Bug in statuswml.cgi with Acknowledging Services
Jon Angliss
jon at netdork.net
Tue Aug 12 23:51:39 CEST 2008
On Tue, 12 Aug 2008 10:15:27 +0200, Armin Wolfermann <aw at osn.de>
wrote:
>* Jon Angliss <jon at netdork.net> [12.08.2008 09:44]:
>> On Mon, 11 Aug 2008 13:41:38 -0700 (PDT), Benjamin Schmaus
>> <schmaustech at yahoo.com> wrote:
>>
>> > It appears there is a bug if you try to acknowledge a critical state
>> > via the WAP interface for a service on the host in Nagios 3.x.
>>
>> Is this what has been causing the "You're not authorized" messages
>> I've been getting when trying to ack stuff?
>
>Take a look at the thread "Variables encoded twice" and the included
>patch. I can't test the WAP interface at the moment but I suppose the
>problem is identical. You could try to substitute url_encode with the
>new escape_string function and check if it works.

I read the thread, and it looks like the variables are being double
encoded, which is fine, but the issue here is that a variable being
fed into url_encode is coming out as a different variable. For
example, I have an FTP server, with a Disk check. The setup looks
like this:

define host {
    host_name FTPSrvr
    [..]
}
define service {
    service_description Disk D
    [..]
}

The WML output is looking like this:

<go href='cmd.cgi' method='post'><postfield name='host'
value='FTPSrvr'/><postfield name='service' value='FTPSrvr'/><postfield
name='com_author' value='$(name)'/><postfield name='com_data'
value='$(comment)'/><postfield name='persistent' value=''/><postfield
name='send_notification' value=''/><postfield name='cmd_typ'
value='34'/><postfield name='cmd_mod' value='2'/><postfield
name='content' value='wml'/></go>

As you can see, the service name is actually the host name. However,
if I apply the change Benjamin mentions, it comes out looking like
this:

<go href='cmd.cgi' method='post'><postfield name='host'
value='FTPSrvr'/><postfield name='service' value='Disk D'/><postfield
name='com_author' value='$(name)'/><postfield name='com_data'
value='$(comment)'/><postfield name='persistent' value=''/><postfield
name='send_notification' value=''/><postfield name='cmd_typ'
value='34'/><postfield name='cmd_mod' value='2'/><postfield
name='content' value='wml'/></go>

This hints that url_encode is not encoding the variable that is being
passed in. As a test, I decided to flip the variables around to see
what'd happen, so it now reads:

url_encode(service_desc),url_encode(host_name)

And sure enough, the service description was properly encoded (space
was replaced with a + sign), but the variable was outputted for both
the host_name encoding, and service_desc encoding.

While I don't doubt there is an issue with double encoding stuff (I
had that issue once with an app I work on), there is clearly an issue
with using url_encode twice in a row like is being used here.

--
Jon Angliss
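
Added example, not part of the original message and not Nagios source code: a minimal C sketch of one cause that produces the symptom described above, an encoder that returns a pointer to a single static buffer and is called twice in one printf-style argument list. The names encode_into, url_encode_shared, render_shared and render_separate are hypothetical, and that the real url_encode works this way is an assumption the message does not confirm.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ENC_MAX 256

/* Encode src into dst: space -> '+', other non-alphanumerics -> %XX. */
static char *encode_into(const char *src, char *dst, size_t dstlen) {
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (dstlen == 0) return dst;
    for (; *src && o + 4 <= dstlen; src++) {      /* keep room for %XX + NUL */
        unsigned char c = (unsigned char)*src;
        if (isalnum(c) || c == '-' || c == '_' || c == '.') dst[o++] = (char)c;
        else if (c == ' ') dst[o++] = '+';
        else { dst[o++] = '%'; dst[o++] = hex[c >> 4]; dst[o++] = hex[c & 15]; }
    }
    dst[o] = '\0';
    return dst;
}

/* Hypothetical stand-in (assumption): every call returns the SAME buffer. */
static char *url_encode_shared(const char *src) {
    static char buf[ENC_MAX];
    return encode_into(src, buf, sizeof buf);
}

/* Both encoder calls complete before snprintf reads either pointer, so both
 * %s print whichever value was encoded last (argument order is unspecified). */
int render_shared(char *out, size_t n, const char *host, const char *svc) {
    return snprintf(out, n, "host='%s' service='%s'",
                    url_encode_shared(host), url_encode_shared(svc));
}

/* One fix: caller-owned buffers, so each encoded value has its own storage. */
int render_separate(char *out, size_t n, const char *host, const char *svc) {
    char h[ENC_MAX], s[ENC_MAX];
    return snprintf(out, n, "host='%s' service='%s'",
                    encode_into(host, h, sizeof h), encode_into(svc, s, sizeof s));
}

int main(void) {
    char a[600], b[600];
    render_shared(a, sizeof a, "FTPSrvr", "Disk D");    /* constructed sample input */
    render_separate(b, sizeof b, "FTPSrvr", "Disk D");
    printf("shared buffer: %s\nown buffers:   %s\n", a, b);
    return 0;
}
```

For a command-submission form like this one, the practical risk is that an acknowledgement is posted against the wrong host/service pair, which then fails authorization or targets an object the user did not select.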