ZABBIX BUGS AND ISSUES / ZBX-1575

Sanitizing UserParameter parameter is too aggressive and undocumented

    Details

    • Type: Incident report
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.8
    • Fix Version/s: 1.8.2, 1.9.0 (alpha)
    • Component/s: Agent (G)
    • Labels: None

      Description

      The sanitizing of parameters to UserParameters as implemented in ZBX-790 is (purposely) aggressive, but without any means of escaping or quoting the special characters, most of my UserParameters are broken. For example, I make extensive use of regular expressions in my UserParameters. Based on the list of suppressed characters ('\'"`*?[-]{}~$!&;()<>|#@'), they all broke.

      So, there are two problems with this: 1. There is no way to escape these special characters so that they can still be used. 2. It wasn't well documented. (A significant change like this deserves more than just a simple mention of the ticket in the release notes.)

      For the time being, I have removed the check from my agents' code, but can we investigate a less strong-armed way of addressing this potential attack vector?
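
The trade-off the report describes, as an added example (not Zabbix code and not the fix that was shipped): the first function applies the character list quoted above as a denylist, the second instead shell-quotes each parameter before substitution, so a regular expression reaches the command as a single argument. The `$1`..`$9` template syntax, the function names and the sample command are assumptions for illustration.

```python
import re
import shlex

# Character list as quoted in the report above.
SUPPRESSED = set("\\'\"`*?[-]{}~$!&;()<>|#@")


def rejected_chars(param):
    """Denylist check: listed characters found in param, in order of first use."""
    found = []
    for ch in param:
        if ch in SUPPRESSED and ch not in found:
            found.append(ch)
    return found


def expand_quoted(template, params):
    """Replace $1..$9 in one pass with shell-quoted parameters.

    Assumes the template does not put its own quotes around $N; a missing
    parameter expands to an empty quoted string.
    """
    def substitute(match):
        index = int(match.group(1)) - 1
        value = params[index] if index < len(params) else ""
        return shlex.quote(value)

    return re.sub(r"\$([1-9])", substitute, template)


def argv_after_shell_parsing(template, params):
    """Split the expanded command using POSIX shell quoting rules (shlex)."""
    return shlex.split(expand_quoted(template, params))


# Constructed sample: a hypothetical log-matching UserParameter command.
TEMPLATE = "grep -c -E $1 $2"
REGEX = "^error.*(disk|cpu)$"

if __name__ == "__main__":
    print("denylist would reject on:", rejected_chars(REGEX))
    print("quoted command:", expand_quoted(TEMPLATE, [REGEX, "/var/log/app.log"]))
    print("argv:", argv_after_shell_parsing(TEMPLATE, [REGEX, "/var/log/app.log"]))
```

Quoting only stops the shell from interpreting the parameter; the program that receives it still parses it, so a value beginning with `-` can be read as an option.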

            People

            Assignee: Unassigned
            Reporter: jhriggs Jim Riggs