  1. ZABBIX FEATURE REQUESTS
  2. ZBXNEXT-2534

Add characters to UnsafeUserParameters with possibility of escaping others

    Details

    • Type: New Feature Request
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Agent (G)

      Description

      Purely a security request, I think there's still a couple unsafe characters and COMBINATIONS of characters allowed to be passed to agents, or at least some that should be escaped.

      Also I feel to be truly a safe parameter, the ONLY characters allowed to be passed should be: [a-zA-Z0-9]

      I understand the need for . / etc. But without filtering dangerous combinations, we open up security holes.

      Some examples of these in the current allowed set would be:
      =
      %
      ..
      ./
      ../

      *NOTE, confused why / is allowed, but \ is unsafe. Wouldn't this be Windows, Linux, or web check (curl, etc.) dependent?

      Here's some example escaping code for Rexx / Perl: https://www.slac.stanford.edu/slac/www/resource/how-to-use/cgi-rexx/cgi-esc.html

            People

            Assignee: Unassigned
            Reporter: tagwolf (David Cahill)
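The two filtering policies the request describes, as an added example that is not part of the original issue and is not Zabbix agent code: a strict check that accepts only [a-zA-Z0-9], and a relaxed check that also admits `.` and `/` but rejects the combinations listed (`..`, `./`, `../`). The function names, verdict codes and the extra `-` and `_` characters in the relaxed set are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Verdict names are hypothetical, not Zabbix identifiers. */
enum verdict { PARAM_OK, PARAM_EMPTY, PARAM_BAD_CHAR, PARAM_BAD_SEQUENCE };

static int is_ascii_alnum(unsigned char c)
{
    /* Explicit ranges: isalnum() depends on the locale. */
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}

/* Accept [a-zA-Z0-9] plus any character listed in 'extra' (may be ""). */
static enum verdict check_chars(const char *p, const char *extra)
{
    if (p == NULL || *p == '\0')
        return PARAM_EMPTY;
    for (; *p != '\0'; p++)
        if (!is_ascii_alnum((unsigned char)*p) && strchr(extra, *p) == NULL)
            return PARAM_BAD_CHAR;
    return PARAM_OK;
}

/* Strict policy from the request: only [a-zA-Z0-9]. */
enum verdict check_param_strict(const char *p) { return check_chars(p, ""); }

/* Relaxed policy (assumed set): also allow . / - _ but reject the listed
 * combinations. "../" contains "..", so two substring checks cover all three. */
enum verdict check_param_relaxed(const char *p)
{
    enum verdict v = check_chars(p, "./-_");
    if (v != PARAM_OK)
        return v;
    if (strstr(p, "..") != NULL || strstr(p, "./") != NULL)
        return PARAM_BAD_SEQUENCE;
    return PARAM_OK;
}

int main(void)
{
    /* Constructed sample arguments, not taken from a real agent. */
    const char *samples[] = { "eth0", "/var/log/app.log", "../etc/passwd",
                              "./run", "key=value", "100%" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-18s strict=%d relaxed=%d\n", samples[i],
               (int)check_param_strict(samples[i]), (int)check_param_relaxed(samples[i]));
    return 0;
}
```

Both checks are allowlists, so `=`, `%` and `\` are rejected without being named; only the multi-character combinations need an explicit test.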