diff -u xymon-4.3.0~beta2.dfsg/debian/control xymon-4.3.0~beta2.dfsg/debian/control
--- xymon-4.3.0~beta2.dfsg/debian/control
+++ xymon-4.3.0~beta2.dfsg/debian/control
@@ -1,7 +1,8 @@
 Source: xymon
 Section: net
 Priority: extra
-Maintainer: Christoph Berg
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Christoph Berg
 Build-Depends: debhelper (>= 7), librrd-dev, libssl-dev, libldap2-dev, libpcre3-dev, imagemagick, po-debconf, quilt (>= 0.40)
 Standards-Version: 3.8.3
diff -u xymon-4.3.0~beta2.dfsg/debian/changelog xymon-4.3.0~beta2.dfsg/debian/changelog
--- xymon-4.3.0~beta2.dfsg/debian/changelog
+++ xymon-4.3.0~beta2.dfsg/debian/changelog
@@ -1,3 +1,13 @@
+xymon (4.3.0~beta2.dfsg-5ubuntu0.1) lucid-security; urgency=low
+
+ * SECURITY UPDATE: Multiple cross site scripting (XSS) vulnerabilities
+ (LP: #1092412)
+ - debian/patches/9-CVE-2011-1716.patch: show user input as html quoted
+ output. Based on upstream changes.
+ - CVE-2011-1716
+
+ -- Christian Kuersteiner Tue, 15 Jan 2013 13:39:32 +0700
+
 xymon (4.3.0~beta2.dfsg-5) unstable; urgency=low
 * Add HTMLCHARSET headers to all html pages generated.
diff -u xymon-4.3.0~beta2.dfsg/debian/patches/series xymon-4.3.0~beta2.dfsg/debian/patches/series
--- xymon-4.3.0~beta2.dfsg/debian/patches/series
+++ xymon-4.3.0~beta2.dfsg/debian/patches/series
@@ -16,0 +17 @@
+9-CVE-2011-1716
only in patch2:
unchanged:
--- xymon-4.3.0~beta2.dfsg.orig/debian/patches/9-CVE-2011-1716
+++ xymon-4.3.0~beta2.dfsg/debian/patches/9-CVE-2011-1716
@@ -0,0 +1,705 @@ +Description: fix for XSS vulnerabilities in Web UI +Origin: upstream +Author: ckuerste@gmx.ch +Bug: http://xymon.svn.sourceforge.net/viewvc/xymon/branches/4.3.2/Changes?revision=6673&view=markup +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/precise/+source/xymon/+bug/1092412 +Index: xymon-4.3.0~beta2.dfsg/lib/eventlog.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/lib/eventlog.c 2009-02-19 17:46:56.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/lib/eventlog.c 2013-01-14 15:22:29.482972789 +0700 +@@ -544,7 +544,7 @@ + if (fromtime) { + firstevent = eventreport_time(fromtime); + if(firstevent < 0) { +- if (output) fprintf(output,"Invalid 'from' time: %s", fromtime); ++ if (output) fprintf(output,"Invalid 'from' time: %s", htmlquoted(fromtime)); + return; + } + } +@@ -562,7 +562,7 @@ + if (totime) { + lastevent = eventreport_time(totime); + if (lastevent < 0) { +- if (output) fprintf(output,"Invalid 'to' time: %s", totime); ++ if (output) fprintf(output,"Invalid 'to' time: %s", htmlquoted(totime)); + return; + } + if (lastevent < firstevent) { +@@ -715,7 +715,7 @@ + countlist_t *cwalk; + unsigned long totalcount = 0; + +- if (periodstring) fprintf(output, "

%s

\n", periodstring); ++ if (periodstring) fprintf(output, "

%s

\n", htmlquoted(periodstring)); + + switch (sumtype) { + case S_HOST_BREAKDOWN: +@@ -778,7 +778,7 @@ + fprintf(output, "

\n"); + fprintf(output, "\n"); + fprintf(output, "\n"); +- fprintf(output, "\n", title); ++ fprintf(output, "\n", htmlquoted(title)); + + for (ewalk=eventhead; (ewalk); ewalk=ewalk->next) { + char *hostname = bbh_item(ewalk->host, BBH_HOSTNAME); +@@ -835,7 +835,7 @@ + fprintf(output, "

\n"); + fprintf(output, "
%s
%s
\n", title); + fprintf(output, "\n"); +- fprintf(output, "\n", title); ++ fprintf(output, "\n", htmlquoted(title)); + fprintf(output, "\n"); + fprintf(output, "
%s%s
\n"); + fprintf(output, "\n"); +Index: xymon-4.3.0~beta2.dfsg/lib/headfoot.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/lib/headfoot.c 2009-02-17 23:05:46.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/lib/headfoot.c 2013-01-14 15:27:15.138971622 +0700 +@@ -1463,7 +1463,7 @@ + xfree(templatedata); + } + else { +- fprintf(output, " \n
\n
%s is either missing or invalid, please create this file with your custom header
\n
", filename); ++ fprintf(output, " \n
\n
%s is either missing or invalid, please create this file with your custom header
\n
", htmlquoted(filename)); + } + + /* Check for bulletin files */ +Index: xymon-4.3.0~beta2.dfsg/lib/htmllog.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/lib/htmllog.c 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/lib/htmllog.c 2013-01-14 16:40:34.850953635 +0700 +@@ -80,7 +80,7 @@ + \ + \ + \n", +- cgibinurl, btntxt, hostname, service, ip, displayname); ++ cgibinurl, htmlquoted(btntxt), htmlquoted(hostname), htmlquoted(service), htmlquoted(ip), htmlquoted(displayname)); + } + + xfree(tmp2); +@@ -161,7 +161,7 @@ + + hostsvc_setup(); + if (!displayname) displayname = hostname; +- sethostenv(displayname, ip, service, colorname(color), hostname); ++ sethostenv(htmlquoted(displayname), htmlquoted(ip), htmlquoted(service), colorname(color), htmlquoted(hostname)); + if (logtime) sethostenv_snapshot(logtime); + + if (is_history) tplfile = "histlog"; +@@ -254,9 +254,9 @@ + strftime(untilstr, sizeof(untilstr)-1, "%Y-%m-%d %H:%M", localtime(&validuntil)); + fprintf(output, ""); + fprintf(output, "%d", ackfont, level); +- fprintf(output, "%s", ackfont, ackedby); ++ fprintf(output, "%s", ackfont, htmlquoted(ackedby)); + fprintf(output, "%s - %s", ackfont, receivedstr, untilstr); +- fprintf(output, "%s", ackfont, msg); ++ fprintf(output, "%s", ackfont, htmlquoted(msg)); + fprintf(output, "\n"); + } + +@@ -274,12 +274,12 @@ + } + + fprintf(output, "
\n"); +- if (wantserviceid) fprintf(output, "\n", rowfont, displayname, service); ++ if (wantserviceid) fprintf(output, "\n", rowfont, htmlquoted(displayname), htmlquoted(service)); + + if (disabletime != 0) { + fprintf(output, "\n", + (disabletime == -1 ? "OK" : ctime(&disabletime))); +- fprintf(output, "\n", dismsg); ++ fprintf(output, "\n", htmlquoted(dismsg)); + fprintf(output, "\n"); + + fprintf(output, "\n", dismsg); ++ fprintf(output, "\n", htmlquoted(dismsg)); + fprintf(output, "\n"); + } + +@@ -333,12 +333,12 @@ + if (ackedby) { + *ackedby = '\0'; + fprintf(output, "Current acknowledgment: %s
%s
%s

\n", +- ackfont, ackmsg, (ackedby+1), ackuntil); ++ ackfont, htmlquoted(ackmsg), (ackedby+1), ackuntil); + *ackedby = '\n'; + } + else { + fprintf(output, "Current acknowledgment: %s
%s

\n", +- ackfont, ackmsg, ackuntil); ++ ackfont, htmlquoted(ackmsg), ackuntil); + } + + MEMUNDEFINE(ackuntil); +Index: xymon-4.3.0~beta2.dfsg/lib/notifylog.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/lib/notifylog.c 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/lib/notifylog.c 2013-01-15 10:08:48.553849002 +0700 +@@ -120,7 +120,7 @@ + if (fromtime) { + firstevent = convert_time(fromtime); + if(firstevent < 0) { +- fprintf(output,"Invalid 'from' time: %s", fromtime); ++ fprintf(output,"Invalid 'from' time: %s", htmlquoted(fromtime)); + return; + } + } +@@ -134,7 +134,7 @@ + if (totime) { + lastevent = convert_time(totime); + if (lastevent < 0) { +- fprintf(output,"Invalid 'to' time: %s", totime); ++ fprintf(output,"Invalid 'to' time: %s", htmlquoted(totime)); + return; + } + if (lastevent < firstevent) { +@@ -314,7 +314,7 @@ + fprintf(output, "

\n"); + fprintf(output, "
%s - %s

%s - %s

Disabled until %s

%s
%s


Current status message follows:

"); +@@ -295,7 +295,7 @@ + char *txt = skipword(firstline); + + if (dismsg) { +- fprintf(output, "

Planned downtime: %s

Planned downtime: %s



Current status message follows:

\n"); + fprintf(output, "\n"); +- fprintf(output, "\n", title); ++ fprintf(output, "\n", htmlquoted(title)); + fprintf(output, "\n"); + + for (walk=head; (walk != lasttoshow->next); walk=walk->next) { +@@ -352,7 +352,7 @@ + fprintf(output, "

\n"); + fprintf(output, "
%s
%s
TimeHostServiceRecipient
\n", title); + fprintf(output, "\n"); +- fprintf(output, "\n", title); ++ fprintf(output, "\n", htmlquoted(title)); + fprintf(output, "\n"); + fprintf(output, "
%s%s
\n"); + fprintf(output, "
\n"); +Index: xymon-4.3.0~beta2.dfsg/lib/reportlog.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/lib/reportlog.c 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/lib/reportlog.c 2013-01-15 10:11:42.753851953 +0700 +@@ -34,7 +34,7 @@ + int curbg = 0; + + if (!displayname) displayname = hostname; +- sethostenv(displayname, ip, service, colorname(color), hostname); ++ sethostenv(htmlquoted(displayname), htmlquoted(ip), htmlquoted(service), colorname(color), htmlquoted(hostname)); + sethostenv_report(st, end, reportwarnlevel, reportgreenlevel); + + headfoot(htmlrep, "replog", "", "header", color); +@@ -42,7 +42,7 @@ + fprintf(htmlrep, "\n"); + + fprintf(htmlrep, "
\n"); +- fprintf(htmlrep, "
%s - %s\n", xgetenv("MKBBROWFONT"), displayname, service); ++ fprintf(htmlrep, "
%s - %s\n", xgetenv("MKBBROWFONT"), htmlquoted(displayname), htmlquoted(service)); + fprintf(htmlrep, "\n"); + fprintf(htmlrep, "\n"); + +Index: xymon-4.3.0~beta2.dfsg/lib/strfunc.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/lib/strfunc.c 2009-02-26 17:14:12.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/lib/strfunc.c 2013-01-15 10:22:27.881862885 +0700 +@@ -177,3 +177,35 @@ + *(buf->s+buf->used) = '\0'; + } + ++char *htmlquoted(char *s) ++{ ++ /* ++ * This routine converts a plain string into an html-quoted string ++ */ ++ ++ static strbuffer_t *result = NULL; ++ char *inp, *endp; ++ char c; ++ ++ if (!result) result = newstrbuffer(4096); ++ clearstrbuffer(result); ++ ++ inp= s; ++ do { ++ endp = inp + strcspn(inp, "\"&<> "); ++ c = *endp; ++ if (endp > inp) addtobufferraw(result, inp, endp-inp); ++ switch (c) { ++ case '"': addtobuffer(result, """); break; ++ case '&': addtobuffer(result, "&"); break; ++ case '<': addtobuffer(result, "<"); break; ++ case '>': addtobuffer(result, ">"); break; ++ case ' ': addtobuffer(result, " "); break; ++ default: break; ++ } ++ inp = (c == '\0') ? 
NULL : endp+1; ++ } while (inp); ++ ++ return STRBUF(result); ++} ++ +Index: xymon-4.3.0~beta2.dfsg/lib/strfunc.h +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/lib/strfunc.h 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/lib/strfunc.h 2013-01-15 10:24:18.765864763 +0700 +@@ -24,6 +24,7 @@ + extern void strbufferrecalc(strbuffer_t *buf); + extern void strbuffergrow(strbuffer_t *buf, int bytes); + extern void strbufferuse(strbuffer_t *buf, int bytes); ++extern char *htmlquoted(char *s); + + #endif + +Index: xymon-4.3.0~beta2.dfsg/web/hobbit-ackinfo.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/web/hobbit-ackinfo.c 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/web/hobbit-ackinfo.c 2013-01-15 10:25:38.277866111 +0700 +@@ -122,7 +122,7 @@ + fprintf(stdout, "Content-type: %s\n", xgetenv("HTMLCONTENTTYPE")); + fprintf(stdout, "Location: %s\n", getenv("HTTP_REFERER")); + fprintf(stdout, "\n"); +- fprintf(stdout, "Sent to hobbitd:\n%s\n", bbmsg); ++ fprintf(stdout, "Sent to hobbitd:\n%s\n", htmlquoted(bbmsg)); + + return 0; + } +Index: xymon-4.3.0~beta2.dfsg/web/bb-ack.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/web/bb-ack.c 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/web/bb-ack.c 2013-01-15 10:27:29.645867998 +0700 +@@ -159,16 +159,16 @@ + + fprintf(output, "\n"); + +- fprintf(output, " \n", (hname ? hname : " ")); +- fprintf(output, " \n", (tname ? tname : " ")); ++ fprintf(output, " \n", (hname ? htmlquoted(hname) : " ")); ++ fprintf(output, " \n", (tname ? htmlquoted(tname) : " ")); + fprintf(output, " \n", numstr); + fprintf(output, " \n", numstr); + + fprintf(output, " \n", +- hostname, enabletest[i], ((result == BB_OK) ? "OK" : "Failed")); ++ htmlquoted(hostname), htmlquoted(enabletest[i]), ((result == BB_OK) ? 
"OK" : "Failed")); + } + } + break; +@@ -219,7 +219,7 @@ + + if (preview) { + printf("\n", +- hostname, disabletest[i], ((result == BB_OK) ? "OK" : "Failed")); ++ htmlquoted(hostname), htmlquoted(disabletest[i]), ((result == BB_OK) ? "OK" : "Failed")); + } + } + break; +@@ -232,7 +232,7 @@ + + if (preview) { + printf("\n", +- hostname, disabletest[i], ctime(&schedtime), ((result == BB_OK) ? "OK" : "Failed")); ++ htmlquoted(hostname), htmlquoted(disabletest[i]), ctime(&schedtime), ((result == BB_OK) ? "OK" : "Failed")); + } + } + break; +Index: xymon-4.3.0~beta2.dfsg/web/hobbit-nkedit.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/web/hobbit-nkedit.c 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/web/hobbit-nkedit.c 2013-01-15 10:29:05.789869623 +0700 +@@ -231,7 +231,7 @@ + if (rec) sethostenv_nkedit(rec->updinfo, rec->priority, rec->ttgroup, rec->starttime, rec->endtime, rec->nktime, rec->ttextra); + else sethostenv_nkedit("", 0, NULL, 0, 0, NULL, NULL); + +- sethostenv(hostname, "", service, colorname(COL_BLUE), NULL); ++ sethostenv(htmlquoted(hostname), "", htmlquoted(service), colorname(COL_BLUE), NULL); + + *warnmsg = '\0'; + if (!rec && nodatawarning) sprintf(warnmsg, "\n", nodatawarning); +Index: xymon-4.3.0~beta2.dfsg/web/bb-eventlog.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/web/bb-eventlog.c 2009-02-16 19:16:03.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/web/bb-eventlog.c 2013-01-15 10:34:26.261875057 +0700 +@@ -337,9 +337,9 @@ + parse_query(); + + if ((*periodstring == '\0') && (fromtime || totime)) { +- if (fromtime && totime) sprintf(periodstring, "Events between %s - %s", fromtime, totime); +- else if (fromtime) sprintf(periodstring, "Events since %s", fromtime); +- else if (totime) sprintf(periodstring, "Events until %s", totime); ++ if (fromtime && totime) sprintf(periodstring, "Events between %s - %s", 
htmlquoted(fromtime), htmlquoted(totime)); ++ else if (fromtime) sprintf(periodstring, "Events since %s", htmlquoted(fromtime)); ++ else if (totime) sprintf(periodstring, "Events until %s", htmlquoted(totime)); + } + + /* Now generate the webpage */ +Index: xymon-4.3.0~beta2.dfsg/web/bb-findhost.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/web/bb-findhost.c 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/web/bb-findhost.c 2013-01-15 10:35:59.465876637 +0700 +@@ -163,7 +163,7 @@ + regerror(re_status, &re, re_errstr, BUFSIZE); + + print_header(); +- printf("\n", pSearchPat); ++ printf("\n", htmlquoted(pSearchPat)); + printf("\n", re_errstr); + print_footer(); + +@@ -254,7 +254,7 @@ + + print_header(); + if (!gotany) { +- printf("\n", pSearchPat); ++ printf("\n", htmlquoted(pSearchPat)); + } + else { + printf("%s", grabstrbuffer(outbuf)); +Index: xymon-4.3.0~beta2.dfsg/web/bb-hist.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/web/bb-hist.c 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/web/bb-hist.c 2013-01-15 10:38:32.305879224 +0700 +@@ -510,14 +510,14 @@ + int entrycount, /* Log entry maxcount */ + replog_t *loghead) /* Eventlog for entrycount events back */ + { +- sethostenv(displayname, ip, service, colorname(COL_GREEN), hostname); ++ sethostenv(htmlquoted(displayname), htmlquoted(ip), htmlquoted(service), colorname(COL_GREEN), htmlquoted(hostname)); + headfoot(htmlrep, "hist", "", "header", COL_GREEN); + + fprintf(htmlrep, "\n"); + fprintf(htmlrep, "
\n"); + if (wantserviceid) { + fprintf(htmlrep, "
%s - %s
\n", +- xgetenv("MKBBROWFONT"), displayname, service); ++ xgetenv("MKBBROWFONT"), htmlquoted(displayname), htmlquoted(service)); + } + + /* Create the color-bars */ +Index: xymon-4.3.0~beta2.dfsg/web/bb-rep.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/web/bb-rep.c 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/web/bb-rep.c 2013-01-15 10:40:43.105881441 +0700 +@@ -288,7 +288,7 @@ + strftime(endstr, sizeof(endstr), "%b %d %Y", localtime(&endtime)); + printf("
 \n"); + printf("



\n"); +- printf("

Generating report for the period: %s - %s (%s)
\n", startstr, endstr, style); ++ printf("

Generating report for the period: %s - %s (%s)
\n", htmlquoted(startstr), htmlquoted(endstr), htmlquoted(style)); + printf("

\n"); + fflush(stdout); + } +Index: xymon-4.3.0~beta2.dfsg/web/hobbitgraph.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/web/hobbitgraph.c 2009-02-17 18:53:17.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/web/hobbitgraph.c 2013-01-15 10:45:19.653886128 +0700 +@@ -640,9 +640,9 @@ + switch (action) { + case ACT_MENU: + fprintf(output, "

\n", +- uri, grtype, grtype); ++ uri, htmlquoted(grtype), htmlquoted(grtype)); + fprintf(output, " \n", +- uri, grtype, colorname(bgcolor), getenv("BBSKIN")); ++ uri, htmlquoted(grtype), colorname(bgcolor), getenv("BBSKIN")); + break; + + case ACT_SELZOOM: +@@ -650,7 +650,7 @@ + if (graphstart == 0) gstart = gend - persecs; else gstart = graphstart; + + fprintf(output, " \n"); +@@ -700,7 +700,7 @@ + { + /* This is special-handled, because we just want to generate an HTML link page */ + fprintf(stdout, "Content-type: %s\n\n", xgetenv("HTMLCONTENTTYPE")); +- sethostenv(displayname, "", service, colorname(bgcolor), hostname); ++ sethostenv(htmlquoted(displayname), "", htmlquoted(service), colorname(bgcolor), htmlquoted(hostname)); + sethostenv_backsecs(backsecs); + + headfoot(stdout, "graphs", "", "header", bgcolor); +@@ -882,7 +882,7 @@ + char msg[8192]; + + snprintf(msg, sizeof(msg), "hobbitgraph.cfg error, PCRE pattern %s invalid: %s, offset %d\n", +- gdef->fnpat, errmsg, errofs); ++ htmlquoted(gdef->fnpat), errmsg, errofs); + errormsg(msg); + } + if (gdef->exfnpat) { +@@ -892,7 +892,7 @@ + + snprintf(msg, sizeof(msg), + "hobbitgraph.cfg error, PCRE pattern %s invalid: %s, offset %d\n", +- gdef->exfnpat, errmsg, errofs); ++ htmlquoted(gdef->exfnpat), errmsg, errofs); + errormsg(msg); + } + } +@@ -1130,7 +1130,7 @@ + void generate_zoompage(char *selfURI) + { + fprintf(stdout, "Content-type: %s\n\n", xgetenv("HTMLCONTENTTYPE")); +- sethostenv(displayname, "", service, colorname(bgcolor), hostname); ++ sethostenv(htmlquoted(displayname), "", htmlquoted(service), colorname(bgcolor), htmlquoted(hostname)); + headfoot(stdout, "graphs", "", "header", bgcolor); + + +Index: xymon-4.3.0~beta2.dfsg/web/bb-snapshot.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/web/bb-snapshot.c 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/web/bb-snapshot.c 2013-01-15 10:47:11.717888027 +0700 +@@ -218,7 +218,7 @@ + 
strftime(startstr, sizeof(startstr), "%b %d %Y", localtime(&starttime)); + printf("
 \n"); + printf("



\n"); +- printf("

Generating snapshot: %s
\n", startstr); ++ printf("

Generating snapshot: %s
\n", htmlquoted(startstr)); + printf("

\n"); + fflush(stdout); + } +Index: xymon-4.3.0~beta2.dfsg/web/hobbit-statusreport.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/web/hobbit-statusreport.c 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/web/hobbit-statusreport.c 2013-01-15 10:51:02.117891927 +0700 +@@ -129,7 +129,7 @@ + if (!embedded) { + printf("Content-type: %s\n\n", xgetenv("HTMLCONTENTTYPE")); + +- printf("%s\n", heading); ++ printf("%s\n", htmlquoted(heading)); + printf(""); + printf("

%s%s%s%s\n"); + if (ackcode && hname && tname) { +- fprintf(output, " \n", num, ackcode); +- fprintf(output, " \n", num, hname); +- fprintf(output, " \n", num, tname); ++ fprintf(output, " \n", num, htmlquoted(ackcode)); ++ fprintf(output, " \n", num, htmlquoted(hname)); ++ fprintf(output, " \n", num, htmlquoted(tname)); + fprintf(output, " \n", num); + } + else { +Index: xymon-4.3.0~beta2.dfsg/web/hobbit-enadis.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/web/hobbit-enadis.c 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/web/hobbit-enadis.c 2013-01-15 10:32:47.153873377 +0700 +@@ -199,7 +199,7 @@ + + if (preview) { + printf("
Enabling host %s test %s : %s
Disabling host %s test %s: %s
Scheduling disable of host %s test %s at %s: %s
%s
%s%s
%sNot found
%sNot found
\"%s \"Zoom \"Zoom
\n", + (showcolumn ? "Host/Column" : "Host")); +@@ -157,16 +157,16 @@ + printf("\n", +- itmcolor, hostsvcurl(hostname, testname, 1), testname); ++ itmcolor, hostsvcurl(hostname, testname, 1), htmlquoted(testname)); + addtobuffer(cmsg, l); + row = strtok_r(NULL, "\n", &p_row); + } +@@ -422,7 +422,7 @@ + addtobuffer(cmsg, "
%sStatus
"); + + if (addlink) +- printf("%s", hostsvcurl(hostname, xgetenv("INFOCOLUMN"), 1), hostname); ++ printf("%s", hostsvcurl(hostname, xgetenv("INFOCOLUMN"), 1), htmlquoted(hostname)); + else +- printf("%s", hostname); ++ printf("%s", htmlquoted(hostname)); + + if (showcolumn) { + printf("
"); + if (addlink) +- printf("%s", hostsvcurl(hostname, testname, 1), testname); ++ printf("%s", hostsvcurl(hostname, testname, 1), htmlquoted(testname)); + else +- printf("%s", testname); ++ printf("%s", htmlquoted(testname)); + } + + if (showcolors) printf(" - %s", colorstr); +Index: xymon-4.3.0~beta2.dfsg/web/hobbitsvc.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/web/hobbitsvc.c 2009-02-19 19:04:58.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/web/hobbitsvc.c 2013-01-15 10:56:30.809897493 +0700 +@@ -139,10 +139,10 @@ + char *p, *req; + + req = getenv("SCRIPT_NAME"); +- clienturi = (char *)malloc(strlen(req) + 10 + strlen(hostname)); ++ clienturi = (char *)malloc(strlen(req) + 10 + strlen(htmlquoted(hostname))); + strcpy(clienturi, req); + p = strchr(clienturi, '?'); if (p) *p = '\0'; else p = clienturi + strlen(clienturi); +- sprintf(p, "?CLIENT=%s", hostname); ++ sprintf(p, "?CLIENT=%s", htmlquoted(hostname)); + } + + return 0; +@@ -240,7 +240,7 @@ + else if ((strcmp(service, xgetenv("TRENDSCOLUMN")) == 0) || (strcmp(service, xgetenv("INFOCOLUMN")) == 0)) { + if (loadhostdata(hostname, &ip, &displayname, &compacts) != 0) return 1; + ishtmlformatted = 1; +- sethostenv(displayname, ip, service, colorname(COL_GREEN), hostname); ++ sethostenv(htmlquoted(displayname), htmlquoted(ip), htmlquoted(service), colorname(COL_GREEN), htmlquoted(hostname)); + sethostenv_refresh(600); + color = COL_GREEN; + logtime = getcurrenttime(NULL); +@@ -383,7 +383,7 @@ + displayname = ((items[16] && *items[16]) ? items[16] : hostname); + clntstamp = ((items[17] && *items[17]) ? atol(items[17]) : 0); + +- sethostenv(displayname, ip, service, colorname(COL_GREEN), hostname); ++ sethostenv(htmlquoted(displayname), htmlquoted(ip), htmlquoted(service), colorname(COL_GREEN), htmlquoted(hostname)); + sethostenv_refresh(60); + } + else { +@@ -414,7 +414,7 @@ + if (icolor > color) color = icolor; + + sprintf(l, "
&%s %s
\n"); + ishtmlformatted = 1; + +- sethostenv(displayname, ip, service, colorname(color), hostname); ++ sethostenv(htmlquoted(displayname), htmlquoted(ip), htmlquoted(service), colorname(color), htmlquoted(hostname)); + sethostenv_refresh(60); + logtime = getcurrenttime(NULL); + strcpy(timesincechange, "0 minutes"); +@@ -549,9 +549,9 @@ + errprintf("Cannot find hostdata files for host %s\n", hostname); + } + else { +- clienturi = (char *)malloc(strlen(cgiurl) + 20 + strlen(hostname)); ++ clienturi = (char *)malloc(strlen(cgiurl) + 20 + strlen(htmlquoted(hostname))); + sprintf(clienturi, "%s/bb-hostsvc.sh?CLIENT=%s&TIMEBUF=%s", +- cgiurl, hostname, clientid); ++ cgiurl, htmlquoted(hostname), clientid); + } + } + else { +Index: xymon-4.3.0~beta2.dfsg/web/hobbitsvc-info.c +=================================================================== +--- xymon-4.3.0~beta2.dfsg.orig/web/hobbitsvc-info.c 2009-02-12 20:09:34.000000000 +0700 ++++ xymon-4.3.0~beta2.dfsg/web/hobbitsvc-info.c 2013-01-15 11:04:34.461905691 +0700 +@@ -225,7 +225,7 @@ + char l[1024]; + int i, rcount; + +- sprintf(l, "\n", hostname); ++ sprintf(l, "
\n", htmlquoted(hostname)); + addtobuffer(buf, l); + addtobuffer(buf, "\n"); + +@@ -272,7 +272,7 @@ + + holidayset = bbh_item(hi, BBH_HOLIDAYS); + +- sprintf(l, "
ServiceRecipient1st DelayStop afterRepeatTime of DayColors
\n", hostname); ++ sprintf(l, "
\n", htmlquoted(hostname)); + addtobuffer(buf, l); + + addtobuffer(buf, ""); +@@ -450,7 +450,7 @@ + + sprintf(l, "\n", xgetenv("SECURECGIBINURL")); + addtobuffer(buf, l); +- sprintf(l, "
\n", hostname); ++ sprintf(l, "
\n", htmlquoted(hostname)); + addtobuffer(buf, l); + + addtobuffer(buf, "\n"); +@@ -562,7 +562,7 @@ + + addtobuffer(buf, "
\n"); + +- sprintf(l, "\n", hostname); ++ sprintf(l, "\n", htmlquoted(hostname)); + addtobuffer(buf, l); + addtobuffer(buf, "\n"); + } +@@ -573,7 +573,7 @@ + char l[1024]; + char *msg, *eoln; + +- sprintf(l, "\n", hostname); ++ sprintf(l, "
\n", htmlquoted(hostname)); + addtobuffer(buf, l); + + addtobuffer(buf, "\n"); +@@ -594,17 +594,17 @@ + addtobuffer(buf, "\n"); + + addtobuffer(buf, "
TestDisabled untilCause 
"); + while ((eoln = strchr(msg, '\n')) != NULL) { + *eoln = '\0'; +- addtobuffer(buf, msg); ++ addtobuffer(buf, htmlquoted(msg)); + addtobuffer(buf, "
"); + msg = (eoln + 1); + } +- addtobuffer(buf, msg); ++ addtobuffer(buf, htmlquoted(msg)); + addtobuffer(buf, "
"); + sprintf(l, "
\n", xgetenv("SECURECGIBINURL")); + addtobuffer(buf, l); +- sprintf(l, "\n", hostname); ++ sprintf(l, "\n", htmlquoted(hostname)); + addtobuffer(buf, l); + sprintf(l, "\n", tnames[i].name); + addtobuffer(buf, l); +@@ -620,7 +620,7 @@ + addtobuffer(buf, "
"); + sprintf(l, "\n", xgetenv("SECURECGIBINURL")); + addtobuffer(buf, l); +- sprintf(l, "\n", hostname); ++ sprintf(l, "\n", htmlquoted(hostname)); + addtobuffer(buf, l); + sprintf(l, "\n", "*"); + addtobuffer(buf, l); +@@ -640,7 +640,7 @@ + sched_t *swalk; + char *msg, *eoln; + +- sprintf(l, "\n", hostname); ++ sprintf(l, "
\n", htmlquoted(hostname)); + addtobuffer(buf, l); + + addtobuffer(buf, "\n"); +@@ -658,17 +658,17 @@ + addtobuffer(buf, "\n"); + + addtobuffer(buf, "\n", +- val, hostname); ++ val, htmlquoted(hostname)); + } + else { +- sprintf(l, "\n", hostname); ++ sprintf(l, "\n", htmlquoted(hostname)); + } + addtobuffer(infobuf, l); +
IDWhenCommand 
"); + while ((eoln = strchr(msg, '\n')) != NULL) { + *eoln = '\0'; +- addtobuffer(buf, msg); ++ addtobuffer(buf, htmlquoted(msg)); + addtobuffer(buf, "
"); + msg = (eoln + 1); + } +- addtobuffer(buf, msg); ++ addtobuffer(buf, htmlquoted(msg)); + addtobuffer(buf, "
"); + sprintf(l, "\n", xgetenv("SECURECGIBINURL")); + addtobuffer(buf, l); +- sprintf(l, "\n", hostname); ++ sprintf(l, "\n", htmlquoted(hostname)); + addtobuffer(buf, l); + sprintf(l, "\n", swalk->id); + addtobuffer(buf, l); +@@ -720,10 +720,10 @@ + val = bbh_item(hostwalk, BBH_DISPLAYNAME); + if (val && (strcmp(val, hostname) != 0)) { + sprintf(l, "
Hostname:%s (%s)
Hostname:%s
Hostname:%s
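Review bot: `htmlquoted()` in the lib/strfunc.c hunk returns `STRBUF(result)` of a single static `strbuffer_t` that every call clears and refills, yet the patch passes several results to one call — `sethostenv(htmlquoted(displayname), htmlquoted(ip), htmlquoted(service), colorname(color), htmlquoted(hostname))` in htmllog.c, reportlog.c, bb-hist.c, hobbitgraph.c, hobbit-nkedit.c and hobbitsvc.c, and the multi-argument `fprintf`/`sprintf`/`printf` calls in htmllog.c, bb-ack.c, hobbit-enadis.c, bb-eventlog.c and bb-rep.c — so those arguments all alias the same buffer and every slot shows whichever value was quoted last (C does not define argument evaluation order). Each result must be copied before the next value is quoted (a `strdup()` per value, freed after the call if the callee copies — sethostenv's behaviour is not visible here), or the callee should quote one value at a time. In hobbitsvc.c the value written by `sprintf(p, "?CLIENT=%s", htmlquoted(hostname))` and by the `"%s/bb-hostsvc.sh?CLIENT=%s&TIMEBUF=%s"` format is a URL query component, where HTML entities are the wrong encoding (a `&` becomes an entity that splits the query); that value wants URL-encoding, with HTML quoting applied only where the URL is emitted into markup. The bb-eventlog.c hunk now builds `periodstring` from `htmlquoted(fromtime)`/`htmlquoted(totime)` while the eventlog.c hunk quotes `periodstring` again on output, so any `&`, `<`, `>` or `"` in the time strings is double-encoded and shows up literally. Since quoting can expand a value several-fold (each space presumably becomes a multi-byte entity), the `sprintf(l, ...)` calls into fixed `char l[1024]` in hobbitsvc-info.c should become `snprintf(l, sizeof(l), ...)`, and `htmlquoted()` should guard its argument with `if (!s) s = "";` before the `strcspn` loop, because not every new caller checks for NULL (e.g. `ip`).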