nrpe, arguments and security

[Peter Åstrand]

On Tue, 30 Nov 2004, Andreas Ericsson wrote:

> > +#define ALLOWED_ARGUMENT_CHARS  " !abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
> >  
> 
> ! is not currently in the safe-by-default list, as it is treated 
> different depending on where your /bin/sh points to. ,.% are, though.

But ! will never reach the shell, since it's just the internal argument 
separator. 


>I've already implemented whitelist argument chars in current NRPE (which 
>isn't publicly available, since I haven't gotten the PK authentication 
>to work properly). Thanks for participating though.

It would be great if this issue could be resolved as soon as possible. Is 
it possible that you can add your "whitelist" implementation separated 
from the PK stuff? 


-- 
Peter Åstrand		Chief Developer
Cendio			www.thinlinc.com
Teknikringen 3		www.cendio.se
583 30 Linköping        Phone: +46-13-21 46 00







-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/