Package: munin-plugins-core
Version: 2.0.21-2
Severity: normal

Dear Maintainer,

the munin plugin http_loadtime uses incorrect shell escaping of parameters.

I noticed odd requests in my BIND log:

error (unexpected RCODE SERVFAIL) resolving 'http_loadtime\".$searchlist/AAAA/IN': ...

(where I replaced my default domain with $searchlist and the DNS server address 
with ...)

I traced those requests to the munin plugin http_loadtime, which sets an 
environment variable for wget options like this:

wget_opt="--user-agent \"Munin - http_loadtime\" --no-cache -q --delete-after"

and expands them in this expression:

loadtime=$(cd $TEMPO_DIR && $time_bin --quiet -f "%e" wget $wget_opt $target 2>&1)

Apparently that doesn't work, as the double quote ends up in the arguments of 
wget.

For comparison, equivalent commands in an interactive shell show what happens:

kosh@cindy:/tmp$ export target=${target:-"http://localhost/"}
kosh@cindy:/tmp$ export wget_opt="--user-agent \"Munin - http_loadtime\" --no-cache --delete-after"
kosh@cindy:/tmp$ wget $wget_opt $target
--2014-07-02 17:05:12--  http://-/
Resolving - (-)... failed: Name or service not known.
wget: unable to resolve host address ‘-’
--2014-07-02 17:05:12--  http://http_loadtime%22/
Resolving http_loadtime" (http_loadtime")... failed: Name or service not known.
wget: unable to resolve host address ‘http_loadtime"’
--2014-07-02 17:05:12--  http://localhost/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 550 [text/html]
Saving to: ‘index.html’

100%[=====================================================================================================================================================================================================>]
 550         --.-K/s   in 0s      

2014-07-02 17:05:12 (140 MB/s) - ‘index.html’ saved [550/550]

Removing index.html.
FINISHED --2014-07-02 17:05:12--
Total wall clock time: 0.1s
Downloaded: 1 files, 550 in 0s (140 MB/s)

Cheers,
Marc

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (745, 'testing'), (255, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages munin-plugins-core depends on:
ii  munin-common  2.0.21-2
ii  perl          5.18.2-4

Versions of packages munin-plugins-core recommends:
pn  libnet-snmp-perl  <none>

Versions of packages munin-plugins-core suggests:
ii  conntrack                     1:1.4.1-1
pn  libnet-netmask-perl           <none>
pn  libnet-telnet-perl            <none>
ii  libxml-parser-perl            2.41-1+b2
ii  python                        2.7.6-2
ii  ruby                          1:2.1.0.1
ii  ruby1.9.1 [ruby-interpreter]  1.9.3.484-2
ii  ruby2.0 [ruby-interpreter]    2.0.0.484+really457-3
ii  ruby2.1 [ruby-interpreter]    2.1.2-2

-- no debconf information
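
Added example (not part of the original report, nor the plugin's own code): it reproduces the word splitting described above without network access and shows one POSIX sh way to keep the user agent as a single argument. print_args is a hypothetical stand-in for wget, and the target value is a constructed sample.

```shell
#!/bin/sh
# print_args is a hypothetical helper standing in for wget: it prints one
# received argument per line, so the shell's splitting becomes visible.
print_args() {
    for arg in "$@"; do
        printf '[%s]\n' "$arg"
    done
}

target="http://localhost/"   # constructed sample value

# As in the plugin: the option string is stored in one variable and expanded
# unquoted. Quotes inside a variable are literal characters; the shell splits
# the expansion on whitespace only and performs no quote removal on it.
broken_args() {
    wget_opt="--user-agent \"Munin - http_loadtime\" --no-cache -q --delete-after"
    print_args $wget_opt $target
}

# Fix that works in dash: build the argument list in the positional
# parameters and expand it with "$@", so each element stays one argument.
fixed_args() {
    set -- --user-agent "Munin - http_loadtime" --no-cache -q --delete-after
    print_args "$@" "$target"
}

echo "broken expansion:"
broken_args
echo "fixed expansion:"
fixed_args
```

In the broken form, the words `"Munin`, `-` and `http_loadtime"` reach the program as separate arguments, which wget treats as URLs; that is the source of the stray DNS lookups.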

