[ZBX-15963] HTTP agent supports non-HTTP scheme in URL field Created: 2019 Apr 09 Updated: 2019 Oct 17 Resolved: 2019 Jul 04 |
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Proxy (P), Server (S) |
Affects Version/s: | 4.2.0, 4.4.0alpha1, 4.4 (plan) |
Fix Version/s: | 4.0.10rc1, 4.2.4rc1, 4.4.0alpha1, 4.4 (plan) |
Type: | Problem report | Priority: | Minor |
Reporter: | Vjaceslavs Bogdanovs | Assignee: | Aleksejs Sestakovs |
Resolution: | Fixed | Votes: | 0 |
Labels: | http, httpagent, protocols, scheme | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Team: | Team C |
Sprint: | Sprint 51 (Apr 2019), Sprint 52 (May 2019), Sprint 53 (Jun 2019), Sprint 54 (Jul 2019) |
Story Points: | 0.25 |
Description |
HTTP agent allows using a non-HTTP scheme (making non-HTTP(s) requests). For example, the URL "ftp://your-server.here/" will work just fine and will return a directory listing. Currently there is no validation of the scheme, and this makes the term "HTTP agent" invalid, as it allows making requests to: HTTP, FTP, POP3, IMAP, SMB, etc. (https://curl.haxx.se/libcurl/c/CURLOPT_URL.html). From the perspective of the UI, there are many fields that are not valid for FTP, POP3 and other protocols, so for the sake of consistency, a scheme check should be introduced and only the HTTP(s) scheme should be allowed in HTTP checks. |
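An added example, not code from the ticket or from Zabbix: a strict scheme allow-list of the kind the description asks for, applied to the URL string before it is passed to libcurl. The names `check_http_url`, `scheme_is` and the `url_check` codes are hypothetical; the sample URLs in `main` are constructed. A URL without a scheme is rejected as well, because libcurl guesses the protocol from the host name when the scheme is missing (a host starting with `ftp.` is treated as FTP).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for the check below. */
enum url_check { URL_OK = 0, URL_NO_SCHEME, URL_BAD_SCHEME };

/* Case-insensitive match of the n-byte scheme at s against a lowercase word. */
static int scheme_is(const char *s, size_t n, const char *word)
{
    size_t i;

    if (strlen(word) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != word[i])
            return 0;
    return 1;
}

/* Accept only URLs that explicitly begin with http:// or https://. */
enum url_check check_http_url(const char *url)
{
    size_t n = 0;

    /* RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) */
    if (!isalpha((unsigned char)url[0]))
        return URL_NO_SCHEME;
    while (isalnum((unsigned char)url[n]) || strchr("+-.", url[n]) != NULL) {
        if (url[n] == '\0')
            break;
        n++;
    }
    /* "host:port/" and "host/?next=http://x" carry no scheme of their own. */
    if (strncmp(url + n, "://", 3) != 0)
        return URL_NO_SCHEME;
    if (scheme_is(url, n, "http") || scheme_is(url, n, "https"))
        return URL_OK;
    return URL_BAD_SCHEME;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "https://zabbix.example.com/", "ftp://your-server.here/",
                              "ftp.example.com/", "example.com/?next=http://x" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-32s -> %d\n", samples[i], (int)check_http_url(samples[i]));
    return 0;
}
```

On the transfer itself, libcurl's `CURLOPT_PROTOCOLS` and `CURLOPT_REDIR_PROTOCOLS` options (available from libcurl 7.19.4) restrict the protocols a handle may use, which also covers redirects that a string check on the configured URL cannot see.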
Comments |
Comment by Aleksejs Sestakovs [ 2019 May 29 ] |
Available in:
|
Comment by Glebs Ivanovskis [ 2019 Jun 26 ] |
Regarding aaa9bfff87a:
|
Comment by Alexander Vladishev [ 2019 Jun 26 ] |
cyclone, at the same time you get a lot of bugs fixed in new versions of libcurl. This fix was added because RedHat 5.0 has libcurl 7.19.4 packages. |
Comment by Glebs Ivanovskis [ 2019 Jun 26 ] |
I understand the motivation behind these changes (official Zabbix packages for RHEL 5 are compiled with old libcurl available in RedHat repository, but you still want Zabbix to support libcurl-dependent features like HTTP agent, web scenarios, etc.), my point is that they effectively undo (at least partially) the work done in the scope of this ticket. User may have latest version of libcurl even on the old RHEL, see My opinion is that libcurl version should be checked in runtime as requested in ZBXNEXT-3623. |
Comment by dimir [ 2019 Jun 27 ] |
ZBXNEXT-3623 could help solving this issue. Edit: ah, missed comment above from cyclone. |
Comment by Aleksandrs Saveljevs [ 2019 Oct 17 ] |
We used the ftp://{$USERNAME}:{$PASSWORD}@ftp.example.com/ URLs in HTTP agent items to verify that a user can log in to an FTP server. Yesterday, we upgraded from Zabbix 4.0.9 to Zabbix 4.0.13 and these checks stopped working due to the following error:

Cannot perform request: Protocol ftp not supported or disabled in libcurl

Any possibility of this change being reconsidered? |
Comment by Vjaceslavs Bogdanovs [ 2019 Oct 17 ] |
asaveljevs, at this point you were exploiting the undocumented behavior of "HTTP agent" functionality. |