nagios2 plugin output sanitization
Ethan Galstad
nagios at nagios.org
Sat Nov 10 22:25:03 CET 2007
Christoph Biedl wrote:
> Ethan Galstad wrote...
>
>> The only thing that really needs to be escaped/sanitized in my opinion
>> is the plugin output. Everything else (host names, etc.) is specified
>> by the admin in the config files. The output from the plugin can vary
>> each/every invocation, so the safety of the output is unknown at any
>> given time.
>
> That's my point. The plugin output is still sent to the browser as-is,
> in other words,
>
> | define command {
> | command_name xss
> | command_line /bin/echo 'Hello <font color="red" size="+10">world</font>.'
> | }
>
> still opens a door for a lot of funny things as long as an attacker is
> able to control plugin output.
>
> My workaround, as also sent to the Debian BTS:
>
> --- nagios-2.10.ORIG/cgi/cgiutils.c 2007-10-21 16:39:51.000000000 +0200
> +++ nagios-2.10/cgi/cgiutils.c 2007-11-07 10:11:05.000000000 +0100
> @@ -1418,8 +1418,8 @@
> char * strip_plugin_html(char *input){
>
> /* TODO */
> -
> - return input;
> + /* Use html_encode for the time being */
> + return html_encode (input);
> }
>
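Review bot: the stale `/* TODO */` comment is kept directly above the new `return html_encode (input);`, so the function now reads as both unfinished and implemented; drop the TODO or fold it into the "Use html_encode for the time being" comment, and note in that comment that strip_plugin_html() no longer strips markup but escapes it, since the name no longer describes the behaviour callers will get.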
> Christoph
>
A patch will be in CVS shortly. I'll replace all strip_plugin_html()
calls with html_encode(), so it syncs with the 3.x stuff.
Ethan Galstad
Nagios Developer
___
Email: nagios at nagios.org
Web: www.nagios.org
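To show what the agreed fix does to the sample command above, here is an added example (not Nagios' cgiutils.c and not the html_encode() the thread refers to) that HTML-encodes untrusted plugin output before it is written into a page; encode_plugin_output() is a hypothetical name and, unlike a static-buffer encoder, returns a freshly allocated string the caller frees.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper for this example: escape the five characters that
 * let plugin output break out of HTML text context. Every byte may grow
 * to at most 6 bytes ("&quot;"), so the output buffer is sized for that. */
char *encode_plugin_output(const char *input) {
    size_t len = strlen(input);
    char *out = malloc(len * 6 + 1);
    if (out == NULL)
        return NULL;
    char *p = out;
    for (const char *s = input; *s != '\0'; s++) {
        const char *rep;
        switch (*s) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   *p++ = *s;      continue; /* safe byte, copy as-is */
        }
        size_t n = strlen(rep);
        memcpy(p, rep, n);
        p += n;
    }
    *p = '\0';
    return out;
}

int main(void) {
    /* Constructed sample: the output of the "xss" command from the thread. */
    const char *raw = "Hello <font color=\"red\" size=\"+10\">world</font>.";
    char *safe = encode_plugin_output(raw);
    if (safe == NULL)
        return 1;
    printf("%s\n", safe); /* browser renders the tags as literal text */
    free(safe);
    return 0;
}
```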