nagios2 plugin output sanitization

Ethan Galstad nagios at nagios.org
Tue Nov 6 18:09:22 CET 2007


Christoph Biedl wrote:
> Hi,
> 
> Trying to fix Debian bug #416814 (plugin output does not get sanitized
> before sending to the browser) I found that a lot of work has already
> been done since 2.6. Comparing to 2.10 there are several changes like
> 
> -                               printf("[%s] %s<br clear='all'>\n",date_time,temp_buffer);
> +                               printf("[%s] %s<br clear='all'>\n",date_time,strip_plugin_html(temp_buffer));
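Review bot: the substitution on the `+` line has no effect as long as strip_plugin_html() returns its argument unchanged, so temp_buffer still reaches the browser unescaped; either give strip_plugin_html() a real body or call html_encode() here, which already escapes the HTML-significant characters.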
> 
> BUT: The strip_plugin_html function in cgi/cgiutils.c does nothing but
> returning the input. Is there a reason against using the html_encode
> function in all places?  It seems to do the right job which is escaping
> potentially harmful html sequences.

The only thing that really needs to be escaped/sanitized in my opinion 
is the plugin output.  Everything else (host names, etc.) is specified 
by the admin in the config files.  The output from a plugin can vary 
each/every invocation, so the safety of the output is unknown at any 
given time.

> 
> By the way, the "anything else gets represented by its hex value" code
> converts 8bit characters in an unexpected manner: For example, '\xff'
> gets translated into "&#-1;", at least on amd64. This is not unsafe,
> just invalid html. I'd suggest to change
> 
> -                        sprintf(temp_expansion,"&#%d;",(unsigned int)input[x]);
> +                        sprintf(temp_expansion,"&#%d;",(unsigned char)input[x]);
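Review bot: the cast on the `+` line is the right fix: where char is signed, '\xff' is -1 and sign-extends before the (unsigned int) conversion, so %d prints -1; casting to unsigned char first yields 0..255 and the reference is always well-formed. Two further points on the same line: sprintf into temp_expansion should be snprintf with the buffer size (the longest expansion, "&#255;", is six bytes plus NUL), and a numeric reference built from a single byte only reproduces the intended character for single-byte encodings; a UTF-8 multibyte sequence would come out as a run of Latin-1 code points.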
> 
>     Christoph

Good idea - I'll get a patch in for both 2.x and HEAD (3.x) branches in CVS.


Ethan Galstad
Nagios Developer
___
Email: nagios at nagios.org
Web:   www.nagios.org
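As an added example, not code from the Nagios sources or from either poster: a bounds-checked html_encode in C that escapes the HTML-significant characters and emits numeric references for control and 8-bit bytes through an unsigned char, beside a small helper that reproduces the signed-char result Christoph reported. The function names, the buffer-based interface and the sample plugin output strings are my assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Encode one byte of plugin output into a caller buffer. Returns bytes
   written (excluding the NUL), or 0 if the expansion would not fit. */
static size_t encode_byte(unsigned char c, char *out, size_t outlen) {
    const char *lit = NULL;
    switch (c) {
    case '<':  lit = "&lt;";   break;
    case '>':  lit = "&gt;";   break;
    case '&':  lit = "&amp;";  break;
    case '"':  lit = "&quot;"; break;
    case '\'': lit = "&#39;";  break;
    default: break;
    }
    if (lit) {
        size_t n = strlen(lit);
        if (n + 1 > outlen) return 0;
        memcpy(out, lit, n + 1);
        return n;
    }
    if (c >= 0x20 && c < 0x7f) {           /* printable ASCII passes through */
        if (outlen < 2) return 0;
        out[0] = (char)c;
        out[1] = '\0';
        return 1;
    }
    /* Control and 8-bit bytes become a numeric reference. Taking the byte
       as unsigned char is what keeps '\xff' at 255 instead of -1. */
    int n = snprintf(out, outlen, "&#%u;", (unsigned int)c);
    if (n < 0 || (size_t)n >= outlen) return 0;
    return (size_t)n;
}

/* Encode a NUL-terminated plugin output string into out. Stops, leaving a
   NUL-terminated prefix, rather than overrunning the buffer. Returns the
   number of input bytes consumed so the caller can detect truncation. */
size_t html_encode(const char *in, char *out, size_t outlen) {
    size_t used = 0, i = 0;
    if (outlen == 0) return 0;
    out[0] = '\0';
    for (; in[i] != '\0'; i++) {
        size_t n = encode_byte((unsigned char)in[i], out + used, outlen - used);
        if (n == 0) break;
        used += n;
    }
    return i;
}

/* For contrast: what the pre-fix sprintf produced where char is signed,
   written with an explicit (signed char) so it behaves the same on every
   platform. Returns the formatted reference. */
const char *signed_char_ref(char c, char *out, size_t outlen) {
    snprintf(out, outlen, "&#%d;", (int)(signed char)c);
    return out;
}

int main(void) {
    /* Constructed sample plugin output, including markup and 8-bit bytes. */
    const char *samples[] = {
        "OK - load 0.1 <script>alert(1)</script>",
        "caf\xe9 \xff"
    };
    char buf[256];
    for (size_t i = 0; i < 2; i++) {
        html_encode(samples[i], buf, sizeof buf);
        printf("%s\n", buf);
    }
    signed_char_ref('\xff', buf, sizeof buf);
    printf("legacy: %s\n", buf);
    return 0;
}
```

Returning the count of consumed input bytes lets the CGI notice when a long plugin line did not fit and, for instance, append a marker instead of silently dropping the tail.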
