[ZBX-4529] Some shell metachars not escaped when call alert script Created: 2012 Jan 09 Updated: 2017 May 30 Resolved: 2015 May 19 |
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Server (S) |
Affects Version/s: | 1.8.10 |
Fix Version/s: | 2.0.15rc1, 2.2.10rc1, 2.4.6rc1, 2.5.0 |
Type: | Incident report | Priority: | Major |
Reporter: | Pavel | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 5 |
Labels: | actions, escaping |
Remaining Estimate: | Not Specified |
Time Spent: | Not Specified |
Original Estimate: | Not Specified |
Attachments: | zabbix-1.8-r50496-execute_script_media_by_execvp.patch, zabbix-2.0-r50496-execute_script_media_by_execvp.patch, zabbix-2.2-r50496-execute_script_media_by_execvp.patch, zabbix-2.4-r50496-execute_script_media_by_execvp.patch |
Description |
When the alerter calls an external script, it can pass some information, including the last item value, as command-line arguments. The solution I propose is to call external scripts with the exec() function and not via "/bin/sh -c". |
Comments |
Comment by Pavel [ 2013 Sep 09 ] |
Escaping all metacharacters in script arguments seems not so ugly to me now. |
Comment by Takanori Suzuki [ 2014 Nov 07 ] |
Action subject and message can include "{ITEM.VALUE[1-9]}", and it's difficult for an admin to escape the content of the macro. So, I made patches that execute script media by execvp() instead of the current implementation. |
Comment by Andris Zeila [ 2015 May 11 ] |
The simplest solution would be to use strong quoting for script arguments (escaping ' with '\''). |
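The strong quoting suggested in the comment above, as an added example (not code from this thread or from Zabbix): each argument is wrapped in single quotes and every embedded `'` is emitted as `'\''`, so a value expanded from a macro such as {ITEM.VALUE} reaches the script as literal text even when the command still goes through "/bin/sh -c". The function names, the script path and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Strong quoting for /bin/sh: wrap arg in single quotes and emit each
 * embedded ' as '\'' (close quote, escaped quote, reopen quote).
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *sh_quote(const char *arg)
{
    size_t len = 2;                        /* the two enclosing quotes */
    for (const char *p = arg; *p; p++)
        len += (*p == '\'') ? 4 : 1;
    char *out = malloc(len + 1), *q = out;
    if (out == NULL)
        return NULL;
    *q++ = '\'';
    for (const char *p = arg; *p; p++) {
        if (*p != '\'') { *q++ = *p; continue; }
        memcpy(q, "'\\''", 4);             /* ' becomes '\'' */
        q += 4;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Build the string passed to "/bin/sh -c": quoted script path, quoted args. */
char *build_alert_cmd(const char *script, const char *const *args, size_t n)
{
    char *cmd = sh_quote(script);
    for (size_t i = 0; cmd != NULL && i < n; i++) {
        char *qa = sh_quote(args[i]);
        char *next = qa ? malloc(strlen(cmd) + strlen(qa) + 2) : NULL;
        if (next != NULL)
            sprintf(next, "%s %s", cmd, qa);
        free(qa);
        free(cmd);
        cmd = next;                        /* NULL here ends the loop */
    }
    return cmd;
}

int main(void)
{   /* Constructed sample: a message as it might look after macro expansion. */
    const char *args[] = { "admin@example.com", "Disk full", "it's $(id); `date`" };
    char *cmd = build_alert_cmd("/path/to/alertscript.sh", args, 3);
    if (cmd != NULL) puts(cmd);
    free(cmd);
    return 0;
}
```

Quoting is only needed while a shell parses the command line; with the execvp() approach from the earlier comment the arguments are passed as an argv array and no shell sees them.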
Comment by Andris Zeila [ 2015 May 11 ] |
Fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-4529 |
Comment by Alexander Vladishev [ 2015 May 19 ] |
Successfully tested! Take a look at my changes in r53653. wiper reviewed, thanks |
Comment by Andris Zeila [ 2015 May 19 ] |
Released in: