From 51599d930477132a863eb547e0ab9b7170dc48f1 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Wed, 9 Apr 2008 16:34:01 +0200 Subject: [PATCH] CVE-2007-5803 Signed-off-by: Ludwig Nussel Conflicts: cgi/cmd.c --- cgi/avail.c | 8 ++-- cgi/cgiutils.c | 24 +++++++------ cgi/cmd.c | 16 +++++----- cgi/histogram.c | 8 ++-- cgi/history.c | 4 +- cgi/notifications.c | 6 ++-- cgi/status.c | 88 +++++++++++++++++++++++++------------------------- cgi/statusmap.c | 2 +- cgi/statuswml.c | 40 +++++++++++----------- cgi/trends.c | 8 ++-- 10 files changed, 103 insertions(+), 101 deletions(-) diff --git a/cgi/avail.c b/cgi/avail.c index 6479b29..7f5c88a 100644 --- a/cgi/avail.c +++ b/cgi/avail.c @@ -511,11 +511,11 @@ int main(int argc, char **argv){ if(display_type==DISPLAY_HOSTGROUP_AVAIL) printf("\n",hostgroup_name); if(display_type==DISPLAY_HOST_AVAIL || display_type==DISPLAY_SERVICE_AVAIL) - printf("\n",host_name); + printf("\n",url_encode(host_name)); if(display_type==DISPLAY_SERVICE_AVAIL) printf("\n",svc_description); if(display_type==DISPLAY_SERVICEGROUP_AVAIL) - printf("\n",servicegroup_name); + printf("\n",url_encode(servicegroup_name)); printf("\n",(assume_initial_states==TRUE)?"yes":"no"); printf("\n",(assume_state_retention==TRUE)?"yes":"no"); @@ -646,11 +646,11 @@ int main(int argc, char **argv){ if(display_type==DISPLAY_HOSTGROUP_AVAIL) printf("\n",hostgroup_name); if(display_type==DISPLAY_HOST_AVAIL || display_type==DISPLAY_SERVICE_AVAIL) - printf("\n",host_name); + printf("\n",url_encode(host_name)); if(display_type==DISPLAY_SERVICE_AVAIL) printf("\n",svc_description); if(display_type==DISPLAY_SERVICEGROUP_AVAIL) - printf("\n",servicegroup_name); + printf("\n",url_encode(servicegroup_name)); printf("\n"); diff --git a/cgi/cgiutils.c b/cgi/cgiutils.c index f09eef0..48b3128 100644 --- a/cgi/cgiutils.c +++ b/cgi/cgiutils.c 
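Review bot: In both cgi/avail.c hunks (-511 and -646) the context lines still pass `hostgroup_name` and `svc_description` to `printf` unchanged, right beside the `host_name` and `servicegroup_name` arguments that this patch wraps in `url_encode()`. If those two variables are filled from request parameters in the same way, this block is only partly covered by the fix and they need the same wrapping: `url_encode(hostgroup_name)` and `url_encode(svc_description)`. The format strings are not legible on this page, so it cannot be confirmed here whether each value lands in a URL or in an HTML attribute; for an attribute value the fitting escape is HTML-entity encoding rather than percent-encoding. Both hunks sit inside `main`, which starts and ends outside them.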
@@ -128,7 +128,7 @@ lifo *lifo_list=NULL; char *my_strtok_buffer=NULL; char *original_my_strtok_buffer=NULL; -char encoded_url_string[MAX_INPUT_BUFFER]; +char encoded_url_string[2][MAX_INPUT_BUFFER]; // 2 to be able use url_encode twice char encoded_html_string[MAX_INPUT_BUFFER]; #ifdef HAVE_TZNAME @@ -1297,46 +1297,48 @@ char * url_encode(char *input){ int len,output_len; int x,y; char temp_expansion[4]; + static int i = 0; + char* str = encoded_url_string[i]; len=(int)strlen(input); - output_len=(int)sizeof(encoded_url_string); + output_len=(int)sizeof(encoded_url_string[0]); - encoded_url_string[0]='\x0'; + str[0]='\x0'; for(x=0,y=0;x<=len && y='0' && (char)input[x]<='9') || ((char)input[x]>='A' && (char)input[x]<='Z') || ((char)input[x]>=(char)'a' && (char)input[x]<=(char)'z') || (char)input[x]==(char)'.' || (char)input[x]==(char)'-' || (char)input[x]==(char)'_'){ - encoded_url_string[y]=input[x]; + str[y]=input[x]; y++; } /* spaces are pluses */ else if((char)input[x]<=(char)' '){ - encoded_url_string[y]='+'; + str[y]='+'; y++; } /* anything else gets represented by its hex value */ else{ - encoded_url_string[y]='\x0'; - if((int)strlen(encoded_url_string)<(output_len-3)){ + str[y]='\x0'; + if((int)strlen(str)<(output_len-3)){ sprintf(temp_expansion,"%%%02X",(unsigned int)input[x]); - strcat(encoded_url_string,temp_expansion); + strcat(str,temp_expansion); y+=3; } } } - encoded_url_string[sizeof(encoded_url_string)-1]='\x0'; + str[sizeof(encoded_url_string[0])-1]='\x0'; - return &encoded_url_string[0]; + return str; } diff --git a/cgi/cmd.c b/cgi/cmd.c index a9cd485..15d7736 100644 --- a/cgi/cmd.c +++ b/cgi/cmd.c @@ -949,10 +949,10 @@ void request_command_data(int cmd){ printf(""); printf("\n"); printf("\n"); printf("\n"); break; @@ -975,10 +975,10 @@ void request_command_data(int cmd){ printf(""); printf("\n"); printf("\n"); printf("\n"); break; 
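Review bot: Nothing visible in the url_encode() hunk (-1297) ever changes the new `static int i`, so `str` is always `encoded_url_string[0]` and the second buffer added in the -128 hunk is never used; the 46-to-48 line count matches the two added declarations, which suggests no toggle is hidden in the part of the loop that is garbled on this page. Calls such as `url_encode(host_name),url_encode(service_desc)` inside one `printf` in cgi/statuswml.c then receive the same pointer twice, so both fields print whichever string was encoded last. Flip the index on every call, `char* str = encoded_url_string[i]; i = !i;`, and state beside the array that at most two results can be live at once. The function also calls `strlen(input)` with no NULL check, and this patch routes many more variables through it; `if(input==NULL) return "";` before that line would keep a missing parameter from crashing the CGI.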
@@ -1158,10 +1158,10 @@ void request_command_data(int cmd){ printf("",service_desc); } printf("\n"); printf("\n"); printf("\n"); @@ -1290,10 +1290,10 @@ void request_command_data(int cmd){ printf("\n"); } printf("\n"); printf("\n"); time(&t); get_time_string(&t,buffer,sizeof(buffer)-1,SHORT_DATE_TIME); diff --git a/cgi/histogram.c b/cgi/histogram.c index 719f4d6..f0f5865 100644 --- a/cgi/histogram.c +++ b/cgi/histogram.c @@ -406,9 +406,9 @@ int main(int argc, char **argv){ printf("\n",HISTOGRAM_CGI); printf("\n",(unsigned long)t1); printf("\n",(unsigned long)t2); - printf("\n",host_name); + printf("\n",url_encode(host_name)); if(display_type==DISPLAY_SERVICE_HISTOGRAM) - printf("\n",svc_description); + printf("\n",url_encode(svc_description)); printf("\n"); @@ -788,9 +788,9 @@ int main(int argc, char **argv){ printf("
Author (Your Name):"); - printf("",comment_author); + printf("",url_encode(comment_author)); printf("
Comment:"); - printf("",comment_data); + printf("",url_encode(comment_data)); printf("
Author (Your Name):"); - printf("",comment_author); + printf("",url_encode(comment_author)); printf("
Comment:"); - printf("",comment_data); + printf("",url_encode(comment_data)); printf("
Author (Your Name):"); - printf("",comment_author); + printf("",url_encode(comment_author)); printf("
Comment:"); - printf("",comment_data); + printf("",url_encode(comment_data)); printf("

Author (Your Name):"); - printf("",comment_author); + printf("",url_encode(comment_author)); printf("
Comment:"); - printf("",comment_data); + printf("",url_encode(comment_data)); printf("
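Review bot: `comment_author` and `comment_data` are percent-encoded in all four request_command_data() hunks (-949, -975, -1158, -1290), although the surrounding strings (`Author (Your Name):`, `Comment:`) indicate that they pre-fill form fields shown to the operator. If so, the operator sees and re-submits altered text (constructed example: `My+comment%21` instead of `My comment!`), and the stored comment changes with it. The markup in the format strings is stripped on this page, so this is inferred rather than confirmed. For a form field value the fitting escape is HTML-entity encoding of `<`, `>`, `&` and quotes, which neutralises the markup without changing the data.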
Report period:Assume state retention:
\n"); printf("\n",HISTOGRAM_CGI); - printf("\n",host_name); + printf("\n",url_encode(host_name)); if(display_type==DISPLAY_SERVICE_HISTOGRAM) - printf("\n",svc_description); + printf("\n",url_encode(svc_description)); printf("\n"); printf("
Report Period:\n"); diff --git a/cgi/history.c b/cgi/history.c index 4fc8f1a..6b1ad51 100644 --- a/cgi/history.c +++ b/cgi/history.c @@ -201,9 +201,9 @@ int main(void){ printf("\n"); printf("\n",HISTORY_CGI); - printf("\n",(show_all_hosts==TRUE)?"all":host_name); + printf("\n",(show_all_hosts==TRUE)?"all":url_encode(host_name)); if(display_type==DISPLAY_SERVICES) - printf("\n",svc_description); + printf("\n",url_encode(svc_description)); printf("\n",log_archive); printf("\n"); diff --git a/cgi/notifications.c b/cgi/notifications.c index 6a0761a..b5ff341 100644 --- a/cgi/notifications.c +++ b/cgi/notifications.c @@ -212,11 +212,11 @@ int main(void){ printf("
\n"); printf("\n",NOTIFICATIONS_CGI); if(query_type==FIND_SERVICE){ - printf("\n",query_host_name); - printf("\n",query_svc_description); + printf("\n",url_encode(query_host_name)); + printf("\n",url_encode(query_svc_description)); } else - printf("\n",(query_type==FIND_HOST)?"host":"contact",(query_type==FIND_HOST)?query_host_name:query_contact_name); + printf("\n",(query_type==FIND_HOST)?"host":"contact",url_encode((query_type==FIND_HOST)?query_host_name:query_contact_name)); printf("\n",log_archive); printf("\n"); if(query_type==FIND_SERVICE) diff --git a/cgi/status.c b/cgi/status.c index 737cb21..e412def 100644 --- a/cgi/status.c +++ b/cgi/status.c @@ -821,11 +821,11 @@ void show_service_status_totals(void){ printf("\n"); @@ -833,11 +833,11 @@ void show_service_status_totals(void){ printf("\n"); @@ -845,11 +845,11 @@ void show_service_status_totals(void){ printf("\n"); @@ -857,11 +857,11 @@ void show_service_status_totals(void){ printf("\n"); @@ -869,11 +869,11 @@ void show_service_status_totals(void){ printf("\n"); @@ -910,11 +910,11 @@ void show_service_status_totals(void){ printf("\n"); @@ -922,11 +922,11 @@ void show_service_status_totals(void){ printf("\n"); @@ -1035,11 +1035,11 @@ void show_host_status_totals(void){ printf("
"); printf("",host_status_types); printf("Ok"); printf("",host_status_types); printf("Warning"); printf("",host_status_types); printf("Unknown"); printf("",host_status_types); printf("Critical"); printf("",host_status_types); printf("Pending"); printf("",host_status_types); printf("All Problems"); printf("",host_status_types); printf("All Types"); printf(""); printf(""); printf(""); printf(""); printf(""); printf("\n"); printf("
\n"); printf("\n",STATUSMAP_CGI); - printf("\n",host_name); + printf("\n",url_encode(host_name)); printf("\n",layout_method); printf("\n"); diff --git a/cgi/statuswml.c b/cgi/statuswml.c index 8ef099f..0e40894 100644 --- a/cgi/statuswml.c +++ b/cgi/statuswml.c @@ -621,7 +621,7 @@ void display_hostgroup_overview(void){ printf("\n"); printf("

\n"); - printf("Status Overview

\n",STATUSWML_CGI,hostgroup_name); + printf("Status Overview

\n",STATUSWML_CGI,url_encode(hostgroup_name)); /* check all hostgroups */ for(temp_hostgroup=hostgroup_list;temp_hostgroup!=NULL;temp_hostgroup=temp_hostgroup->next){ @@ -704,7 +704,7 @@ void display_hostgroup_summary(void){ printf("\n"); printf("

\n"); - printf("Status Summary

\n",STATUSWML_CGI,hostgroup_name); + printf("Status Summary

\n",STATUSWML_CGI,url_encode(hostgroup_name)); /* check all hostgroups */ for(temp_hostgroup=hostgroup_list;temp_hostgroup!=NULL;temp_hostgroup=temp_hostgroup->next){ @@ -926,7 +926,7 @@ void display_host(void){ printf("

\n"); printf("
\n"); - printf("View Services\n",STATUSWML_CGI,host_name); + printf("View Services\n",STATUSWML_CGI,url_encode(host_name)); printf("Host Commands\n"); printf("

\n"); @@ -945,23 +945,23 @@ void display_host(void){ printf("Acknowledge Problem\n"); if(temp_hoststatus->checks_enabled==FALSE) - printf("Enable Host Checks
\n",COMMAND_CGI,host_name,CMD_ENABLE_HOST_CHECK,CMDMODE_COMMIT); + printf("Enable Host Checks
\n",COMMAND_CGI,url_encode(host_name),CMD_ENABLE_HOST_CHECK,CMDMODE_COMMIT); else - printf("Disable Host Checks
\n",COMMAND_CGI,host_name,CMD_DISABLE_HOST_CHECK,CMDMODE_COMMIT); + printf("Disable Host Checks
\n",COMMAND_CGI,url_encode(host_name),CMD_DISABLE_HOST_CHECK,CMDMODE_COMMIT); if(temp_hoststatus->notifications_enabled==FALSE) - printf("Enable Host Notifications
\n",COMMAND_CGI,host_name,CMD_ENABLE_HOST_NOTIFICATIONS,CMDMODE_COMMIT); + printf("Enable Host Notifications
\n",COMMAND_CGI,url_encode(host_name),CMD_ENABLE_HOST_NOTIFICATIONS,CMDMODE_COMMIT); else - printf("Disable Host Notifications
\n",COMMAND_CGI,host_name,CMD_DISABLE_HOST_NOTIFICATIONS,CMDMODE_COMMIT); + printf("Disable Host Notifications
\n",COMMAND_CGI,url_encode(host_name),CMD_DISABLE_HOST_NOTIFICATIONS,CMDMODE_COMMIT); - printf("Enable All Service Checks
\n",COMMAND_CGI,host_name,CMD_ENABLE_HOST_SVC_CHECKS,CMDMODE_COMMIT); + printf("Enable All Service Checks
\n",COMMAND_CGI,url_encode(host_name),CMD_ENABLE_HOST_SVC_CHECKS,CMDMODE_COMMIT); - printf("Disable All Service Checks
\n",COMMAND_CGI,host_name,CMD_DISABLE_HOST_SVC_CHECKS,CMDMODE_COMMIT); + printf("Disable All Service Checks
\n",COMMAND_CGI,url_encode(host_name),CMD_DISABLE_HOST_SVC_CHECKS,CMDMODE_COMMIT); - printf("Enable All Service Notifications
\n",COMMAND_CGI,host_name,CMD_ENABLE_HOST_SVC_NOTIFICATIONS,CMDMODE_COMMIT); + printf("Enable All Service Notifications
\n",COMMAND_CGI,url_encode(host_name),CMD_ENABLE_HOST_SVC_NOTIFICATIONS,CMDMODE_COMMIT); - printf("Disable All Service Notifications
\n",COMMAND_CGI,host_name,CMD_DISABLE_HOST_SVC_NOTIFICATIONS,CMDMODE_COMMIT); + printf("Disable All Service Notifications
\n",COMMAND_CGI,url_encode(host_name),CMD_DISABLE_HOST_SVC_NOTIFICATIONS,CMDMODE_COMMIT); printf("

\n"); @@ -981,7 +981,7 @@ void display_host(void){ printf("\n"); printf("\n"); - printf("\n",COMMAND_CGI,host_name,CMD_ACKNOWLEDGE_HOST_PROBLEM,CMDMODE_COMMIT); + printf("\n",COMMAND_CGI,url_encode(host_name),CMD_ACKNOWLEDGE_HOST_PROBLEM,CMDMODE_COMMIT); printf("\n"); printf("

\n"); @@ -1001,7 +1001,7 @@ void display_host_services(void){ /**** MAIN SCREEN (CARD 1) ****/ printf("\n"); printf("

\n"); - printf("Host '%s' Services
\n",host_name,host_name,STATUSWML_CGI,host_name); + printf("Host '%s' Services
\n",url_encode(host_name),host_name,STATUSWML_CGI,url_encode(host_name)); printf("\n"); @@ -1142,7 +1142,7 @@ void display_service(void){ printf("
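Review bot: The second argument of this `printf` is still plain `host_name`, so one of the four substitutions in the line keeps emitting the request value unescaped while its neighbours are wrapped in `url_encode()`. The visible `Host '%s' Services` text suggests that this slot is display text, where an HTML/WML entity escape is needed rather than percent-encoding. The cgi/cgiutils.c context shows an `encoded_html_string` buffer, so an HTML encoder presumably exists next to `url_encode()`; confirm that and use it for this argument. display_host_services() continues outside the hunk.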
\n"); printf("
\n"); - printf("View Host\n",STATUSWML_CGI,host_name); + printf("View Host\n",STATUSWML_CGI,url_encode(host_name)); printf("Svc. Commands\n"); printf("

\n"); @@ -1158,16 +1158,16 @@ void display_service(void){ printf("Acknowledge Problem\n"); if(temp_servicestatus->checks_enabled==FALSE) - printf("Enable Checks
\n",COMMAND_CGI,host_name,service_desc,CMD_ENABLE_SVC_CHECK,CMDMODE_COMMIT); + printf("Enable Checks
\n",COMMAND_CGI,url_encode(host_name),url_encode(service_desc),CMD_ENABLE_SVC_CHECK,CMDMODE_COMMIT); else{ - printf("Disable Checks
\n",COMMAND_CGI,host_name,service_desc,CMD_DISABLE_SVC_CHECK,CMDMODE_COMMIT); - printf("Schedule Immediate Check
\n",COMMAND_CGI,host_name,service_desc,(unsigned long)current_time,CMD_SCHEDULE_SVC_CHECK,CMDMODE_COMMIT); + printf("Disable Checks
\n",COMMAND_CGI,url_encode(host_name),url_encode(service_desc),CMD_DISABLE_SVC_CHECK,CMDMODE_COMMIT); + printf("Schedule Immediate Check
\n",COMMAND_CGI,url_encode(host_name),url_encode(service_desc),(unsigned long)current_time,CMD_SCHEDULE_SVC_CHECK,CMDMODE_COMMIT); } if(temp_servicestatus->notifications_enabled==FALSE) - printf("Enable Notifications
\n",COMMAND_CGI,host_name,service_desc,CMD_ENABLE_SVC_NOTIFICATIONS,CMDMODE_COMMIT); + printf("Enable Notifications
\n",COMMAND_CGI,url_encode(host_name),url_encode(service_desc),CMD_ENABLE_SVC_NOTIFICATIONS,CMDMODE_COMMIT); else - printf("Disable Notifications
\n",COMMAND_CGI,host_name,service_desc,CMD_DISABLE_SVC_NOTIFICATIONS,CMDMODE_COMMIT); + printf("Disable Notifications
\n",COMMAND_CGI,url_encode(host_name),url_encode(service_desc),CMD_DISABLE_SVC_NOTIFICATIONS,CMDMODE_COMMIT); printf("

\n"); @@ -1187,7 +1187,7 @@ void display_service(void){ printf("\n"); printf("\n"); - printf("\n",COMMAND_CGI,host_name,service_desc,CMD_ACKNOWLEDGE_SVC_PROBLEM,CMDMODE_COMMIT); + printf("\n",COMMAND_CGI,url_encode(host_name),url_encode(service_desc),CMD_ACKNOWLEDGE_SVC_PROBLEM,CMDMODE_COMMIT); printf("\n"); printf("

\n"); diff --git a/cgi/trends.c b/cgi/trends.c index 3998fe7..f58778c 100644 --- a/cgi/trends.c +++ b/cgi/trends.c @@ -451,9 +451,9 @@ int main(int argc, char **argv){ printf("\n"); printf("\n",(unsigned long)t1); printf("\n",(unsigned long)t2); - printf("\n",host_name); + printf("\n",url_encode(host_name)); if(display_type==DISPLAY_SERVICE_TRENDS) - printf("\n",svc_description); + printf("\n",url_encode(svc_description)); printf("\n",(assume_initial_states==TRUE)?"yes":"no"); printf("\n",(assume_state_retention==TRUE)?"yes":"no"); @@ -897,9 +897,9 @@ int main(int argc, char **argv){ printf("\n"); printf("\n",TRENDS_CGI); - printf("\n",host_name); + printf("\n",url_encode(host_name)); if(display_type==DISPLAY_SERVICE_TRENDS) - printf("\n",svc_description); + printf("\n",url_encode(svc_description)); printf("\n"); printf("
Report period:\n"); -- 1.5.3.4