Posting a modified version of my last mail to Axel Beckert... with some updates:
On Thursday, 23. May 2013, 22:32:33 Axel Beckert wrote:
[...]
> I rather expected that it was fixed in another way, but I haven't
> found any evidence.

Indeed they did:

| web/history.c: fprintf(htmlrep, "<BR><FONT %s><B>%s",
| xgetenv("XYMONPAGEROWFONT"), htmlquoted(displayname));
| web/history.c: fprintf(htmlrep, " - %s</B></FONT><BR>\n",
| htmlquoted(service));
| web/history.c: sprintf(p, "&IP=%s", htmlquoted(ip))

They separated all calls to htmlquoted, and called the function each time a variable from the HTTP request is inserted into the HTML code.

The code using the htmlquoted function looks quite different from the code I read in January. The old code did this when the code was passed to the output function. And it did many calls before copying the strings out of the buffer. Things like this:

| sethostenv(htmlquoted(displayname), htmlquoted(ip), htmlquoted(service),
| colorname(color), htmlquoted(hostname));

And this example results in the hostname being inserted as color, service, ip and displayname also.

I had a look at xymon-4.3.11, and found 94 different calls to "htmlquoted". The old code of 4.3.0~beta2.dfsg-5ubuntu0.1 and 4.3.0~beta2.dfsg-9.1ubuntu0.1 contains only a few, about 8 ... 10 calls if I remember this correctly.

These changes would of course also fix the bug. And it fixes it in a cleaner way. But it is much more modification to the code than Ulric's fix in the htmlquoted function itself.

I think the new fix would be much better to debug for future releases of xymon. But I'm not sure it is a good idea to port it back to a stable release or even to an LTS release, since many scattered lines of change are IMHO many possibilities for mistakes.

> I can apply that patch for the upcoming 4.3.11-1 experimental package
> if wanted.

I don't think it makes sense to integrate it there under these circumstances. I'm more interested to get a patch for this issue into the packages for precise and lucid. At least into future patched versions.
The version 4-3-7 already contains the new bugfix code. I didn't have a look at the packages for quantal yet.

> I though never ran into that issue (running
> 4.3.0~beta2.dfsg-6+squeeze1 on Squeeze and a 4.3.10 packaging snapshot
> on Squeeze and Wheezy) and hence can't check if it works. (I also ran
> 4.3.7-1 for a while on Squeeze and didn't notice it there, but also
> didn't use history a lot there.)

The error is absolutely reproducible.

My very first quickfix was some JavaScript code in the page footer. But this didn't fix the headlines on the details and history pages. It only made the history button work again, by filling the forms again with corrected values. This was on Thu, 17 Jan 2013, one day after the bug had also reached lucid.

> > The Bug came in with the 2011-1716 Patch.
>
> I guess you mean CVE-2011-1716.

Yes, I cut the leading 7 since it has a different number in this place for lucid/precise and also cut the CVE by mistake.

> I didn't understand that sentence. Did you mean "And all should be
> affected by this bug"?

Yes. This was English with a bit of German grammar, sorry for this. And they also aren't as clarified above.

> This patch though has, as the one before, unnecessary whitespace
> changes in it, which makes it hard to see the real functional changes.
> I had to check every single line manually to actually see the
> functional changes. Could you please post a patch without changing the
> indentation of unchanged lines? TIA!

OK, let's try with less whitespace garbage. But I didn't get rid of the version dependency. Looks like this is caused by different whitespace in 7-CVE2011-1716 and 9-CVE2011-1716, in lines the diff uses to find the right code. ;-) :-(

| $ diff lucid/lk2013-05-24_historybutton_lucid.patch precise/lk2013-05-24_historybutton_precise.patch
| 2,7c2,7
| < --- xymon-4.3.0-beta2.orig/lib/strfunc.c 2013-05-24 09:24:35.000000000 +0200
| < +++ xymon-4.3.0-beta2.patched/lib/strfunc.c 2013-05-24 08:58:34.000000000 +0200
| < @@ -183,29 +183,36 @@ char *htmlquoted(char *s)
| < * This routine converts a plain string into an html-quoted string
| < */
| <
| ---
| > --- xymon-4.3.0-beta2.orig/lib/strfunc.c 2013-05-24 09:27:43.000000000 +0200
| > +++ xymon-4.3.0-beta2.patched/lib/strfunc.c 2013-05-24 09:29:00.000000000 +0200
| > @@ -182,29 +182,37 @@ char *htmlquoted(char *s)
| > /*
| > * This routine converts a plain string into an html-quoted string
| > */
| 8a9
| > +
| 25c26
| < inp= s;
| ---
| > inp = s;

Kind regards,
Lars

** Patch added: "lk2013-05-24_historybutton_precise.patch"
   https://bugs.launchpad.net/ubuntu/+source/xymon/+bug/1103428/+attachment/3685569/+files/lk2013-05-24_historybutton_precise.patch

--
https://bugs.launchpad.net/bugs/1103428

Title:
  Xymon history page does not work
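
Review bot: at `8a9` the precise patch carries an extra added line consisting only of `+` (a blank line) that the lucid patch does not have, which matches its hunk header ending in `+182,37` instead of `+183,36`. Since the request was for a patch without whitespace-only changes, drop that added blank line so both versions make the same change. The `inp= s;` / `inp = s;` difference at `25c26` carries no `+` or `-` marker, so it looks like context from the differently formatted base sources and has to stay for the hunk to apply.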
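
The symptom described in the mail (several htmlquoted() results passed to one call, all ending up with the same value) beside the per-use calling pattern, as an added C example that is not Xymon's code and not part of the original message. `quote_static`, `set_env` and `struct hostenv` are hypothetical stand-ins, and the single static return buffer is an assumption inferred from the described behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed escaper returning one static buffer (assumption; not Xymon's htmlquoted()). */
static const char *quote_static(const char *s) {
    static char buf[256];
    size_t o = 0;
    for (; *s && o + 7 < sizeof buf; s++) {
        const char *rep = *s == '<' ? "&lt;" : *s == '>' ? "&gt;" :
                          *s == '&' ? "&amp;" : *s == '"' ? "&quot;" : NULL;
        if (rep) o += (size_t)sprintf(buf + o, "%s", rep);
        else buf[o++] = *s;
    }
    buf[o] = '\0';
    return buf;
}

/* Hypothetical stand-in for a setter like sethostenv(): copies its arguments. */
struct hostenv { char name[64], ip[64], service[64]; };

static void set_env(struct hostenv *e, const char *name, const char *ip, const char *svc) {
    snprintf(e->name, sizeof e->name, "%s", name);
    snprintf(e->ip, sizeof e->ip, "%s", ip);
    snprintf(e->service, sizeof e->service, "%s", svc);
}

/* Old pattern: all quote calls run before any result is copied out, so the
 * three arguments are the same pointer. Which value survives depends on the
 * compiler's argument evaluation order. Returns 1 if the fields collapsed. */
int aliased_call_collapses(void) {
    struct hostenv e;
    set_env(&e, quote_static("web<1>"), quote_static("10.0.0.1"), quote_static("http"));
    return strcmp(e.name, e.ip) == 0 && strcmp(e.ip, e.service) == 0;
}

/* Newer pattern: each quoted value is consumed before the next call. */
int per_use_call_is_correct(void) {
    struct hostenv e;
    snprintf(e.name, sizeof e.name, "%s", quote_static("web<1>"));
    snprintf(e.ip, sizeof e.ip, "%s", quote_static("10.0.0.1"));
    snprintf(e.service, sizeof e.service, "%s", quote_static("http"));
    return !strcmp(e.name, "web&lt;1&gt;") && !strcmp(e.ip, "10.0.0.1") && !strcmp(e.service, "http");
}

int main(void) {
    printf("collapsed=%d per_use_ok=%d\n", aliased_call_collapses(), per_use_call_is_correct());
    return 0;
}
```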