[Pkg-nagios-devel] How to handle plugins with HTML output
Marc Haber
mh+pkg-nagios-devel at zugschlus.de
Thu May 22 12:21:50 UTC 2008
sean's original message seems to have been eaten by Mailman, a bounce
that I tried an hour ago didn't work wither, so I'll quote it into the
archive.
On Sun, May 04, 2008 at 12:37:05PM +0200, sean finney wrote:
> From: sean finney <seanius at debian.org>
> Subject: Re: [Pkg-nagios-devel] How to handle plugins with HTML output
> To: pkg-nagios-devel at lists.alioth.debian.org
> Cc: Marc Haber <mh+pkg-nagios-devel at zugschlus.de>
> Date: Sun, 4 May 2008 12:37:05 +0200
>
> hi marc,
>
> On Sunday 04 May 2008 09:22:46 am Marc Haber wrote:
> > Hi,
> >
> > I would like to solicit your opinion about #474967, where the bug
> > submitter complains that Nagios no longer passes HTML output of a
> > plugin verbatim to the web interface.
> >
> > I am inclined to tag this bug "wontfix", as allowing HTML output to be
> > handed through from a plugin to the web interface might expose the web
> > interface to XSS and/or other attacks.
>
> yes, in fact see #416814, where the opposite bug was filed against nagios (for
> versions << 2.11 when the sanitization started).
>
> > But alas, I don't know enough about web attacks to be an appropriate
> > judge for this.
>
> there isn't really an easy and safe way to allow it. i suppose a feature
> request upstream could be sent to let the local admin disable the escaping
> for "trusted" sites, or to somehow cram it through libtidy, or perhaps just
> notice urls in the escaped output and arbitrarily rewrite them as links.
>
> but if there has to be a hard-coded behaviour i think the new behaviour is the
> safer of the two.
>
>
>
> sean
More information about the Pkg-nagios-devel
mailing list