Bug in statuswml.cgi with Acknowledging Services

Jon Angliss jon at netdork.net
Tue Aug 12 23:51:39 CEST 2008


On Tue, 12 Aug 2008 10:15:27 +0200, Armin Wolfermann <aw at osn.de>
wrote:

>* Jon Angliss <jon at netdork.net> [12.08.2008 09:44]:
>> On Mon, 11 Aug 2008 13:41:38 -0700 (PDT), Benjamin Schmaus
>> <schmaustech at yahoo.com> wrote:
>> 
>> > It appears there is a bug if you try to acknowledge a critical state
>> > via the WAP interface for a service on the host in Nagios 3.x.
>> 
>> Is this what has been causing the "You're not authorized" messages
>> I've been getting when trying to ack stuff?  
>
>Take a look at the thread "Variables encoded twice" and the included
>patch. I can't test the WAP interface at the moment but I suppose the
>problem is identical. You could try to substitute url_encode with the
>new escape_string function and check if it works.

I read the thread, and it looks like the variables are being double
encoded, which is fine, but the issue here is that a variable being
fed into url_encode is coming out as a different variable.  For
example, I have an FTP server, with a Disk check.  The setup looks
like this:

define host {
    host_name   FTPSrvr
  [..]
}

define service {
  service_description Disk D
  [..]
}

The WML output is looking like this:

<go href='cmd.cgi' method='post'><postfield name='host'
value='FTPSrvr'/><postfield name='service' value='FTPSrvr'/><postfield
name='com_author' value='$(name)'/><postfield name='com_data'
value='$(comment)'/><postfield name='persistent' value=''/><postfield
name='send_notification' value=''/><postfield name='cmd_typ'
value='34'/><postfield name='cmd_mod' value='2'/><postfield
name='content' value='wml'/></go>

As you can see, the service name is actually the host name.  However,
if I apply the change Benjamin mentions, it comes out looking like
this:

<go href='cmd.cgi' method='post'><postfield name='host'
value='FTPSrvr'/><postfield name='service' value='Disk D'/><postfield
name='com_author' value='$(name)'/><postfield name='com_data'
value='$(comment)'/><postfield name='persistent' value=''/><postfield
name='send_notification' value=''/><postfield name='cmd_typ'
value='34'/><postfield name='cmd_mod' value='2'/><postfield
name='content' value='wml'/></go>

This hints that url_encode is not encoding the variable that is being
passed in.  As a test, I decided to flip the variables around to see
what'd happen, so it now reads:

 url_encode(service_desc),url_encode(host_name)

And sure enough, the service description was properly encoded (space
was replaced with a + sign), but the variable was outputted for both
the host_name encoding, and service_desc encoding.

While I don't doubt there is an issue with double encoding stuff (I
had that issue once with an app I work on), there is clearly an issue
with using url_encode twice in a row like is being used here.
-- 
Jon Angliss
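
[Added example, not part of the original message and not Nagios code.] The symptom described above (two url_encode() calls in one argument list yielding the same value twice) is what happens when an encoder returns a pointer to a single static buffer. That the real url_encode() works this way is an assumption, since the message does not show its source; the names url_encode_r, url_encode_static, build_buggy and build_fixed are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Encode into a caller-supplied buffer: space -> '+', other reserved bytes -> %XX. */
static char *url_encode_r(const char *in, char *out, size_t len) {
    size_t o = 0;
    if (len == 0) return out;
    for (; *in && o + 4 <= len; in++) {          /* room for "%XX" plus NUL */
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || strchr("-_.~", c)) out[o++] = (char)c;
        else if (c == ' ') out[o++] = '+';
        else o += (size_t)snprintf(out + o, 4, "%%%02X", (unsigned)c);
    }
    out[o] = '\0';
    return out;
}

/* ASSUMPTION: stand-in for an encoder that returns one shared static buffer. */
static char *url_encode_static(const char *in) {
    static char buf[256];
    return url_encode_r(in, buf, sizeof buf);
}

/* Call pattern from the message: both calls finish before the format runs,
   and both return the same pointer, so one value is printed twice. */
static const char *build_buggy(const char *host, const char *svc, char *out, size_t len) {
    snprintf(out, len, "host=%s&service=%s",
             url_encode_static(host), url_encode_static(svc));
    return out;
}

/* Fix: one buffer per encoded value, so the results cannot alias. */
static const char *build_fixed(const char *host, const char *svc, char *out, size_t len) {
    char h[256], s[256];
    snprintf(out, len, "host=%s&service=%s",
             url_encode_r(host, h, sizeof h), url_encode_r(svc, s, sizeof s));
    return out;
}

int main(void) {
    char line[600];
    /* Constructed sample values taken from the host/service definitions above. */
    printf("buggy: %s\n", build_buggy("FTPSrvr", "Disk D", line, sizeof line));
    printf("fixed: %s\n", build_fixed("FTPSrvr", "Disk D", line, sizeof line));
    return 0;
}
```

Which of the two values the buggy form prints depends on the compiler's argument evaluation order, which C leaves unspecified; either way the command is submitted for an object the user did not select.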

