Variables encoded twice
Armin Wolfermann
aw at osn.de
Tue Aug 5 12:18:07 CEST 2008
* Bernd Arnold <bernd_a at gmx.de> [01.08.2008 23:18]:
> So try
> printf("<input type='hidden' name='host' value='%s'>\n",html_encode(host_name,FALSE));
>
> in avail.c (I've only tried the host part but I assume it should apply
> to all your patched lines) and you'll see it works correctly then for
> both hosts "SDSL:Customer" and "John's Server".
>
> Can you please verify this and resubmit the patch if you agree?
But this works only if you enable escape_html_tags in cgi.cfg.
New idea: I added a function escape_string() to clean all user-supplied
strings that get printed into html form values. It works for the above test
cases independently of escape_html_tags. An updated patch is attached.
Regards,
Armin Wolfermann
OSN Online Service Nuremberg
-------------- next part --------------
Index: cgi/avail.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/avail.c,v
retrieving revision 1.50
diff -u -r1.50 avail.c
--- cgi/avail.c 23 Jun 2008 20:47:42 -0000 1.50
+++ cgi/avail.c 5 Aug 2008 10:03:57 -0000
@@ -510,13 +510,13 @@
if(full_log_entries==TRUE)
printf("<input type='hidden' name='full_log_entries' value=''>\n");
if(display_type==DISPLAY_HOSTGROUP_AVAIL)
- printf("<input type='hidden' name='hostgroup' value='%s'>\n",hostgroup_name);
+ printf("<input type='hidden' name='hostgroup' value='%s'>\n",escape_string(hostgroup_name));
if(display_type==DISPLAY_HOST_AVAIL || display_type==DISPLAY_SERVICE_AVAIL)
- printf("<input type='hidden' name='host' value='%s'>\n",url_encode(host_name));
+ printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
if(display_type==DISPLAY_SERVICE_AVAIL)
- printf("<input type='hidden' name='service' value='%s'>\n",svc_description);
+ printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
if(display_type==DISPLAY_SERVICEGROUP_AVAIL)
- printf("<input type='hidden' name='servicegroup' value='%s'>\n",url_encode(servicegroup_name));
+ printf("<input type='hidden' name='servicegroup' value='%s'>\n",escape_string(servicegroup_name));
printf("<input type='hidden' name='assumeinitialstates' value='%s'>\n",(assume_initial_states==TRUE)?"yes":"no");
printf("<input type='hidden' name='assumestateretention' value='%s'>\n",(assume_state_retention==TRUE)?"yes":"no");
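Review bot: Every escape_string() result printed in this hunk is heap storage that nothing releases: the escape_string() added to cgiutils.c in this patch mallocs a fresh buffer into the global `encoded_html_string` on each call, so each of the four new printf lines here orphans the buffer from the previous call, and the same applies to the avail.c hunks at -645 and -941 and to the histogram.c, history.c, notifications.c, statusmap.c and trends.c hunks. In a one-shot CGI process the leak is bounded by the number of fields per page, but callers cannot adopt a free-after-use contract either, because on allocation failure escape_string() returns the literal "" which must not be freed. The clean fix belongs in escape_string() (release the previous buffer on entry, or return a buffer it owns, as the url_encode() results these lines replace presumably are), with a comment at the first call site such as `/* escape_string() result is owned by cgiutils; valid only until the next call, never free it */`. The enclosing function starts and ends outside the hunk.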
@@ -645,13 +645,13 @@
printf("<form method=\"get\" action=\"%s\">\n",AVAIL_CGI);
printf("<input type='hidden' name='show_log_entries' value=''>\n");
if(display_type==DISPLAY_HOSTGROUP_AVAIL)
- printf("<input type='hidden' name='hostgroup' value='%s'>\n",hostgroup_name);
+ printf("<input type='hidden' name='hostgroup' value='%s'>\n",escape_string(hostgroup_name));
if(display_type==DISPLAY_HOST_AVAIL || display_type==DISPLAY_SERVICE_AVAIL)
- printf("<input type='hidden' name='host' value='%s'>\n",host_name);
+ printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
if(display_type==DISPLAY_SERVICE_AVAIL)
- printf("<input type='hidden' name='service' value='%s'>\n",svc_description);
+ printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
if(display_type==DISPLAY_SERVICEGROUP_AVAIL)
- printf("<input type='hidden' name='servicegroup' value='%s'>\n",servicegroup_name);
+ printf("<input type='hidden' name='servicegroup' value='%s'>\n",escape_string(servicegroup_name));
printf("<table border=0 cellpadding=5>\n");
@@ -941,7 +941,7 @@
printf("<form method=\"get\" action=\"%s\" name='serviceform'>\n",AVAIL_CGI);
printf("<input type='hidden' name='get_date_parts'>\n");
- printf("<input type='hidden' name='host' value='%s'>\n",(firsthostpointer==NULL)?"unknown":firsthostpointer);
+ printf("<input type='hidden' name='host' value='%s'>\n",(firsthostpointer==NULL)?"unknown":escape_string(firsthostpointer));
printf("<table border=0 cellpadding=5>\n");
Index: cgi/cgiutils.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/cgiutils.c,v
retrieving revision 1.81
diff -u -r1.81 cgiutils.c
--- cgi/cgiutils.c 23 Jun 2008 20:47:44 -0000 1.81
+++ cgi/cgiutils.c 5 Aug 2008 10:03:58 -0000
@@ -1492,6 +1492,54 @@
+/* escape string for html form usage */
+char * escape_string(char *input){
+ int len,output_len;
+ int x,y;
+ char temp_expansion[10];
+
+ /* we need up to six times the space to do the conversion */
+ len=(int)strlen(input);
+ output_len=len*6;
+ if((encoded_html_string=(char *)malloc(output_len+1))==NULL)
+ return "";
+
+ strcpy(encoded_html_string,"");
+
+ for(x=0,y=0;x<=len;x++){
+
+ /* end of string */
+ if((char)input[x]==(char)'\x0'){
+ encoded_html_string[y]='\x0';
+ break;
+ }
+
+ /* alpha-numeric characters don't get encoded */
+ else if(((char)input[x]>='0' && (char)input[x]<='9') || ((char)input[x]>='A' && (char)input[x]<='Z') || ((char)input[x]>=(char)'a' && (char)input[x]<=(char)'z'))
+ encoded_html_string[y++]=input[x];
+
+ /* spaces, hyphens, periods, underscores and colons don't get encoded */
+ else if(((char)input[x]==(char)' ') || ((char)input[x]==(char)'-') || ((char)input[x]==(char)'.') || ((char)input[x]==(char)'_') || ((char)input[x]==(char)':'))
+ encoded_html_string[y++]=input[x];
+
+ /* for simplicity, all other chars represented by their numeric value */
+ else{
+ encoded_html_string[y]='\x0';
+ sprintf(temp_expansion,"&#%d;",(unsigned char)input[x]);
+ if((int)strlen(encoded_html_string)<(output_len-strlen(temp_expansion))){
+ strcat(encoded_html_string,temp_expansion);
+ y+=strlen(temp_expansion);
+ }
+ }
+ }
+
+ encoded_html_string[y++]='\x0';
+
+ return encoded_html_string;
+ }
+
+
+
/* determines the log file we should use (from current time) */
void get_log_archive_to_use(int archive,char *buffer,int buffer_length){
struct tm *t;
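Review bot: escape_string() dereferences `input` with no NULL check, so `strlen(input)` is undefined behaviour for a NULL argument, and only some call sites in this patch (the firsthostpointer/first_service ternaries) guard against that; add `if(input==NULL) return "";` before the strlen. Each call also mallocs a new buffer into the global `encoded_html_string` without releasing the previous one, and because the failure path returns a string literal the callers cannot free the result either; a `free(encoded_html_string);` before the malloc would bound this, provided nothing still holds the result of a previous call (the global's name suggests html_encode() shares it — worth confirming before making the result valid only until the next call). The strlen/strcat pair inside the loop makes the conversion quadratic and the length check is redundant, since output_len is already the worst case of six bytes per input byte; writing the expansion with `y+=sprintf(&encoded_html_string[y],"&#%d;",(unsigned char)input[x]);` produces the same output in linear time. Note also that `&#NNN;` denotes a Unicode code point rather than a byte, so for UTF-8 input bytes at or above 0x80 the value the browser submits matches the original only when the page is served as ISO-8859-1 — worth checking against the charset the CGIs declare.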
Index: cgi/histogram.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/histogram.c,v
retrieving revision 1.27
diff -u -r1.27 histogram.c
--- cgi/histogram.c 19 May 2008 18:42:26 -0000 1.27
+++ cgi/histogram.c 5 Aug 2008 10:03:59 -0000
@@ -407,9 +407,9 @@
printf("<form method=\"GET\" action=\"%s\">\n",HISTOGRAM_CGI);
printf("<input type='hidden' name='t1' value='%lu'>\n",(unsigned long)t1);
printf("<input type='hidden' name='t2' value='%lu'>\n",(unsigned long)t2);
- printf("<input type='hidden' name='host' value='%s'>\n",url_encode(host_name));
+ printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
if(display_type==DISPLAY_SERVICE_HISTOGRAM)
- printf("<input type='hidden' name='service' value='%s'>\n",url_encode(svc_description));
+ printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
printf("<tr><td CLASS='optBoxItem' valign=top align=left>Report period:</td><td CLASS='optBoxItem' valign=top align=left>Assume state retention:</td></tr>\n");
@@ -746,7 +746,7 @@
printf("<TABLE BORDER=0 cellpadding=5>\n");
printf("<form method=\"GET\" action=\"%s\" name=\"serviceform\">\n",HISTOGRAM_CGI);
printf("<input type='hidden' name='input' value='getoptions'>\n");
- printf("<input type='hidden' name='host' value='%s'>\n",(first_service==NULL)?"unknown":first_service);
+ printf("<input type='hidden' name='host' value='%s'>\n",(first_service==NULL)?"unknown":escape_string(first_service));
printf("<tr><td class='reportSelectSubTitle'>Service:</td>\n");
printf("<td class='reportSelectItem'>\n");
@@ -789,9 +789,9 @@
printf("<TABLE BORDER=0 cellpadding=5>\n");
printf("<form method=\"GET\" action=\"%s\">\n",HISTOGRAM_CGI);
- printf("<input type='hidden' name='host' value='%s'>\n",url_encode(host_name));
+ printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
if(display_type==DISPLAY_SERVICE_HISTOGRAM)
- printf("<input type='hidden' name='service' value='%s'>\n",url_encode(svc_description));
+ printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
printf("<tr><td class='reportSelectSubTitle' align=right>Report Period:</td>\n");
printf("<td class='reportSelectItem'>\n");
Index: cgi/history.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/history.c,v
retrieving revision 1.31
diff -u -r1.31 history.c
--- cgi/history.c 23 Jun 2008 20:47:44 -0000 1.31
+++ cgi/history.c 5 Aug 2008 10:03:59 -0000
@@ -204,9 +204,9 @@
printf("<table border=0 CLASS='optBox'>\n");
printf("<form method=\"GET\" action=\"%s\">\n",HISTORY_CGI);
- printf("<input type='hidden' name='host' value='%s'>\n",(show_all_hosts==TRUE)?"all":url_encode(host_name));
+ printf("<input type='hidden' name='host' value='%s'>\n",(show_all_hosts==TRUE)?"all":escape_string(host_name));
if(display_type==DISPLAY_SERVICES)
- printf("<input type='hidden' name='service' value='%s'>\n",url_encode(svc_description));
+ printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
printf("<input type='hidden' name='archive' value='%d'>\n",log_archive);
printf("<tr>\n");
Index: cgi/notifications.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/notifications.c,v
retrieving revision 1.25
diff -u -r1.25 notifications.c
--- cgi/notifications.c 19 May 2008 18:42:27 -0000 1.25
+++ cgi/notifications.c 5 Aug 2008 10:03:59 -0000
@@ -212,11 +212,11 @@
printf("<table border=0 CLASS='optBox'>\n");
printf("<form method='GET' action='%s'>\n",NOTIFICATIONS_CGI);
if(query_type==FIND_SERVICE){
- printf("<input type='hidden' name='host' value='%s'>\n",url_encode(query_host_name));
- printf("<input type='hidden' name='service' value='%s'>\n",url_encode(query_svc_description));
+ printf("<input type='hidden' name='host' value='%s'>\n",escape_string(query_host_name));
+ printf("<input type='hidden' name='service' value='%s'>\n",escape_string(query_svc_description));
}
else
- printf("<input type='hidden' name='%s' value='%s'>\n",(query_type==FIND_HOST)?"host":"contact",url_encode((query_type==FIND_HOST)?query_host_name:query_contact_name));
+ printf("<input type='hidden' name='%s' value='%s'>\n",(query_type==FIND_HOST)?"host":"contact",(query_type==FIND_HOST)?escape_string(query_host_name):escape_string(query_contact_name));
printf("<input type='hidden' name='archive' value='%d'>\n",log_archive);
printf("<tr>\n");
if(query_type==FIND_SERVICE)
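Review bot: The printf in the else branch repeats the escape_string() call in both arms of the conditional, where the removed line wrapped the whole conditional in a single url_encode() call; `escape_string((query_type==FIND_HOST)?query_host_name:query_contact_name)` keeps the line shorter and mirrors the pattern being replaced. Behaviour is identical either way, so this is style only. The enclosing function starts and ends outside the hunk.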
Index: cgi/statusmap.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/statusmap.c,v
retrieving revision 1.40
diff -u -r1.40 statusmap.c
--- cgi/statusmap.c 19 May 2008 18:42:28 -0000 1.40
+++ cgi/statusmap.c 5 Aug 2008 10:04:02 -0000
@@ -700,8 +700,8 @@
printf("<form method=\"POST\" action=\"%s\">\n",STATUSMAP_CGI);
printf("<table border=0 CLASS='optBox'>\n");
printf("<tr><td valign=top>\n");
- printf("<input type='hidden' name='host' value='%s'>\n",url_encode(host_name));
- printf("<input type='hidden' name='layout' value='%d'>\n",layout_method);
+ printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
+ printf("<input type='hidden' name='layout' value='%d'>\n",escape_string(layout_method));
printf("</td><td valign=top>\n");
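Review bot: The new `layout` line passes layout_method to escape_string() and then prints the result with `%d`, which cannot be right on either side: the removed line's `%d` shows layout_method is an integer, so escape_string() would call strlen() on an integer reinterpreted as a pointer, and printf would then read the returned char pointer through `%d`. This line should be left as it was, `printf("<input type='hidden' name='layout' value='%d'>\n",layout_method);` — an integer formatted with `%d` cannot carry HTML metacharacters and needs no escaping. Only the host line in this hunk needs the new call. The enclosing function starts and ends outside the hunk.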
@@ -2390,7 +2390,7 @@
if(get_method==TRUE)
printf("&layer=%s",temp_layer->layer_name);
else
- printf("<input type='hidden' name='layer' value='%s'>\n",temp_layer->layer_name);
+ printf("<input type='hidden' name='layer' value='%s'>\n",escape_string(temp_layer->layer_name));
}
if(get_method==TRUE)
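Review bot: The GET branch two lines above the changed line still emits `temp_layer->layer_name` raw via `printf("&layer=%s",temp_layer->layer_name);`, so the layer name is escaped only in the POST form. If that output is a query-string component inside the page, as the get_method toggle suggests, it should go through `url_encode(temp_layer->layer_name)` there; a name containing `&`, `'` or `<` would otherwise reach the page unencoded on that path while being escaped on the other. The enclosing loop starts before the hunk.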
Index: cgi/trends.c
===================================================================
RCS file: /cvsroot/nagios/nagios/cgi/trends.c,v
retrieving revision 1.41
diff -u -r1.41 trends.c
--- cgi/trends.c 23 Jun 2008 20:47:46 -0000 1.41
+++ cgi/trends.c 5 Aug 2008 10:04:03 -0000
@@ -454,9 +454,9 @@
printf("<input type='hidden' name='nomap' value=''>\n");
printf("<input type='hidden' name='t1' value='%lu'>\n",(unsigned long)t1);
printf("<input type='hidden' name='t2' value='%lu'>\n",(unsigned long)t2);
- printf("<input type='hidden' name='host' value='%s'>\n",url_encode(host_name));
+ printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
if(display_type==DISPLAY_SERVICE_TRENDS)
- printf("<input type='hidden' name='service' value='%s'>\n",url_encode(svc_description));
+ printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
printf("<input type='hidden' name='assumeinitialstates' value='%s'>\n",(assume_initial_states==TRUE)?"yes":"no");
printf("<input type='hidden' name='assumestateretention' value='%s'>\n",(assume_state_retention==TRUE)?"yes":"no");
@@ -858,7 +858,7 @@
printf("<TABLE BORDER=0 cellpadding=5>\n");
printf("<form method=\"GET\" action=\"%s\" name=\"serviceform\">\n",TRENDS_CGI);
printf("<input type='hidden' name='input' value='getoptions'>\n");
- printf("<input type='hidden' name='host' value='%s'>\n",(first_service==NULL)?"unknown":first_service);
+ printf("<input type='hidden' name='host' value='%s'>\n",(first_service==NULL)?"unknown":escape_string(first_service));
printf("<tr><td class='reportSelectSubTitle'>Service:</td>\n");
printf("<td class='reportSelectItem'>\n");
@@ -901,9 +901,9 @@
printf("<TABLE BORDER=0 CELLPADDING=5>\n");
printf("<form method=\"GET\" action=\"%s\">\n",TRENDS_CGI);
- printf("<input type='hidden' name='host' value='%s'>\n",host_name);
+ printf("<input type='hidden' name='host' value='%s'>\n",escape_string(host_name));
if(display_type==DISPLAY_SERVICE_TRENDS)
- printf("<input type='hidden' name='service' value='%s'>\n",svc_description);
+ printf("<input type='hidden' name='service' value='%s'>\n",escape_string(svc_description));
printf("<tr><td class='reportSelectSubTitle' align=right>Report period:</td>\n");
printf("<td class='reportSelectItem'>\n");
Index: include/cgiutils.h.in
===================================================================
RCS file: /cvsroot/nagios/nagios/include/cgiutils.h.in,v
retrieving revision 1.27
diff -u -r1.27 cgiutils.h.in
--- include/cgiutils.h.in 10 Nov 2007 23:34:26 -0000 1.27
+++ include/cgiutils.h.in 5 Aug 2008 10:04:04 -0000
@@ -484,6 +484,7 @@
char * url_encode(char *); /* encodes a string in proper URL format */
char * html_encode(char *,int); /* encodes a string in HTML format (for what the user sees) */
+char * escape_string(char *); /* escape string for html form usage */
void get_time_breakdown(unsigned long,int *,int *,int *,int *); /* given total seconds, get days, hours, minutes, seconds */
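Review bot: The new prototype's comment should state the ownership rule the implementation has, since this header is where callers look: the return value is a buffer owned by cgiutils that the caller must not free (the failure path returns a string literal), e.g. `char * escape_string(char *); /* escapes a string for use inside an HTML form value attribute; result owned by cgiutils, do not free */`. Since the function only reads its argument, `const char *` would also be the more accurate parameter type, though the neighbouring prototypes use plain `char *`.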