• Bug#182799: mon: monshow in cgi mode broken, dependencies on some alert

    From Roderick Schertler@1:229/2 to Anton Ivanov on Fri Aug 20 20:00:14 2004
    From: [email protected]

    On Thu, 27 Feb 2003 23:09:06 +0000, Anton Ivanov <[email protected]> said:

    1. The monshow script does not parse CGI args correctly. Primary reason
    is that the author still uses medieval CGI arg parsing by hand
    instead of using CGI.pm. As a result you cannot run multiple mon
    instances on several machines and control them from one CGI because
    all args passed to the CGI script are garbled. The attached
    diff fixes that.

    2. The DNS alert depends on libnet:dns, the freespace alert depends on
    the freespace modules, ad nauseam

    The package already suggests such modules. See ticket #181778 for more
    info.

    3. The freespace alert is broken. It cannot handle any host args when
    it gets them. Fix is "bleeding obvious" so not quoted.

    You're supposed to use ";;" to prevent passing the host names to the
    alert, as described in README.monitors and shown in the example there.





    *** monshow.old Thu Feb 27 23:01:30 2003
    --- monshow Thu Feb 27 23:00:53 2003
    ***************
    *** 57,63 ****
    my $VIEWPATH = "/etc/mon/monshow";

    my %OPSTAT = %Mon::Client::OPSTAT;
    ! my $WORD = '[a-zA-Z0-9_-]+';
    my $OUT_BUF = "";
    my $e;
    $= = 1000;
    --- 57,63 ----
    my $VIEWPATH = "/etc/mon/monshow";

    my %OPSTAT = %Mon::Client::OPSTAT;
    ! my $WORD = '[,.a-zA-Z0-9_-]+';
    my $OUT_BUF = "";
    my $e;
    $= = 1000;
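    Review bot: adding `,` and `.` to `$WORD` makes this regex the only validation the new `server` parameter receives, and it constrains characters, not hosts: `attacker.example.net` satisfies `[,.a-zA-Z0-9_-]+` exactly as well as a real mon server does. A dedicated hostname pattern for the `server` value, checked against an operator-configured list of permitted hosts, would be preferable to widening a global token regex that any other `$WORD` check in the script also picks up.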
    ***************
    *** 100,113 ****

    if ($CGI)
    {
    ! foreach my $e (split (/\?/, $ENV{"QUERY_STRING"}))
    ! {
    ! next if ($e !~ /=/);
    !
    ! my ($var, $val) = split (/=/, $e);

    - $QUERY_ARGS{$var} = $val;
    - }
    }

    my $CF = {
    --- 100,124 ----

    if ($CGI)
    {
    ! # foreach my $e (split (/\?/, $ENV{"QUERY_STRING"}))
    ! # {
    ! # next if ($e !~ /=/);
    ! #
    ! # my ($var, $val) = split (/=/, $e);
    ! #
    ! # $QUERY_ARGS{$var} = $val;
    ! # }
    ! foreach my $un_clean_param ($CGI->param) {
    ! if($un_clean_param =~ /($WORD)/) {
    ! $un_clean_param = $1;
    ! };
    ! my $un_clean_value = $CGI->param($un_clean_param);
    ! if($un_clean_value =~ /($WORD)/) {
    ! $un_clean_value =$1;
    ! };
    ! $QUERY_ARGS{$un_clean_param} = $un_clean_value;
    ! }

    }

    my $CF = {
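    Review bot: both untaint matches in the new loop, `if($un_clean_param =~ /($WORD)/)` and `if($un_clean_value =~ /($WORD)/)`, are unanchored, so a value such as `mon2.example.com;rm` is not rejected but silently shortened to its first clean run, and a value that matches nowhere falls through the `if` unchanged and is still stored in `%QUERY_ARGS`. Anchor the pattern (`^($WORD)$`) and skip or reject the parameter when it does not match. Two smaller points: `$un_clean_param` is rewritten before `$CGI->param($un_clean_param)` is called, so a name that needed stripping looks up a parameter that was never supplied; and the replaced hand parser split `$ENV{"QUERY_STRING"}` on `?` rather than `&`, which is why any query with more than one parameter was garbled, so the commented-out block documents nothing worth keeping and should be deleted rather than left in.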
    ***************
    *** 122,127 ****
    --- 133,142 ----
    "summary-len" => 20,
    };

    + if ($QUERY_ARGS{'server'}) {
    + $CF->{'host'} = $QUERY_ARGS{'server'};
    + }
    +
    my $GLOBAL = {
    "view-name" => undef,
    };
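    Review bot: `$CF->{'host'} = $QUERY_ARGS{'server'}` lets any client of the CGI choose the host that monshow will connect to, with nothing the web server operator can configure to restrict it; that is the objection raised later in this thread. Check the requested name against a list of servers configured alongside the existing `host` setting (the view config under `$VIEWPATH` is the natural place) and keep the configured host when the value is not in that list, so an operator who runs a single server sees no change in behaviour.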
    ***************
    *** 1099,1105 ****
    if ($sref->{"ack"})
    {
    if ($CGI) {
    ! $STATUS = "<a href=\"$ENV{SCRIPT_NAME}?detail=$group,$service\">" .
    "<b>ACK FAIL</b></a>";
    } else {
    $STATUS = "ACK FAIL";
    --- 1114,1120 ----
    if ($sref->{"ack"})
    {
    if ($CGI) {
    ! $STATUS = "<a href=\"$ENV{SCRIPT_NAME}?detail=$group,$service&server=$CF->{'host'}\">" .
    "<b>ACK FAIL</b></a>";
    } else {
    $STATUS = "ACK FAIL";
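    Review bot: `$CF->{'host'}` is interpolated raw into the `href`, and the query-string separator is written as a bare `&` inside an HTML attribute. Pass the value through `CGI::escape` (and the attribute text through `escapeHTML`) and write the separator as `&amp;`; relying on `$WORD` having filtered the value somewhere else is fragile, since `$CF->{'host'}` can also come from the config file rather than the query, and a later change to either source would turn this line into an injection point.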
    ***************
    *** 1190,1196 ****
    <tr $bgcolor>
    <td> $DEP </td>
    <td> $GROUP </td>
    ! <td> <a href="$ENV{SCRIPT_NAME}?detail=$group,$service">$SERVICE</a> </td>
    <td> <small>$DESC</small> </td>
    <td> $TIME </td>
    <td> $NEXT </td>
    --- 1205,1211 ----
    <tr $bgcolor>
    <td> $DEP </td>
    <td> $GROUP </td>
    ! <td> <a href="$ENV{SCRIPT_NAME}?detail=$group,$service&server=$CF->{'host'}">$SERVICE</a> </td>
    <td> <small>$DESC</small> </td>
    <td> $TIME </td>
    <td> $NEXT </td>
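    Review bot: same escaping concern as the ACK FAIL link above, and the `&server=$CF->{'host'}` suffix is now hand-built in two places. A small helper that appends the escaped server parameter to every monshow self-link would keep the two consistent and make it harder to miss a link when the parameter is propagated further.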

    -- System Information
    Debian Release: 3.0
    Kernel Version: Linux magrat 2.4.19 #1 SMP Tue Oct 8 15:28:01 UTC 2002 i686 unknown

    Versions of the packages mon depends on:
    ii libc6 2.2.5-11.2 GNU C Library: Shared libraries and Timezone
    ii libmon-perl 0.11-2 mon Perl modules for clients and server
    ii libtime-hires- 1.20-4 High-resolution time manipulation in perl
    ii libtime-period 1.20-7 Perl library for testing if a time() is in a
    ii perl 5.6.1-8.2 Larry Wall's Practical Extraction and Report




    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
  • From Roderick Schertler@1:229/2 to All on Fri Aug 20 20:00:15 2004
    From: [email protected]

    Sorry, I sent the message I was editing by accident.

    I'm going to look into the CGI parsing part.

    Also, sorry for not responding to you sooner.

    --
    Roderick Schertler
    [email protected]


  • From Roderick Schertler@1:229/2 to Anton Ivanov on Fri Aug 20 21:40:12 2004
    From: [email protected]

    severity 182799 normal
    thanks

    On Thu, 27 Feb 2003 23:09:06 +0000, Anton Ivanov <[email protected]> said:

    1. The monshow script does not parse CGI args correctly. Primary reason
    is that the author still uses medieval CGI arg parsing by hand
    instead of using CGI.pm.

    Certainly it's silly that they're parsing it by hand, especially since
    they're already loading CGI.pm.

    As a result you cannot run multiple mon instances on several machines
    and control them from one CGI because all args passed to the CGI
    script are garbled.

    But I think you're making a mistake here. Adding the ability to specify
    the server via a CGI param is a security problem. You don't seem to be
    giving the web server operator any way to restrict which servers they
    might choose.

    Do you have any reason to believe that the hand-crafted CGI parsing is
    broken using the existing functionality in the program, rather than
    using your server-param changes?

    --
    Roderick Schertler
    [email protected]


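    An added example, not code from mon or from this bug report, of the restriction asked for in the reply above: the `server` parameter is honoured only if it names a host the web server operator has listed, the match is anchored so a bad value is rejected rather than trimmed to its first clean run, and the self-link is built with URL and HTML escaping. The `%ALLOWED_SERVER` hash, the hostnames, port 2583, the `select_server` and `detail_link` names and the sample query strings are assumptions made for this example; it needs CGI.pm installed, as monshow itself does.

```perl
#!/usr/bin/perl
# Added example, not code from mon or from the bug report: accept a
# "server" CGI parameter only when it names a host the operator listed.
use strict;
use warnings;
use CGI;

# Operator-controlled allowlist. In monshow this would be read from the
# view config under $VIEWPATH; the hash, the hostnames and port 2583 are
# assumptions made for this example.
my %ALLOWED_SERVER = (
    'mon1.example.com' => { host => 'mon1.example.com', port => 2583 },
    'mon2.example.com' => { host => 'mon2.example.com', port => 2583 },
);
my $DEFAULT_SERVER = 'mon1.example.com';

# Anchored pattern: the whole value must look like a hostname, so a bad
# value is rejected instead of being shortened to its first clean run.
my $HOST_RE = qr/^([A-Za-z0-9][A-Za-z0-9._-]{0,254})$/;

# Returns the allowlist entry to connect to: the default when no server
# was requested, the requested one if it is listed, undef otherwise.
sub select_server {
    my ($q) = @_;
    my $requested = $q->param('server');
    return $ALLOWED_SERVER{$DEFAULT_SERVER}
        unless defined $requested && length $requested;
    my ($clean) = $requested =~ $HOST_RE
        or return undef;                       # rejected: bad characters
    return $ALLOWED_SERVER{$clean};            # undef when not listed
}

# Self-link with every value URL-escaped and the separator written as
# &amp;, rather than interpolating $CF->{'host'} raw into the href.
sub detail_link {
    my ($group, $service, $server) = @_;
    my $script = CGI::escapeHTML($ENV{SCRIPT_NAME} || '/cgi-bin/monshow');
    my $qs = join '&amp;',
        'detail=' . CGI::escape("$group,$service"),
        'server=' . CGI::escape($server);
    return qq{<a href="$script?$qs">} . CGI::escapeHTML($service) . '</a>';
}

# Constructed query strings standing in for $ENV{QUERY_STRING}; the last
# two must be rejected (unlisted host, shell metacharacter in the value).
for my $qs ('detail=www,http',
            'detail=www,http&server=mon2.example.com',
            'detail=www,http&server=attacker.example.net',
            'detail=www,http&server=mon2.example.com%3Brm') {
    my $srv = select_server(CGI->new($qs));
    printf "%-48s -> %s\n", $qs,
        $srv ? "$srv->{host}:$srv->{port}" : 'REJECTED';
    print '   ', detail_link('www', 'http', $srv->{host}), "\n" if $srv;
}
```

    Run it directly; it prints one line per constructed query string, with the two bad values reported as REJECTED and the accepted ones followed by the escaped detail link. Keeping the allowlist beside the existing `host` setting means an operator who runs a single mon server sees no change in behaviour, while one who runs several decides which of them the CGI may reach.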