  
> define serviceextinfo{
>         hostgroup_name          meta-windows
>         service_description     disk usage on C:
>         action_url              /nagios_ext/cgi-bin/disk.cgi?h=$HOSTNAME$&s=$SERVICEDESC$
> }
>  
> In version 2.8, the resulting HREF URL was properly escaped (with a 
> plus sign replacing each space in the service description), but the 
> spaces remain unchanged in version 3.0.6. A check of the apache 
> access_log shows that Firefox replaces the space with %20 in the HTTP 
> request, but I am concerned about unexpected behavior in our 
> production environment.
>  
> Is this a bug? Should I replace the macros with literal strings, 
> properly escaped? Is there a better solution?
>  
> Thank you in advance for any guidance.

Is that on the CGI page or when you use the url in commands, i.e. in
notification emails? AFAIK it shouldn't be a problem in a web page as
browsers properly encode URLs already. It can be a problem in text
emails where the email client is expected to detect and enable links.

I reported a problem in 3.0.1 - url was not escaped at all. Although it
should have been fixed in 3.0.2, I preferred to stick with 3.0.1
(actually a CVS version with many fixes) as the fix was possibly
affecting many other macro processing and I feared it could trigger more
bugs.

If you're having a problem using the url in commands, I would be very
interested to assist you (can be done in private).

- --
Thomas
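The filename concern raised in this thread, as an added Python example that is not part of the original messages and is not Nagios or disk.cgi code: it encodes the macro values when the link is built, and shows why a receiving CGI should decode the query string before replacing non-alphanumerics. The helper names (`expand_action_url`, `sanitize`, `filename_from_raw`, `filename_from_decoded`) and the three sample requests are assumptions constructed from the values quoted above.

```python
import html
import re
from urllib.parse import parse_qs, quote_plus

# Template copied from the serviceextinfo definition quoted in the thread.
TEMPLATE = "/nagios_ext/cgi-bin/disk.cgi?h=$HOSTNAME$&s=$SERVICEDESC$"

# Constructed samples: the same service as sent by a 2.8-style link, by
# Firefox after it rewrites a raw space, and as a raw unencoded value.
REQUESTS = [
    "h=bk02&s=Disk+--+System",
    "h=bk02&s=Disk%20--%20System",
    "h=bk02&s=Disk -- System",
]

def expand_action_url(template, hostname, servicedesc, encode=True):
    """Hypothetical macro expansion; encode=False mimics the 3.0.6 output."""
    enc = quote_plus if encode else (lambda s: s)
    url = (template.replace("$HOSTNAME$", enc(hostname))
                   .replace("$SERVICEDESC$", enc(servicedesc)))
    # The URL is emitted inside a quoted HREF attribute, so it also needs
    # HTML attribute escaping (& becomes &amp;, quotes are neutralised).
    return html.escape(url, quote=True)

def sanitize(value):
    """Replace every non-alphanumeric character with an underscore."""
    return re.sub(r"[^A-Za-z0-9]", "_", value)

def filename_from_raw(query_string):
    """Fragile order: sanitize the still-encoded 's' value."""
    for pair in query_string.split("&"):
        key, _, value = pair.partition("=")
        if key == "s":
            return sanitize(value)
    return None

def filename_from_decoded(query_string):
    """Robust order: percent/plus-decode first, then sanitize."""
    values = parse_qs(query_string).get("s")
    return sanitize(values[0]) if values else None

if __name__ == "__main__":
    print(expand_action_url(TEMPLATE, "bk02", "Disk -- System"))
    for q in REQUESTS:
        print(q, "->", filename_from_raw(q), "|", filename_from_decoded(q))
```

Sanitizing the raw value turns the `%20` form into a different filename component than the `+` form, while decoding first maps all three request forms to the same name.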