ZABBIX FEATURE REQUESTS / ZBXNEXT-2534

Add characters to UnsafeUserParameters with possibility of escaping others


    • Type: New Feature Request
    • Resolution: Won't fix
    • Priority: Minor
    • None
    • None
    • Agent (G)

      Purely a security request: I think there are still a couple of unsafe characters and COMBINATIONS of characters allowed to be passed to agents, or at least some that should be escaped.

      Also, I feel that to be truly a safe parameter, the ONLY characters allowed to be passed should be: [a-zA-Z0-9]

      I understand the need for . / etc., but without filtering dangerous combinations, we open up security holes.

      Some examples of these in the current allowed set would be:
      =
      %
      ..
      ./
      ../

      *NOTE: confused why / is allowed, but \ is unsafe. Wouldn't this be dependent on Windows, Linux, or web check (curl, etc.)?

      Here's some example escaping code for Rexx / Perl: https://www.slac.stanford.edu/slac/www/resource/how-to-use/cgi-rexx/cgi-esc.html

            Assignee: Unassigned
            Reporter: tagwolf
            Votes: 0
            Watchers: 2
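The gap this request describes, shown as an added example (not code from the issue or from the Zabbix source): a character denylist lets sequences such as `../` through, while the strict `[a-zA-Z0-9]` rule or a combination filter rejects them. The denylist is the set the Zabbix agent documentation gives for `UnsafeUserParameters=0`, reproduced here as an assumption because the issue does not list it; all function names and sample arguments are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: characters the Zabbix agent documentation lists as rejected
 * in UserParameter arguments when UnsafeUserParameters=0 (newline is
 * rejected as well). The issue itself does not enumerate them. */
static const char DENYLIST[] = "\\'\"`*?[]{}~$!&;()<>|#@\n";

/* Hypothetical helper: 1 if arg contains no denylisted character. */
int passes_denylist(const char *arg)
{
    return arg[strcspn(arg, DENYLIST)] == '\0';
}

/* Hypothetical helper: the strict rule proposed in the request, only
 * [a-zA-Z0-9] is accepted (default "C" locale; empty input is rejected). */
int passes_strict_allowlist(const char *arg)
{
    if (*arg == '\0')
        return 0;
    for (; *arg != '\0'; arg++)
        if (!isalnum((unsigned char)*arg))
            return 0;
    return 1;
}

/* Hypothetical helper: middle ground from the request, '.' and '/' stay
 * usable but '=', '%' and any ".." or "./" sequence are rejected
 * ("../" is already covered by ".."). */
int passes_combination_filter(const char *arg)
{
    if (!passes_denylist(arg) || strpbrk(arg, "=%") != NULL)
        return 0;
    return strstr(arg, "..") == NULL && strstr(arg, "./") == NULL;
}

int main(void)
{
    /* Constructed sample arguments, not taken from the issue. */
    const char *samples[] = { "eth0", "var/log/app.log", "../../conf",
                              "a%2e%2e", "key=value", "x;y" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-16s denylist=%d strict=%d combo=%d\n", samples[i],
               passes_denylist(samples[i]), passes_strict_allowlist(samples[i]),
               passes_combination_filter(samples[i]));
    return 0;
}
```

Only `x;y` is stopped by the denylist alone; the strict rule also blocks the ordinary relative path `var/log/app.log`, which is the usability cost the request acknowledges.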