[Pkg-nagios-devel] How to handle plugins with HTML output

Marc Haber mh+pkg-nagios-devel at zugschlus.de
Thu May 22 12:21:50 UTC 2008


sean's original message seems to have been eaten by Mailman, a bounce
that I tried an hour ago didn't work either, so I'll quote it into the
archive.

On Sun, May 04, 2008 at 12:37:05PM +0200, sean finney wrote:
> From: sean finney <seanius at debian.org>
> Subject: Re: [Pkg-nagios-devel] How to handle plugins with HTML output
> To: pkg-nagios-devel at lists.alioth.debian.org
> Cc: Marc Haber <mh+pkg-nagios-devel at zugschlus.de>
> Date: Sun, 4 May 2008 12:37:05 +0200
> 
> hi marc,
> 
> On Sunday 04 May 2008 09:22:46 am Marc Haber wrote:
> > Hi,
> >
> > I would like to solicit your opinion about #474967, where the bug
> > submitter complains that Nagios no longer passes HTML output of a
> > plugin verbatim to the web interface.
> >
> > I am inclined to tag this bug "wontfix", as allowing HTML output to be
> > handed through from a plugin to the web interface might expose the web
> > interface to XSS and/or other attacks.
> 
> yes, in fact see #416814, where the opposite bug was filed against nagios (for 
> versions << 2.11 when the sanitization started).
> 
> > But alas, I don't know enough about web attacks to be an appropriate
> > judge for this.
> 
> there isn't really an easy and safe way to allow it.  i suppose a feature 
> request upstream could be sent to let the local admin disable the escaping 
> for "trusted" sites, or to somehow cram it through libtidy, or perhaps just 
> notice urls in the escaped output and arbitrarily rewrite them as links.
> 
> but if there has to be a hard-coded behaviour i think the new behaviour is the 
> safer of the two.
> 
> 
> 
> 	sean
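For reference, here is an added illustration of the third option sean mentions (escape everything, then turn URLs in the output into links). It is not Nagios code; the plugin output strings are constructed samples, and the link rewriter only recognises plain http(s) URLs.

```python
import html
import re

# Only http(s) URLs built from RFC 3986 characters are recognised. Quotes,
# angle brackets and whitespace are deliberately excluded, so a URL can never
# carry markup or break out of the href attribute.
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+")
TRAILING_PUNCT = ".,;:)"


def render_plugin_output(text: str) -> str:
    """Escape plugin output for the web UI, rendering safe URLs as links.

    Every character of the plugin's output is HTML-escaped (the post-2.11
    behaviour discussed in the thread), so a plugin cannot inject markup.
    The only markup emitted is an <a> element whose href and link text are
    both the escaped URL; schemes such as javascript: are never linked.
    """
    out = []
    pos = 0
    for m in URL_RE.finditer(text):
        raw = m.group(0)
        # Punctuation that usually closes a sentence is not part of the URL.
        trail = len(raw) - len(raw.rstrip(TRAILING_PUNCT))
        url = html.escape(raw[: len(raw) - trail], quote=True)
        out.append(html.escape(text[pos : m.start()], quote=True))
        out.append(f'<a href="{url}">{url}</a>')
        pos = m.end() - trail
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


# Constructed sample outputs: a benign one and two hostile ones.
SAMPLES = [
    "CHECK OK - details at http://wiki.example.test/disk?h=db1&v=2",
    'WARNING <script>alert(1)</script> http://a.test/x" onmouseover="x',
    "CRITICAL - see javascript:alert(1) or (http://a.test/x).",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(render_plugin_output(sample))
```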
