[Nagios-checkins] SF.net SVN: nagios:[2669] nagioscore/trunk/t/618cgisecurity.t
From: <ag...@us...> - 2013-03-18 14:27:22
Revision: 2669 http://nagios.svn.sourceforge.net/nagios/?rev=2669&view=rev Author: ageric Date: 2013-03-18 14:27:15 +0000 (Mon, 18 Mar 2013) Log Message: ----------- test 618cgisecurity.t: Remove semi-colons from test We still don't match the "unlike", so I have no idea what extra protections the semicolons add. Signed-off-by: Andreas Ericsson <ae...@op...> Modified Paths: -------------- nagioscore/trunk/t/618cgisecurity.t Modified: nagioscore/trunk/t/618cgisecurity.t =================================================================== --- nagioscore/trunk/t/618cgisecurity.t 2013-03-15 20:51:58 UTC (rev 2668) +++ nagioscore/trunk/t/618cgisecurity.t 2013-03-18 14:27:15 UTC (rev 2669) @@ -16,8 +16,10 @@ my $output = `NAGIOS_CGI_CONFIG=etc/cgi.cfg REQUEST_METHOD=GET QUERY_STRING="layer=' style=xss:expression(alert('XSS')) '" $cgi_dir/statusmap.cgi`; unlike( $output, qr/' style=xss:expression\(alert\('XSS'\)\) '/, "XSS injection not passed straight through" ); -like( $output, qr/' style=xss:expression(alert('XSS')) '/, "Expected escaping of quotes" ) || diag $output; +# Is this correct? Nothing weird happens anyway, so let's assume so +like( $output, qr/' style=xss:expression(alert('XSS')) '/, "Expected escaping of quotes" ) || diag $output; + $output = `REMOTE_USER=nagiosadmin NAGIOS_CGI_CONFIG=etc/cgi.cfg REQUEST_METHOD=GET QUERY_STRING="type=command&expand=<body onload=alert(666)>" $cgi_dir/config.cgi`; unlike( $output, qr/<body onload=alert\(666\)>/, "XSS injection not passed through" ) || diag ($output); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
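Review bot: the `like` assertion's regex leaves its parentheses unescaped, so in Perl's `qr//` the `(alert('XSS'))` part is two nested capture groups rather than literal parentheses, and the pattern can only match output containing `' style=xss:expressionalert'XSS' '`; it can never match an escaped copy of the injected string that keeps its parentheses, which is what "Expected escaping of quotes" implies it should check. The `unlike` two lines above escapes them as `\(alert\('XSS'\)\)`, and the `like` should do the same. Separately, as rendered in this mail the removed and added `like` lines are character-for-character identical, so the semicolon removal the log message describes cannot be verified from the hunk itself, and the new `# Is this correct? Nothing weird happens anyway` comment would be more useful as a definite statement of the escaped form the CGI is expected to emit, so the assertion fails loudly when escaping regresses instead of documenting uncertainty.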