several reports will not allow submitting parameters

Bug #322952 reported by Eli Morris-Heft on 2009-01-29
Affects: nagios3 (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: nagios3

Ubuntu Release: 8.10 (Intrepid Ibex)
Package Version: 3.0.2-1ubuntu1.1

This occurs on certain reports, namely Trends, Notifications, History, and Histogram.
To reproduce:
1. Select a host or service with a character that requires URL-encoding (like a space).
2. Select one of the affected reports (i.e. 'View Trends for the Service')
3. Click "Update". (Whether or not the parameters actually change is irrelevant.)
4. Nagios will report that you do not have the correct permissions to view that report.

The reason Nagios reports this is because the service name or host name is being double url-encoded. For example, 'Check Load' becomes 'Check+Load' which turns into 'Check%2BLoad' on submit. Nagios doesn't have a service called 'Check+Load', only one called 'Check Load', so it fails.

Here's a diff for the changes necessary. I apologize if this isn't in the preferred format; I couldn't find clear documentation detailing how patches like this should be submitted.

Thierry Carrez (ttx) wrote:

Thank you for taking the time to report this bug and helping to make Ubuntu better.

The url_encode calls were added in 3.0.2 to fix XSS security issues; however, the implementation was buggy, as you saw.

It was later fixed in 3.0.4 by using a new "escape_string" function. We need to pull that one (from cgi/cgiutils.c) to properly fix this bug, together with all the CGIs modified to take advantage of it.

I am closing this bug because it has been fixed in the latest development version of Ubuntu - the Jaunty Jackalope.

If you need a fix for the bug for 8.10, please do steps 1 and 2 of the SRU Procedure [1] to bring the need to a developer's attention.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates#Procedure

Changed in nagios3:
status: New → Fix Released
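The following is an added example, not code from Nagios or from this bug report, that reproduces the double-encoding failure the report describes and shows why the output-escaping route Thierry's comment mentions is a separate concern. The helpers url_encode, url_decode, html_escape and service_lookup_succeeds are hypothetical stand-ins written for this illustration and are not the functions in cgi/cgiutils.c; 'Check Load' is the sample service name taken from the report. A value that goes into a link parameter must be percent-encoded exactly once; encoding the already-encoded 'Check+Load' a second time yields 'Check%2BLoad', which the server decodes back to 'Check+Load' and cannot match to any configured service. Text that is written into the HTML page body or an attribute needs HTML entity escaping instead, which leaves the underlying service name unchanged.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical form-style URL encoder (not Nagios' url_encode): unreserved
 * characters pass through, space becomes '+', everything else becomes %XX.
 * Returns the number of bytes written, excluding the terminating NUL. */
static size_t url_encode(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            if (n + 1 >= outlen) break;
            out[n++] = (char)c;
        } else if (c == ' ') {
            if (n + 1 >= outlen) break;
            out[n++] = '+';
        } else {
            if (n + 3 >= outlen) break;
            n += (size_t)snprintf(out + n, outlen - n, "%%%02X", c);
        }
    }
    out[n] = '\0';
    return n;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode exactly one level, as a CGI does with its query string:
 * '+' -> space, %XX -> byte. Returns 0 on success, -1 on a malformed escape. */
static int url_decode(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in && n + 1 < outlen; in++) {
        if (*in == '+') {
            out[n++] = ' ';
        } else if (*in == '%') {
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (lo < 0) { out[n] = '\0'; return -1; }
            out[n++] = (char)(hi * 16 + lo);
            in += 2;
        } else {
            out[n++] = *in;
        }
    }
    out[n] = '\0';
    return 0;
}

/* Hypothetical HTML escaper for text and attribute context (the job the
 * comment above attributes to escape_string). Returns bytes written. */
static size_t html_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, '\0' };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        if (n + len >= outlen) break;
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return n;
}

/* Simulate the report form: the service name is URL-encoded 'passes' times
 * while the link is built, the server decodes the query string once, then
 * looks the name up. Returns 1 if the lookup would find the service. */
static int service_lookup_succeeds(const char *service, int passes,
                                   char *decoded, size_t outlen)
{
    char buf[256], tmp[256];
    snprintf(buf, sizeof buf, "%s", service);
    for (int i = 0; i < passes; i++) {
        url_encode(buf, tmp, sizeof tmp);
        snprintf(buf, sizeof buf, "%s", tmp);
    }
    if (url_decode(buf, decoded, outlen) != 0) return 0;
    return strcmp(decoded, service) == 0;
}

int main(void)
{
    char link[256], shown[256], decoded[256];
    const char *service = "Check Load";   /* constructed sample, from the report */

    url_encode(service, link, sizeof link);
    printf("href parameter encoded once : %s\n", link);
    url_encode(link, shown, sizeof shown);
    printf("encoded again on submit     : %s\n", shown);

    service_lookup_succeeds(service, 1, decoded, sizeof decoded);
    printf("one pass  -> server sees '%s' (match)\n", decoded);
    service_lookup_succeeds(service, 2, decoded, sizeof decoded);
    printf("two passes-> server sees '%s' (no such service)\n", decoded);

    html_escape("<b>Check Load</b>", shown, sizeof shown);
    printf("page body uses HTML escaping instead: %s\n", shown);
    return 0;
}
```

The point to check in any CGI that both emits links and renders names is that each value is transformed once, for the context it lands in: percent-encoding for a query parameter, entity escaping for markup, never both on the same string.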