Variables encoded twice

Bernd Arnold bernd_a at gmx.de
Thu Jul 31 21:04:01 CEST 2008


Hi,

The patch from Armin is against 1.50 (current version in CVS).

The url_encode(...) calls were added in version 1.49, see http://nagios.cvs.sourceforge.net/nagios/nagios/cgi/avail.c?r1=1.48&r2=1.49.

1.49 is titled "XSS vulnerability fixes".

I don't know the depth of security, but unencoded strings can change the behavior if something like special characters (' < > &) are submitted. I think it's important that such things are encrypted, though I also think it's sufficient when a function like PHP's htmlentities function is used (keeps spaces as spaces, not +). Maybe host_name for example cannot contain such characters, but it's safer to encode everything.

http://de.php.net/manual/de/function.htmlentities.php (sorry for this comparison).

So better replace url_encode(...) by html_encode(...)?

Regards
Bernd
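An added example in C (not Nagios code) of the two encodings Bernd compares above: a CGI-style url_encode() shows why a hidden field that is percent-encoded once in the page arrives double-encoded after the browser submits the form, while an htmlentities-style attribute escape keeps spaces as spaces and only neutralises the characters that could close or alter the attribute. Both url_encode() and html_attr_encode() here are assumed implementations written for this illustration, not the functions from Nagios's cgiutils.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CGI-style url_encode(): space -> '+', anything outside [A-Za-z0-9-_.] -> %XX. */
char *url_encode(const char *s) {
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(3 * strlen(s) + 1), *p = out;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || c == '-' || c == '_' || c == '.') *p++ = (char)c;
        else if (c == ' ') *p++ = '+';
        else { *p++ = '%'; *p++ = hex[c >> 4]; *p++ = hex[c & 15]; }
    }
    *p = '\0';
    return out;
}

/* HTML attribute escaping (htmlentities-style, as the thread proposes): only the
   characters that can close or alter the attribute are replaced; spaces survive. */
char *html_attr_encode(const char *s) {
    char *out = malloc(6 * strlen(s) + 1), *p = out;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { strcpy(p, rep); p += strlen(rep); } else *p++ = *s;
    }
    *p = '\0';
    return out;
}

int main(void) {
    const char *host = "db 01 <prod>";           /* constructed sample host name */
    char *once = url_encode(host);               /* what 1.49 put in value='...' */
    char *twice = url_encode(once);              /* what the browser then submits */
    char *attr = html_attr_encode(host);         /* attribute-safe, submitted once */
    printf("value='%s' -> submitted host=%s (double-encoded)\n", once, twice);
    printf("value='%s' -> submitted host=%s\n", attr, once);
    free(once); free(twice); free(attr);
    return 0;
}
```

The browser decodes the entities when it parses the attribute and percent-encodes the result once on submission, so the html_attr_encode() variant reaches the CGI as `db+01+%3Cprod%3E` rather than `db%2B01%2B%253Cprod%253E`.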


-------- Original Message --------
> Date: Thu, 31 Jul 2008 19:06:51 +0100
> From: Andy Shellam <andy.shellam-lists at mailnetwork.co.uk>
> To: nagios-devel at lists.sourceforge.net
> Subject: Re: [Nagios-devel] Variables encoded twice

> Hi Armin,
> 
> What Nagios version is this patch against?  I only ask because I 
> submitted a very similar patch (albeit in a non-diff format) which 
> appears to have made it into 3.0.3.
> 
> Thanks,
> 
> Andy
> 
> Armin Wolfermann wrote:
> > Hi all,
> >
> > in several CGIs the values of hidden form variables are encoded while
> > this will be done again automatically on form submission. The patch
> > against current CVS:
> >
> > Index: avail.c
> > ===================================================================
> > RCS file: /cvsroot/nagios/nagios/cgi/avail.c,v
> > retrieving revision 1.50
> > diff -u -r1.50 avail.c
> > --- avail.c	23 Jun 2008 20:47:42 -0000	1.50
> > +++ avail.c	31 Jul 2008 14:23:09 -0000
> > @@ -512,11 +512,11 @@
> >  			if(display_type==DISPLAY_HOSTGROUP_AVAIL)
> >  				printf("<input type='hidden' name='hostgroup'
> value='%s'>\n",hostgroup_name);
> >  			if(display_type==DISPLAY_HOST_AVAIL ||
> display_type==DISPLAY_SERVICE_AVAIL)
> > -				printf("<input type='hidden' name='host'
> value='%s'>\n",url_encode(host_name));
> > +				printf("<input type='hidden' name='host' value='%s'>\n",host_name);
> >  			if(display_type==DISPLAY_SERVICE_AVAIL)
> >  				printf("<input type='hidden' name='service'
> value='%s'>\n",svc_description);
> >  			if(display_type==DISPLAY_SERVICEGROUP_AVAIL)
> > -				printf("<input type='hidden' name='servicegroup'
> value='%s'>\n",url_encode(servicegroup_name));
> > +				printf("<input type='hidden' name='servicegroup'
> value='%s'>\n",servicegroup_name);
> >  
> >  			printf("<input type='hidden' name='assumeinitialstates'
> value='%s'>\n",(assume_initial_states==TRUE)?"yes":"no");
> >  			printf("<input type='hidden' name='assumestateretention'
> value='%s'>\n",(assume_state_retention==TRUE)?"yes":"no");
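Review bot: removing url_encode() from the host and servicegroup hidden inputs fixes the double-encoding on submission but leaves the raw name inside a single-quoted HTML attribute, so a value containing ', < or & can terminate the attribute, which is exactly the problem the url_encode() calls added in 1.49 ("XSS vulnerability fixes") were meant to address. Suggest replacing the call with an HTML-attribute escape (Bernd proposes html_encode()) rather than dropping it, e.g. `printf("<input type='hidden' name='host' value='%s'>\n",html_encode(host_name));`, and applying the same escape to the hostgroup_name and svc_description lines in this context, which are already printed unescaped.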
> > Index: histogram.c
> > ===================================================================
> > RCS file: /cvsroot/nagios/nagios/cgi/histogram.c,v
> > retrieving revision 1.27
> > diff -u -r1.27 histogram.c
> > --- histogram.c	19 May 2008 18:42:26 -0000	1.27
> > +++ histogram.c	31 Jul 2008 14:23:10 -0000
> > @@ -407,9 +407,9 @@
> >  			printf("<form method=\"GET\" action=\"%s\">\n",HISTOGRAM_CGI);
> >  			printf("<input type='hidden' name='t1' value='%lu'>\n",(unsigned
> long)t1);
> >  			printf("<input type='hidden' name='t2' value='%lu'>\n",(unsigned
> long)t2);
> > -			printf("<input type='hidden' name='host'
> value='%s'>\n",url_encode(host_name));
> > +			printf("<input type='hidden' name='host' value='%s'>\n",host_name);
> >  			if(display_type==DISPLAY_SERVICE_HISTOGRAM)
> > -				printf("<input type='hidden' name='service'
> value='%s'>\n",url_encode(svc_description));
> > +				printf("<input type='hidden' name='service'
> value='%s'>\n",svc_description);
> >  
> >  
> >  			printf("<tr><td CLASS='optBoxItem' valign=top align=left>Report
> period:</td><td CLASS='optBoxItem' valign=top align=left>Assume state
> retention:</td></tr>\n");
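Review bot: the form in this hunk is method="GET", so the browser percent-encodes each field value when it builds the query string; that is where the second encoding comes from, and the same holds for the identical host/service lines in the second hunk of this file at line 789, so whichever escape replaces url_encode() here has to be applied there too. The t1/t2 fields printed with %lu are unaffected and can stay as they are.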
> > @@ -789,9 +789,9 @@
> >  
> >  			printf("<TABLE BORDER=0 cellpadding=5>\n");
> >  			printf("<form method=\"GET\" action=\"%s\">\n",HISTOGRAM_CGI);
> > -			printf("<input type='hidden' name='host'
> value='%s'>\n",url_encode(host_name));
> > +			printf("<input type='hidden' name='host' value='%s'>\n",host_name);
> >  			if(display_type==DISPLAY_SERVICE_HISTOGRAM)
> > -				printf("<input type='hidden' name='service'
> value='%s'>\n",url_encode(svc_description));
> > +				printf("<input type='hidden' name='service'
> value='%s'>\n",svc_description);
> >  
> >  			printf("<tr><td class='reportSelectSubTitle' align=right>Report
> Period:</td>\n");
> >  			printf("<td class='reportSelectItem'>\n");
> > Index: history.c
> > ===================================================================
> > RCS file: /cvsroot/nagios/nagios/cgi/history.c,v
> > retrieving revision 1.31
> > diff -u -r1.31 history.c
> > --- history.c	23 Jun 2008 20:47:44 -0000	1.31
> > +++ history.c	31 Jul 2008 14:23:10 -0000
> > @@ -204,9 +204,9 @@
> >  
> >  		printf("<table border=0 CLASS='optBox'>\n");
> >  		printf("<form method=\"GET\" action=\"%s\">\n",HISTORY_CGI);
> > -		printf("<input type='hidden' name='host'
> value='%s'>\n",(show_all_hosts==TRUE)?"all":url_encode(host_name));
> > +		printf("<input type='hidden' name='host'
> value='%s'>\n",(show_all_hosts==TRUE)?"all":host_name);
> >  		if(display_type==DISPLAY_SERVICES)
> > -			printf("<input type='hidden' name='service'
> value='%s'>\n",url_encode(svc_description));
> > +			printf("<input type='hidden' name='service'
> value='%s'>\n",svc_description);
> >  		printf("<input type='hidden' name='archive'
> value='%d'>\n",log_archive);
> >  
> >  		printf("<tr>\n");
> > Index: notifications.c
> > ===================================================================
> > RCS file: /cvsroot/nagios/nagios/cgi/notifications.c,v
> > retrieving revision 1.25
> > diff -u -r1.25 notifications.c
> > --- notifications.c	19 May 2008 18:42:27 -0000	1.25
> > +++ notifications.c	31 Jul 2008 14:23:10 -0000
> > @@ -212,11 +212,11 @@
> >  		printf("<table border=0 CLASS='optBox'>\n");
> >  		printf("<form method='GET' action='%s'>\n",NOTIFICATIONS_CGI);
> >  		if(query_type==FIND_SERVICE){
> > -			printf("<input type='hidden' name='host'
> value='%s'>\n",url_encode(query_host_name));
> > -			printf("<input type='hidden' name='service'
> value='%s'>\n",url_encode(query_svc_description));
> > +			printf("<input type='hidden' name='host'
> value='%s'>\n",query_host_name);
> > +			printf("<input type='hidden' name='service'
> value='%s'>\n",query_svc_description);
> >  	                }
> >  		else
> > -			printf("<input type='hidden' name='%s'
> value='%s'>\n",(query_type==FIND_HOST)?"host":"contact",url_encode((query_type==FIND_HOST)?query_host_name:query_contact_name));
> > +			printf("<input type='hidden' name='%s'
> value='%s'>\n",(query_type==FIND_HOST)?"host":"contact",(query_type==FIND_HOST)?query_host_name:query_contact_name);
> >  		printf("<input type='hidden' name='archive'
> value='%d'>\n",log_archive);
> >  		printf("<tr>\n");
> >  		if(query_type==FIND_SERVICE)
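Review bot: the else branch now prints query_contact_name unescaped as well as query_host_name; judging by their names these query_* values are what the CGI was asked for in the request rather than names taken from the object configuration, so they are the ones most worth escaping for the attribute context before they are echoed back into value='...'. An HTML-attribute escape around the ternary's result keeps the single-encoding fix without echoing the raw request value.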
> > Index: statusmap.c
> > ===================================================================
> > RCS file: /cvsroot/nagios/nagios/cgi/statusmap.c,v
> > retrieving revision 1.40
> > diff -u -r1.40 statusmap.c
> > --- statusmap.c	19 May 2008 18:42:28 -0000	1.40
> > +++ statusmap.c	31 Jul 2008 14:23:13 -0000
> > @@ -700,7 +700,7 @@
> >  		printf("<form method=\"POST\" action=\"%s\">\n",STATUSMAP_CGI);
> >  		printf("<table border=0 CLASS='optBox'>\n");
> >  		printf("<tr><td valign=top>\n");
> > -		printf("<input type='hidden' name='host'
> value='%s'>\n",url_encode(host_name));
> > +		printf("<input type='hidden' name='host' value='%s'>\n",host_name);
> >  		printf("<input type='hidden' name='layout'
> value='%d'>\n",layout_method);
> >  
> >  		printf("</td><td valign=top>\n");
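Review bot: this form is method="POST", and a default application/x-www-form-urlencoded POST body percent-encodes field values exactly as a GET query string does, so dropping the url_encode() here is consistent with the GET forms in the other files, but host_name still needs an HTML-attribute escape inside value='...' for the same reason as there.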
> > Index: trends.c
> > ===================================================================
> > RCS file: /cvsroot/nagios/nagios/cgi/trends.c,v
> > retrieving revision 1.41
> > diff -u -r1.41 trends.c
> > --- trends.c	23 Jun 2008 20:47:46 -0000	1.41
> > +++ trends.c	31 Jul 2008 14:23:15 -0000
> > @@ -454,9 +454,9 @@
> >  				printf("<input type='hidden' name='nomap' value=''>\n");
> >  			printf("<input type='hidden' name='t1' value='%lu'>\n",(unsigned
> long)t1);
> >  			printf("<input type='hidden' name='t2' value='%lu'>\n",(unsigned
> long)t2);
> > -			printf("<input type='hidden' name='host'
> value='%s'>\n",url_encode(host_name));
> > +			printf("<input type='hidden' name='host' value='%s'>\n",host_name);
> >  			if(display_type==DISPLAY_SERVICE_TRENDS)
> > -				printf("<input type='hidden' name='service'
> value='%s'>\n",url_encode(svc_description));
> > +				printf("<input type='hidden' name='service'
> value='%s'>\n",svc_description);
> >  
> >  			printf("<input type='hidden' name='assumeinitialstates'
> value='%s'>\n",(assume_initial_states==TRUE)?"yes":"no");
> >  			printf("<input type='hidden' name='assumestateretention'
> value='%s'>\n",(assume_state_retention==TRUE)?"yes":"no");
> >
> >
> > Regards,
> > Armin Wolfermann
> > OSN Online Service Nuremberg
> >
> >
> > -------------------------------------------------------------------------
> > This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> > Build the coolest Linux based applications with Moblin SDK & win great prizes
> > Grand prize is a trip for two to an Open Source event anywhere in the world
> > http://moblin-contest.org/redirect.php?banner_id=100&url=/
> > _______________________________________________
> > Nagios-devel mailing list
> > Nagios-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/nagios-devel
> 
