tags 448371 patch thanks Hi
Attached you'll find the NMU proposal to fix the cross-site scripting issue (CVE-2007-5624). The patch is taken from upstream CVS. Please feel free to check it and tell me about any concerns. Otherwise, I will probably look over it again tomorrow and then upload. Cheers Steffen
diff -u nagios2-2.9/debian/patches/00list nagios2-2.9/debian/patches/00list
--- nagios2-2.9/debian/patches/00list
+++ nagios2-2.9/debian/patches/00list
@@ -2,0 +3 @@
+30_CVE-2007-5624.dpatch
diff -u nagios2-2.9/debian/changelog nagios2-2.9/debian/changelog
--- nagios2-2.9/debian/changelog
+++ nagios2-2.9/debian/changelog
@@ -1,3 +1,11 @@
+nagios2 (2.9-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the testing-security team
+ * Fix potential cross-site scripting in the CGIs (Closes: #448371)
+ Fixes: CVE-2007-5624
+
+ -- Steffen Joeris <[EMAIL PROTECTED]> Mon, 29 Oct 2007 15:30:47 +0000
+
nagios2 (2.9-1) unstable; urgency=low
* New upstream release (closes: #414647).
only in patch2:
unchanged:
--- nagios2-2.9.orig/debian/patches/30_CVE-2007-5624.dpatch
+++ nagios2-2.9/debian/patches/30_CVE-2007-5624.dpatch
@@ -0,0 +1,357 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 30_CVE-2007-5624.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+--- avail.c.orig 2007-10-29 08:07:10.000000000 +0000
++++ nagios2-2.9/cgi/avail.c 2007-10-29 08:06:48.000000000 +0000
+@@ -1157,6 +1157,7 @@
+ hostgroup_name="";
+ else
+ strcpy(hostgroup_name,variables[x]);
++ strip_html_brackets(hostgroup_name);
+ display_type=DISPLAY_HOSTGROUP_AVAIL;
+ show_all_hostgroups=(strcmp(hostgroup_name,"all"))?FALSE:TRUE;
+ }
+@@ -1174,6 +1175,7 @@
+ servicegroup_name="";
+ else
+ strcpy(servicegroup_name,variables[x]);
++ strip_html_brackets(servicegroup_name);
+ display_type=DISPLAY_SERVICEGROUP_AVAIL;
+ show_all_servicegroups=(strcmp(servicegroup_name,"all"))?FALSE:TRUE;
+ }
+@@ -1191,6 +1193,7 @@
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+ display_type=DISPLAY_HOST_AVAIL;
+ show_all_hosts=(strcmp(host_name,"all"))?FALSE:TRUE;
+ }
+@@ -1208,6 +1211,7 @@
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+ display_type=DISPLAY_SERVICE_AVAIL;
+ show_all_services=(strcmp(svc_description,"all"))?FALSE:TRUE;
+ }
+--- cgiutils.c.orig 2007-10-29 15:05:31.000000000 +0000
++++ nagios2-2.9/cgi/cgiutils.c 2007-10-29 15:08:34.000000000 +0000
+@@ -1422,7 +1422,27 @@
+ return input;
+ }
+
++/* strip > and < from string */
++void strip_html_brackets(char *buffer){
++ register int x;
++ register int y;
++ register int z;
+
++ if(buffer==NULL || buffer[0]=='\x0')
++ return;
++
++ /* remove all occurances in string */
++ z=(int)strlen(buffer);
++ for(x=0,y=0;x<z;x++){
++ if(buffer[x]=='<' || buffer[x]=='>')
++ continue;
++ buffer[y++]=buffer[x];
++ }
++
++ buffer[y++]='\x0';
++
++ return;
++ }
+
+ /* determines the log file we should use (from current time) */
+ void get_log_archive_to_use(int archive,char *buffer,int buffer_length){
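Review bot: strip_html_brackets rewrites the buffer unconditionally, so a caller that falls back to a string literal on allocation failure (statusmap.c's `host_name="all"` in this same patch) ends up writing into read-only memory; the `""` fallbacks in the other CGIs only survive because of the empty-string early return. Add `if(strpbrk(buffer,"<>")==NULL) return;` after the NULL check so input without brackets is never written back. Note also that dropping only `<` and `>` is a blacklist: a value reflected inside an HTML attribute can still break out with `"` or `'`, and `&` passes through, so output-side HTML escaping remains the more robust fix. Finally, no change to cgiutils.h is visible in this patch; without a prototype the other CGIs compile against an implicit declaration, so add `void strip_html_brackets(char *buffer);` there.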
+--- histogram.c.orig 2007-10-29 15:09:12.000000000 +0000
++++ nagios2-2.9/cgi/histogram.c 2007-10-29 15:10:19.000000000 +0000
+@@ -1086,6 +1086,7 @@
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ display_type=DISPLAY_HOST_HISTOGRAM;
+ }
+@@ -1103,6 +1104,7 @@
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+
+ display_type=DISPLAY_SERVICE_HISTOGRAM;
+ }
+--- notifications.c.orig 2007-10-29 15:10:43.000000000 +0000
++++ nagios2-2.9/cgi/notifications.c 2007-10-29 15:12:23.000000000 +0000
+@@ -371,6 +371,7 @@
+ query_host_name=strdup(variables[x]);
+ if(query_host_name==NULL)
+ query_host_name="";
++ strip_html_brackets(query_host_name);
+ if(!strcmp(query_host_name,"all"))
+ find_all=TRUE;
+ else
+@@ -390,6 +391,7 @@
+
+ if(query_contact_name==NULL)
+ query_contact_name="";
++ strip_html_brackets(query_contact_name);
+ if(!strcmp(query_contact_name,"all"))
+ find_all=TRUE;
+ else
+@@ -408,6 +410,7 @@
+ query_svc_description=strdup(variables[x]);
+ if(query_svc_description==NULL)
+ query_svc_description="";
++ strip_html_brackets(query_svc_description);
+ }
+
+ /* we found the notification type argument */
+--- summary.c.orig 2007-10-29 15:13:55.000000000 +0000
++++ nagios2-2.9/cgi/summary.c 2007-10-29 15:15:18.000000000 +0000
+@@ -1135,6 +1135,7 @@
+ target_hostgroup_name="";
+ else
+ strcpy(target_hostgroup_name,variables[x]);
++ strip_html_brackets(target_hostgroup_name);
+
+ if(!strcmp(target_hostgroup_name,"all"))
+ show_all_hostgroups=TRUE;
+@@ -1157,6 +1158,7 @@
+ target_servicegroup_name="";
+ else
+ strcpy(target_servicegroup_name,variables[x]);
++ strip_html_brackets(target_servicegroup_name);
+
+ if(!strcmp(target_servicegroup_name,"all"))
+ show_all_servicegroups=TRUE;
+@@ -1179,6 +1181,7 @@
+ target_host_name="";
+ else
+ strcpy(target_host_name,variables[x]);
++ strip_html_brackets(target_host_name);
+
+ if(!strcmp(target_host_name,"all"))
+ show_all_hosts=TRUE;
+--- trends.c.orig 2007-10-29 15:15:39.000000000 +0000
++++ nagios2-2.9/cgi/trends.c 2007-10-29 15:16:36.000000000 +0000
+@@ -1207,6 +1207,7 @@
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ display_type=DISPLAY_HOST_TRENDS;
+ }
+@@ -1224,6 +1225,7 @@
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+
+ display_type=DISPLAY_SERVICE_TRENDS;
+ }
+--- extinfo.c.orig 2007-10-29 15:16:58.000000000 +0000
++++ nagios2-2.9/cgi/extinfo.c 2007-10-29 15:19:22.000000000 +0000
+@@ -604,6 +604,7 @@
+ host_name=strdup(variables[x]);
+ if(host_name==NULL)
+ host_name="";
++ strip_html_brackets(host_name);
+ }
+
+ /* we found the hostgroup name */
+@@ -617,6 +618,7 @@
+ hostgroup_name=strdup(variables[x]);
+ if(hostgroup_name==NULL)
+ hostgroup_name="";
++ strip_html_brackets(hostgroup_name);
+ }
+
+ /* we found the service name */
+@@ -630,6 +632,7 @@
+ service_desc=strdup(variables[x]);
+ if(service_desc==NULL)
+ service_desc="";
++ strip_html_brackets(service_desc);
+ }
+
+ /* we found the servicegroup name */
+@@ -643,6 +646,7 @@
+ servicegroup_name=strdup(variables[x]);
+ if(servicegroup_name==NULL)
+ servicegroup_name="";
++ strip_html_brackets(servicegroup_name);
+ }
+
+ /* we found the sort type argument */
+--- statuswml.c.orig 2007-10-29 15:19:41.000000000 +0000
++++ nagios2-2.9/cgi/statuswml.c 2007-10-29 15:21:15.000000000 +0000
+@@ -239,6 +239,7 @@
+ hostgroup_name="";
+ else
+ strcpy(hostgroup_name,variables[x]);
++ strip_html_brackets(hostgroup_name);
+
+ if(!strcmp(hostgroup_name,"all"))
+ show_all_hostgroups=TRUE;
+@@ -260,6 +261,7 @@
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+ }
+
+ /* we found the service argument */
+@@ -276,6 +278,7 @@
+ service_desc="";
+ else
+ strcpy(service_desc,variables[x]);
++ strip_html_brackets(service_desc);
+ }
+
+
+@@ -317,6 +320,7 @@
+ ping_address="";
+ else
+ strcpy(ping_address,variables[x]);
++ strip_html_brackets(ping_address);
+ }
+
+ /* we found the traceroute argument */
+@@ -333,6 +337,7 @@
+ traceroute_address="";
+ else
+ strcpy(traceroute_address,variables[x]);
++ strip_html_brackets(traceroute_address);
+ }
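Review bot: Stripping angle brackets from traceroute_address (and ping_address in the preceding hunk) only addresses HTML injection; if these values are later interpolated into a ping/traceroute command line — which the names suggest but this hunk does not show — shell metacharacters such as `;`, `|`, `$()` and backticks pass through untouched. The value should be validated as a hostname or IP-address literal before any such use, e.g. rejecting anything outside `[A-Za-z0-9.:-]`, rather than relying on bracket stripping. The enclosing function starts and ends outside the hunk.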
+
+ }
+--- statusmap.c.orig 2007-10-29 15:21:44.000000000 +0000
++++ nagios2-2.9/cgi/statusmap.c 2007-10-29 15:22:27.000000000 +0000
+@@ -412,6 +412,7 @@
+ host_name="all";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ if(!strcmp(host_name,"all"))
+ show_all_hosts=TRUE;
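Review bot: The added `strip_html_brackets(host_name)` runs on both branches, including the one where host_name was just set to the literal `"all"` (presumably the allocation-failure path, matching the `""` fallbacks in the sibling hunks); unlike `""`, a non-empty literal is copied over in place by strip_html_brackets, which is undefined behaviour and a crash where string constants live in read-only memory. Move the call into the copy branch: `else { strcpy(host_name,variables[x]); strip_html_brackets(host_name); }`. The enclosing function starts and ends outside the hunk.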
+@@ -569,7 +570,8 @@
+ error=TRUE;
+ break;
+ }
+-
++
++ strip_html_brackets(variables[x]);
+ add_layer(variables[x]);
+ }
+ }
+--- history.c.orig 2007-10-29 15:23:21.000000000 +0000
++++ nagios2-2.9/cgi/history.c 2007-10-29 15:24:11.000000000 +0000
+@@ -379,6 +379,7 @@
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ display_type=DISPLAY_HOSTS;
+
+@@ -401,6 +402,7 @@
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+
+ display_type=DISPLAY_SERVICES;
+ }
+--- cmd.c.orig 2007-10-29 15:24:40.000000000 +0000
++++ nagios2-2.9/cgi/cmd.c 2007-10-29 15:26:51.000000000 +0000
+@@ -380,6 +380,7 @@
+ comment_author="";
+ else
+ strcpy(comment_author,variables[x]);
++ strip_html_brackets(comment_author);
+ }
+
+ /* we found the comment data */
+@@ -395,6 +396,7 @@
+ comment_data="";
+ else
+ strcpy(comment_data,variables[x]);
++ strip_html_brackets(comment_data);
+ }
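Review bot: Stripping `<` and `>` from comment_data (and comment_author in the preceding hunk) mutates what the user submitted rather than escaping on display, so legitimate comment text such as `latency <5ms` is silently altered before it is stored; as this mirrors the upstream fix it is acceptable for a security NMU, but the behaviour change deserves a mention in the changelog entry, e.g. `* Strip < and > from CGI parameters, including comment author/text (CVE-2007-5624)`. Comments stored before this upload are not re-sanitised by this change, so if the display path does not escape them any existing markup will still render as-is. The enclosing function starts and ends outside the hunk.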
+
+ /* we found the host name */
+@@ -410,6 +412,7 @@
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+ }
+
+ /* we found the hostgroup name */
+@@ -425,6 +428,7 @@
+ hostgroup_name="";
+ else
+ strcpy(hostgroup_name,variables[x]);
++ strip_html_brackets(hostgroup_name);
+ }
+
+ /* we found the service name */
+@@ -440,6 +444,7 @@
+ service_desc="";
+ else
+ strcpy(service_desc,variables[x]);
++ strip_html_brackets(service_desc);
+ }
+
+ /* we found the servicegroup name */
+@@ -455,6 +460,7 @@
+ servicegroup_name="";
+ else
+ strcpy(servicegroup_name,variables[x]);
++ strip_html_brackets(servicegroup_name);
+ }
+
+ /* we got the persistence option for a comment */
+--- status.c.orig 2007-10-29 15:27:16.000000000 +0000
++++ nagios2-2.9/cgi/status.c 2007-10-29 15:28:42.000000000 +0000
+@@ -572,6 +572,7 @@
+ }
+
+ hostgroup_name=strdup(variables[x]);
++ strip_html_brackets(hostgroup_name);
+
+ if(hostgroup_name!=NULL && !strcmp(hostgroup_name,"all"))
+ show_all_hostgroups=TRUE;
+@@ -589,6 +590,7 @@
+ }
+
+ servicegroup_name=strdup(variables[x]);
++ strip_html_brackets(servicegroup_name);
+
+ if(servicegroup_name!=NULL && !strcmp(servicegroup_name,"all"))
+ show_all_servicegroups=TRUE;
+@@ -606,6 +608,7 @@
+ }
+
+ host_name=strdup(variables[x]);
++ strip_html_brackets(host_name);
+
+ if(host_name!=NULL && !strcmp(host_name,"all"))
+ show_all_hosts=TRUE;
+@@ -730,6 +733,7 @@
+ break;
+ }
+ service_filter=strdup(variables[x]);
++ strip_html_brackets(service_filter);
+ }
+ }
+
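Review bot: The dpatch header leaves `## DP: No description.`; give it a one-line purpose so the patch is self-describing, e.g. `## DP: Strip < and > from CGI query parameters to prevent cross-site scripting (CVE-2007-5624); backported from upstream CVS.`. Also, the line rendered here as `[EMAIL PROTECTED]@` is presumably the `@DPATCH@` marker mangled by the list's address obfuscation; confirm the attached file carries the literal `@DPATCH@`, since dpatch-run uses it to separate the header from the patch body.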
diff -u nagios2-2.9/debian/patches/00list nagios2-2.9/debian/patches/00list
--- nagios2-2.9/debian/patches/00list
+++ nagios2-2.9/debian/patches/00list
@@ -2,0 +3 @@
+30_CVE-2007-5624.dpatch
diff -u nagios2-2.9/debian/changelog nagios2-2.9/debian/changelog
--- nagios2-2.9/debian/changelog
+++ nagios2-2.9/debian/changelog
@@ -1,3 +1,11 @@
+nagios2 (2.9-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the testing-security team
+ * Fix potential cross-site scripting in the CGIs (Closes: #448371)
+ Fixes: CVE-2007-5624
+
+ -- Steffen Joeris <[EMAIL PROTECTED]> Mon, 29 Oct 2007 15:30:47 +0000
+
nagios2 (2.9-1) unstable; urgency=low
* New upstream release (closes: #414647).
only in patch2:
unchanged:
--- nagios2-2.9.orig/debian/patches/30_CVE-2007-5624.dpatch
+++ nagios2-2.9/debian/patches/30_CVE-2007-5624.dpatch
@@ -0,0 +1,357 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 30_CVE-2007-5624.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+--- avail.c.orig 2007-10-29 08:07:10.000000000 +0000
++++ nagios2-2.9/cgi/avail.c 2007-10-29 08:06:48.000000000 +0000
+@@ -1157,6 +1157,7 @@
+ hostgroup_name="";
+ else
+ strcpy(hostgroup_name,variables[x]);
++ strip_html_brackets(hostgroup_name);
+ display_type=DISPLAY_HOSTGROUP_AVAIL;
+ show_all_hostgroups=(strcmp(hostgroup_name,"all"))?FALSE:TRUE;
+ }
+@@ -1174,6 +1175,7 @@
+ servicegroup_name="";
+ else
+ strcpy(servicegroup_name,variables[x]);
++ strip_html_brackets(servicegroup_name);
+ display_type=DISPLAY_SERVICEGROUP_AVAIL;
+ show_all_servicegroups=(strcmp(servicegroup_name,"all"))?FALSE:TRUE;
+ }
+@@ -1191,6 +1193,7 @@
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+ display_type=DISPLAY_HOST_AVAIL;
+ show_all_hosts=(strcmp(host_name,"all"))?FALSE:TRUE;
+ }
+@@ -1208,6 +1211,7 @@
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+ display_type=DISPLAY_SERVICE_AVAIL;
+ show_all_services=(strcmp(svc_description,"all"))?FALSE:TRUE;
+ }
+--- cgiutils.c.orig 2007-10-29 15:05:31.000000000 +0000
++++ nagios2-2.9/cgi/cgiutils.c 2007-10-29 15:08:34.000000000 +0000
+@@ -1422,7 +1422,27 @@
+ return input;
+ }
+
++/* strip > and < from string */
++void strip_html_brackets(char *buffer){
++ register int x;
++ register int y;
++ register int z;
+
++ if(buffer==NULL || buffer[0]=='\x0')
++ return;
++
++ /* remove all occurances in string */
++ z=(int)strlen(buffer);
++ for(x=0,y=0;x<z;x++){
++ if(buffer[x]=='<' || buffer[x]=='>')
++ continue;
++ buffer[y++]=buffer[x];
++ }
++
++ buffer[y++]='\x0';
++
++ return;
++ }
+
+ /* determines the log file we should use (from current time) */
+ void get_log_archive_to_use(int archive,char *buffer,int buffer_length){
+--- histogram.c.orig 2007-10-29 15:09:12.000000000 +0000
++++ nagios2-2.9/cgi/histogram.c 2007-10-29 15:10:19.000000000 +0000
+@@ -1086,6 +1086,7 @@
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ display_type=DISPLAY_HOST_HISTOGRAM;
+ }
+@@ -1103,6 +1104,7 @@
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+
+ display_type=DISPLAY_SERVICE_HISTOGRAM;
+ }
+--- notifications.c.orig 2007-10-29 15:10:43.000000000 +0000
++++ nagios2-2.9/cgi/notifications.c 2007-10-29 15:12:23.000000000 +0000
+@@ -371,6 +371,7 @@
+ query_host_name=strdup(variables[x]);
+ if(query_host_name==NULL)
+ query_host_name="";
++ strip_html_brackets(query_host_name);
+ if(!strcmp(query_host_name,"all"))
+ find_all=TRUE;
+ else
+@@ -390,6 +391,7 @@
+
+ if(query_contact_name==NULL)
+ query_contact_name="";
++ strip_html_brackets(query_contact_name);
+ if(!strcmp(query_contact_name,"all"))
+ find_all=TRUE;
+ else
+@@ -408,6 +410,7 @@
+ query_svc_description=strdup(variables[x]);
+ if(query_svc_description==NULL)
+ query_svc_description="";
++ strip_html_brackets(query_svc_description);
+ }
+
+ /* we found the notification type argument */
+--- summary.c.orig 2007-10-29 15:13:55.000000000 +0000
++++ nagios2-2.9/cgi/summary.c 2007-10-29 15:15:18.000000000 +0000
+@@ -1135,6 +1135,7 @@
+ target_hostgroup_name="";
+ else
+ strcpy(target_hostgroup_name,variables[x]);
++ strip_html_brackets(target_hostgroup_name);
+
+ if(!strcmp(target_hostgroup_name,"all"))
+ show_all_hostgroups=TRUE;
+@@ -1157,6 +1158,7 @@
+ target_servicegroup_name="";
+ else
+ strcpy(target_servicegroup_name,variables[x]);
++ strip_html_brackets(target_servicegroup_name);
+
+ if(!strcmp(target_servicegroup_name,"all"))
+ show_all_servicegroups=TRUE;
+@@ -1179,6 +1181,7 @@
+ target_host_name="";
+ else
+ strcpy(target_host_name,variables[x]);
++ strip_html_brackets(target_host_name);
+
+ if(!strcmp(target_host_name,"all"))
+ show_all_hosts=TRUE;
+--- trends.c.orig 2007-10-29 15:15:39.000000000 +0000
++++ nagios2-2.9/cgi/trends.c 2007-10-29 15:16:36.000000000 +0000
+@@ -1207,6 +1207,7 @@
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ display_type=DISPLAY_HOST_TRENDS;
+ }
+@@ -1224,6 +1225,7 @@
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+
+ display_type=DISPLAY_SERVICE_TRENDS;
+ }
+--- extinfo.c.orig 2007-10-29 15:16:58.000000000 +0000
++++ nagios2-2.9/cgi/extinfo.c 2007-10-29 15:19:22.000000000 +0000
+@@ -604,6 +604,7 @@
+ host_name=strdup(variables[x]);
+ if(host_name==NULL)
+ host_name="";
++ strip_html_brackets(host_name);
+ }
+
+ /* we found the hostgroup name */
+@@ -617,6 +618,7 @@
+ hostgroup_name=strdup(variables[x]);
+ if(hostgroup_name==NULL)
+ hostgroup_name="";
++ strip_html_brackets(hostgroup_name);
+ }
+
+ /* we found the service name */
+@@ -630,6 +632,7 @@
+ service_desc=strdup(variables[x]);
+ if(service_desc==NULL)
+ service_desc="";
++ strip_html_brackets(service_desc);
+ }
+
+ /* we found the servicegroup name */
+@@ -643,6 +646,7 @@
+ servicegroup_name=strdup(variables[x]);
+ if(servicegroup_name==NULL)
+ servicegroup_name="";
++ strip_html_brackets(servicegroup_name);
+ }
+
+ /* we found the sort type argument */
+--- statuswml.c.orig 2007-10-29 15:19:41.000000000 +0000
++++ nagios2-2.9/cgi/statuswml.c 2007-10-29 15:21:15.000000000 +0000
+@@ -239,6 +239,7 @@
+ hostgroup_name="";
+ else
+ strcpy(hostgroup_name,variables[x]);
++ strip_html_brackets(hostgroup_name);
+
+ if(!strcmp(hostgroup_name,"all"))
+ show_all_hostgroups=TRUE;
+@@ -260,6 +261,7 @@
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+ }
+
+ /* we found the service argument */
+@@ -276,6 +278,7 @@
+ service_desc="";
+ else
+ strcpy(service_desc,variables[x]);
++ strip_html_brackets(service_desc);
+ }
+
+
+@@ -317,6 +320,7 @@
+ ping_address="";
+ else
+ strcpy(ping_address,variables[x]);
++ strip_html_brackets(ping_address);
+ }
+
+ /* we found the traceroute argument */
+@@ -333,6 +337,7 @@
+ traceroute_address="";
+ else
+ strcpy(traceroute_address,variables[x]);
++ strip_html_brackets(traceroute_address);
+ }
+
+ }
+--- statusmap.c.orig 2007-10-29 15:21:44.000000000 +0000
++++ nagios2-2.9/cgi/statusmap.c 2007-10-29 15:22:27.000000000 +0000
+@@ -412,6 +412,7 @@
+ host_name="all";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ if(!strcmp(host_name,"all"))
+ show_all_hosts=TRUE;
+@@ -569,7 +570,8 @@
+ error=TRUE;
+ break;
+ }
+-
++
++ strip_html_brackets(variables[x]);
+ add_layer(variables[x]);
+ }
+ }
+--- history.c.orig 2007-10-29 15:23:21.000000000 +0000
++++ nagios2-2.9/cgi/history.c 2007-10-29 15:24:11.000000000 +0000
+@@ -379,6 +379,7 @@
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ display_type=DISPLAY_HOSTS;
+
+@@ -401,6 +402,7 @@
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+
+ display_type=DISPLAY_SERVICES;
+ }
+--- cmd.c.orig 2007-10-29 15:24:40.000000000 +0000
++++ nagios2-2.9/cgi/cmd.c 2007-10-29 15:26:51.000000000 +0000
+@@ -380,6 +380,7 @@
+ comment_author="";
+ else
+ strcpy(comment_author,variables[x]);
++ strip_html_brackets(comment_author);
+ }
+
+ /* we found the comment data */
+@@ -395,6 +396,7 @@
+ comment_data="";
+ else
+ strcpy(comment_data,variables[x]);
++ strip_html_brackets(comment_data);
+ }
+
+ /* we found the host name */
+@@ -410,6 +412,7 @@
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+ }
+
+ /* we found the hostgroup name */
+@@ -425,6 +428,7 @@
+ hostgroup_name="";
+ else
+ strcpy(hostgroup_name,variables[x]);
++ strip_html_brackets(hostgroup_name);
+ }
+
+ /* we found the service name */
+@@ -440,6 +444,7 @@
+ service_desc="";
+ else
+ strcpy(service_desc,variables[x]);
++ strip_html_brackets(service_desc);
+ }
+
+ /* we found the servicegroup name */
+@@ -455,6 +460,7 @@
+ servicegroup_name="";
+ else
+ strcpy(servicegroup_name,variables[x]);
++ strip_html_brackets(servicegroup_name);
+ }
+
+ /* we got the persistence option for a comment */
+--- status.c.orig 2007-10-29 15:27:16.000000000 +0000
++++ nagios2-2.9/cgi/status.c 2007-10-29 15:28:42.000000000 +0000
+@@ -572,6 +572,7 @@
+ }
+
+ hostgroup_name=strdup(variables[x]);
++ strip_html_brackets(hostgroup_name);
+
+ if(hostgroup_name!=NULL && !strcmp(hostgroup_name,"all"))
+ show_all_hostgroups=TRUE;
+@@ -589,6 +590,7 @@
+ }
+
+ servicegroup_name=strdup(variables[x]);
++ strip_html_brackets(servicegroup_name);
+
+ if(servicegroup_name!=NULL && !strcmp(servicegroup_name,"all"))
+ show_all_servicegroups=TRUE;
+@@ -606,6 +608,7 @@
+ }
+
+ host_name=strdup(variables[x]);
++ strip_html_brackets(host_name);
+
+ if(host_name!=NULL && !strcmp(host_name,"all"))
+ show_all_hosts=TRUE;
+@@ -730,6 +733,7 @@
+ break;
+ }
+ service_filter=strdup(variables[x]);
++ strip_html_brackets(service_filter);
+ }
+ }
+

