Bug#284897: [Pkg-nagios-devel] Bug#284897: nagios-pgsql: nagios eats single quotes in problem acknowledgement email messages

alet@unice.fr, 284897@bugs.debian.org alet@unice.fr, 284897@bugs.debian.org
Thu, 16 Dec 2004 10:27:30 +0100


--+nBD6E3TurpgldQp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

On Thu, Dec 16, 2004 at 01:54:53AM -0500, sean finney wrote:
>=20
> take a look at what i found:
>=20
> /etc/nagios/nagios.cfg:illegal_macro_output_chars=3D`~$&|'"<>
>=20
> also, in the nagios source, it strips out any ascii characters greater
> than decimal 166:
>=20
>                         /* illegal ASCII characters */
>                         if(ch<32 || ch=3D=3D127)
>                                 continue;

ok

>                         /* illegal extended ASCII characters */
>                         if(ch>=3D166)
>                                 continue;

this one sucks big time for non-english people !

what about using unicode strings ?

>                         /* illegal user-specified characters */
>                         illegal_char=3DFALSE;
>                         if(illegal_output_chars!=3DNULL){
>                                 for(z=3D0;illegal_output_chars[z]!=3D'\x0=
';z++){
>                                         if(ch=3D=3D(int)illegal_output_ch=
ars[z]){
>                                                 illegal_char=3DTRUE;
>                                                 break;
>                                                 }
>                                         }
>                                 }
>=20
> so this is in fact by design.  can you verify that changing
> the mentioned variable gets it to stop eating those special chars?

yes, now I've got the simple quote

but of course some accented letters still don't work
=20
> if this does solve the initial problem i'll lower the severity of
> this to "wishlist" and forward a request upstream to the nagios folks
> asking to provide a way to allow the high ascii chars.

yes.

the problem is that the string is NOT the result of a command,
but a comment typed in by the particular nagios admin for the=20
service problem being acknowledged.

while I understand the security problem which may occur, I think
that access to nagios should be reserved to trusted people anyway,
so allowing them to type "unsafe" characters in their own
native language would be a great bonus...

also, for the single quote, it is also used in english, so it's
difficult to understand why it's stripped out of comments when
sending the notifications.

bye, and thanks for your time

Jerome Alet

--+nBD6E3TurpgldQp
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBwVUCyl5Sl04/FQQRAuGFAJ0Y5dp13ROYvnm/WB8DkzmgciMqZgCeOpmL
kmiwIfHEi/M0s2zDbgy6u9M=
=mvnI
-----END PGP SIGNATURE-----

--+nBD6E3TurpgldQp--