[Pkg-nagios-devel] How to handle plugins with HTML output

sean finney seanius at debian.org
Thu May 22 12:48:58 UTC 2008


hi marc,

On Sunday 04 May 2008 09:22:46 am Marc Haber wrote:
> Hi,
>
> I would like to solicit your opinion about #474967, where the bug
> submitter complains that Nagios no longer passes HTML output of a
> plugin verbatim to the web interface.
>
> I am inclined to tag this bug "wontfix", as allowing HTML output to be
> handed through from a plugin to the web interface might expose the web
> interface to XSS and/or other attacks.

yes, in fact see #416814, where the opposite bug was filed against nagios (for 
versions << 2.11 when the sanitization started).

> But alas, I don't know enough about web attacks to be an appropriate
> judge for this.

there isn't really an easy and safe way to allow it.  i suppose a feature 
request upstream could be sent to let the local admin disable the escaping 
for "trusted" sites, or to somehow cram it through libtidy, or perhaps just 
notice urls in the escaped output and arbitrarily rewrite them as links.

but if there has to be a hard-coded behaviour i think the new behaviour is the 
safer of the two.



	sean
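Added example, not code from this thread or from the nagios sources: the third option sean mentions (escape the plugin output, then notice URLs in the escaped text and rewrite them as links) in Python, next to the pre-2.11 verbatim pass-through that #416814 was about. The function names, the regular expression and the sample plugin output lines are all constructed for illustration; nagios itself does its escaping in the C CGIs, not like this.

```python
import html
import re

# Matches an absolute http(s) URL inside text that has ALREADY been HTML-escaped.
# Only http:// and https:// are recognised, so "javascript:" and friends are never
# turned into links.  Trailing sentence punctuation (".", ",", ")" ...) is left
# outside the match; ";" is deliberately not in that set so that escaped
# entities such as "&quot;" at the end of a URL stay intact.
_URL_RE = re.compile(r'https?://[^\s]+?(?=[.,:!?)]*(?:\s|$))')


def render_verbatim(raw: str) -> str:
    """The old (pre-2.11) behaviour: plugin output goes to the page untouched.
    Any plugin, or anything that can influence a plugin's output, can inject
    markup into the status page."""
    return raw


def render_plugin_output(raw: str) -> str:
    """Escape first, linkify second (hypothetical helper, not nagios code).

    Because the URL is taken from the *escaped* text, '"', '<', '>' and '&'
    inside it are already entity-encoded, so dropping it into href="..." and
    into the link body is safe without any further quoting."""
    escaped = html.escape(raw, quote=True)

    def linkify(match: "re.Match[str]") -> str:
        url = match.group(0)
        return f'<a href="{url}">{url}</a>'

    return _URL_RE.sub(linkify, escaped)


if __name__ == "__main__":
    # Constructed sample plugin output lines.
    samples = [
        "CRITICAL - <script>alert(1)</script>",
        "OK - see http://example.com/?a=1&b=2 for details",
        'WARNING http://evil.example/" onmouseover="alert(1)',
        "OK - javascript:alert(1)",
    ]
    for line in samples:
        print("verbatim :", render_verbatim(line))
        print("escaped  :", render_plugin_output(line))
        print()
```

The point of the ordering is that the href value never needs its own quoting step: a plugin output line containing a double quote after a URL ends up as `&quot;` inside the attribute rather than closing it, and a query string's `&` becomes `&amp;`, which a browser decodes back to `&` when it reads the attribute.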