Hi,
I found one issue in NagiosQL 3.4.0.
I'm using the check_snmp plugin with an argument which includes the char '
for ex.
-o .1.3.6.1.4.1.318.1.1.1.4.1.1.0 -w 2 -c 8 -l 'Source of Output'
When I save the record and open it again, the chars are replaced by ASCII codes, but Nagios can't work with this and all commands end with an error. I think this is a problem related to the last version. The same problem is with the char "
-o .1.3.6.1.4.1.318.1.1.1.4.1.1.0 -w 2 -c 8 -l &#39;Source of Output&#39;
Could you please help me with how I can use the syntax with the char ' or " ?
Thanks
Last edit: Petr M. 2018-09-21
Currently I can't reproduce this behavior.
When I save 'Source of Output' to an $ARG1$ field in the service configuration, store and open this configuration again, there is still 'Source of Output' in this field.
The same with "command line" in "Command definition".
Also the double quote works as expected. Are you sure you work with the latest version of 3.4.0?
The argument and text fields normally use the FILTER flag FILTER_FLAG_NO_ENCODE_QUOTES, which should prevent the rewriting of the quotation marks.
Hi Martin,
thanks for the answer. Yes, I'm on 3.4.0. I'm using the characters " and ' in $ARG2$ and $ARG3$, but I don't think there is a difference between $ARG1$ and $ARG2$.
Every time I save the record, the chars are replaced.
Could I provide you any information which can help you to find the issue?
The MariaDB database is encoded with utf8_unicode_ci. The server is running on the latest version of Debian with the latest stable packages. The DB version is 10.1.26-MariaDB-0+deb9u1 - Debian 9.1.
Thanks for your help. Petr
Can you download NagiosQL 3.4.0 from here again and replace your local code? There have been some hotfixes since the release date. If you downloaded 3.4.0 a long time ago, it may not be the latest version including all fixes.
Hi Martin,
it's a good point. I had downloaded and installed the oldest 3.4.0 version. I replaced the files with the current version from this website and everything seems OK.
Thank you for your help.
Petr
Hi Martin,
I found another similar issue with characters in the latest downloaded 3.4.0.
I have configured the check with the command:
path=C:\Scripts\SMS "max-depth=2" "filter=filename='temp.dat'" "critical=count<1"
but in the saved config there is only:
path=C:\Scripts\SMS "max-depth=2" "filter=filename='temp.dat'" "critical=count
What's wrong, please? It seems that there is some problem with the char < or >
Thanks, Petr
This is because form input is changed to filter HTML tags and other characters to prevent cross-site scripting and SQL injections.
< and > denote HTML tags and are therefore filtered by the function FILTER_SANITIZE_STRING.
You are free to change these filters on your own responsibility. The file is this:
/functions/prepend_content.php
(https://gitlab.com/wizonet/nagiosql/blob/3.4.0/functions/prepend_content.php)
For the argument fields e.g.
$$tmpVar = filter_input(INPUT_POST, 'tfArg'.$i, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
change to
$$tmpVar = filter_input(INPUT_POST, 'tfArg'.$i, FILTER_UNSAFE_RAW);
However, for security reasons, I do not want to do this in the distribution, as this makes the code vulnerable to attackers or requires complex additional safeguards that are difficult to implement and test.
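As an added illustration (not NagiosQL's own code), the script below runs the three filter variants discussed in this thread over the two argument strings Petr posted. It uses filter_var() on constructed input in place of filter_input(INPUT_POST, ...) so it runs offline, and shows htmlspecialchars() at the output boundary as the alternative safeguard when input is stored raw.

```php
<?php
// Added example, not NagiosQL code: what each filter variant from the thread
// does to the two argument strings reported above. filter_var() stands in for
// filter_input(INPUT_POST, 'tfArg'.$i, ...) so this runs on constructed input.
// Note: FILTER_SANITIZE_STRING still works but is deprecated since PHP 8.1.

$samples = [
    "-o .1.3.6.1.4.1.318.1.1.1.4.1.1.0 -w 2 -c 8 -l 'Source of Output'",
    'path=C:\Scripts\SMS "max-depth=2" "filter=filename=\'temp.dat\'" "critical=count<1"',
];

$variants = [
    // No flag: ' becomes &#39; and " becomes &#34; (the first report in this thread).
    'SANITIZE_STRING'            => [FILTER_SANITIZE_STRING, 0],
    // NO_ENCODE_QUOTES keeps the quotes, but strip-tags logic still treats the
    // unterminated <1" as a tag and drops everything from < onwards (second report).
    'SANITIZE_STRING+NO_QUOTES'  => [FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES],
    // UNSAFE_RAW changes nothing on input; the value is then only as safe as
    // the escaping applied wherever it is later written out.
    'UNSAFE_RAW'                 => [FILTER_UNSAFE_RAW, 0],
];

function applyFilter(string $value, int $filter, int $flags): string
{
    return (string) filter_var($value, $filter, $flags);
}

foreach ($samples as $input) {
    echo "INPUT                     : $input\n";
    foreach ($variants as $name => [$filter, $flags]) {
        printf("%-26s: %s\n", $name, applyFilter($input, $filter, $flags));
    }
    // If the raw value is stored, escape it at the point where it is rendered
    // back into the HTML form (attribute context, all quotes encoded):
    $forHtmlAttr = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo "HTML-escaped on output    : value=\"$forHtmlAttr\"\n";
    // The copy written to the Nagios config file needs no HTML treatment at all,
    // and neither filter addresses SQL injection: that is the job of bound
    // parameters in the database layer.
    echo "\n";
}
```

Running it reproduces both behaviours from the thread: the first variant yields `&#39;Source of Output&#39;`, the second cuts the Windows command off at `"critical=count`, and only the raw variant keeps the input intact.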