  1. ZABBIX BUGS AND ISSUES
  2. ZBX-1575

Sanitizing UserParameter parameter is too aggressive and undocumented

Details

    • Incident report
    • Resolution: Fixed
    • Blocker
    • 1.8.2, 1.9.0 (alpha)
    • 1.8
    • Agent (G)
    • None

    Description

      The sanitizing of parameters to UserParameters as implemented in ZBX-790 is (purposely) aggressive, but without any means of escaping or quoting the special characters, most of my UserParameters are broken. For example, I make extensive use of regular expressions in my UserParameters. Based on the list of suppressed characters ('\'"`*?[-]{}~$!&;()<>|#@'), they all broke.

      So, there are two problems with this: 1. There is no way to escape these special characters so that they can still be used. 2. It wasn't well documented. (A significant change like this deserves more than just a simple mention of the ticket in the release notes.)

      For the time being, I have removed the check from my agents' code, but can we investigate a less strong-armed way of addressing this potential attack vector?

          People

            Unassigned Unassigned
            jhriggs Jim Riggs
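
The check described in the report, as an added example that is not Zabbix's own code and not part of the original ticket: a parameter fails if it contains any character from the quoted list, which is why a regular expression cannot be passed. The function name `suppressed_in` and the sample parameters are assumptions constructed for illustration; the character list is copied as written in the description.

```c
#include <stdio.h>
#include <string.h>

/* Character list copied character for character from the report above. */
static const char SUPPRESSED[] = "\\'\"`*?[-]{}~$!&;()<>|#@";

/*
 * Store each distinct listed character found in param, in order of first
 * appearance, into out (always NUL-terminated when outsz > 0).
 * Returns the number stored; 0 means the parameter passes this check.
 */
size_t suppressed_in(const char *param, char *out, size_t outsz)
{
    size_t n = 0;

    if (outsz == 0)
        return 0;
    out[0] = '\0';
    for (; *param != '\0'; param++) {
        if (strchr(SUPPRESSED, *param) == NULL)
            continue;                   /* not on the list */
        if (strchr(out, *param) != NULL)
            continue;                   /* already recorded */
        if (n + 1 < outsz) {
            out[n++] = *param;
            out[n] = '\0';
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample parameters, not taken from the report. */
    const char *samples[] = {
        "eth0",                 /* plain value */
        "/var/log/app.log",     /* file path */
        "^(ERROR|WARN).*$",     /* regular expression */
    };
    char hits[sizeof SUPPRESSED];   /* large enough for every listed character */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (suppressed_in(samples[i], hits, sizeof hits) == 0)
            printf("accept  %s\n", samples[i]);
        else
            printf("reject  %s  (contains: %s)\n", samples[i], hits);
    }
    return 0;
}
```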