authortonnerre <tonnerre@pkgsrc.org>2008-03-18 21:53:41 +0000
committertonnerre <tonnerre@pkgsrc.org>2008-03-18 21:53:41 +0000
commit4331013f541160fb08f3cbdf9eaf27d3dfd75165 (patch)
treeb3b99218c23c8ed3b2925a8fc1413b812447ce06 /net
parentebdd30c58e7a1ab995da869a4351f38cc584e2ef (diff)
downloadpkgsrc-4331013f541160fb08f3cbdf9eaf27d3dfd75165.tar.gz
Fix several cross site scripting vulnerabilities in Nagios 2.5
Take over maintainership as suggested by jlam Approved-by: jlam
Diffstat (limited to 'net')
-rw-r--r--net/nagios-base/Makefile6
-rw-r--r--net/nagios-base/distinfo16
-rw-r--r--net/nagios-base/patches/patch-ag36
-rw-r--r--net/nagios-base/patches/patch-ai52
-rw-r--r--net/nagios-base/patches/patch-aj60
-rw-r--r--net/nagios-base/patches/patch-ak20
-rw-r--r--net/nagios-base/patches/patch-al29
-rw-r--r--net/nagios-base/patches/patch-am46
-rw-r--r--net/nagios-base/patches/patch-an13
-rw-r--r--net/nagios-base/patches/patch-ao54
-rw-r--r--net/nagios-base/patches/patch-ap20
-rw-r--r--net/nagios-base/patches/patch-aq44
-rw-r--r--net/nagios-base/patches/patch-ar12
-rw-r--r--net/nagios-base/patches/patch-as28
-rw-r--r--net/nagios-base/patches/patch-at20
-rw-r--r--net/nagios-base/patches/patch-au33
16 files changed, 485 insertions, 4 deletions
diff --git a/net/nagios-base/Makefile b/net/nagios-base/Makefile
index 67d986c79de..023a89dad5c 100644
--- a/net/nagios-base/Makefile
+++ b/net/nagios-base/Makefile
@@ -1,13 +1,13 @@
-# $NetBSD: Makefile,v 1.16 2007/11/26 22:14:13 seb Exp $
+# $NetBSD: Makefile,v 1.17 2008/03/18 21:53:41 tonnerre Exp $
#
DISTNAME= nagios-2.5
PKGNAME= ${DISTNAME:S/-/-base-/}
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= net sysutils
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=nagios/}
-MAINTAINER= pkgsrc-users@NetBSD.org
+MAINTAINER= tonnerre@NetBSD.org
HOMEPAGE= http://www.nagios.org/
COMMENT= Network monitor
diff --git a/net/nagios-base/distinfo b/net/nagios-base/distinfo
index 026b21df46f..0fd5d54a05d 100644
--- a/net/nagios-base/distinfo
+++ b/net/nagios-base/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.6 2007/11/26 22:14:14 seb Exp $
+$NetBSD: distinfo,v 1.7 2008/03/18 21:53:41 tonnerre Exp $
SHA1 (nagios-2.5.tar.gz) = 00e6bc45c5634649b6a1be2758ec181197d38f76
RMD160 (nagios-2.5.tar.gz) = a0f1890ed546ce026cf784ae3ca83119275bd529
@@ -9,4 +9,18 @@ SHA1 (patch-ac) = b72c80203f7c1c88f851a13c9031bc5a4febf512
SHA1 (patch-ad) = 2d7c6620ed08a64c8df2d26083fa327899305004
SHA1 (patch-ae) = 088bddbbd8d6a9f6b7aff89f238d510959a7220b
SHA1 (patch-af) = a1b2c3a51b0ed72ff0f507bacc44a0d0c5924d60
+SHA1 (patch-ag) = 81c7bd5b4bbec8a5135b96d9b2d47a11f7e21953
SHA1 (patch-ah) = 88122296f9d74648c3dadbd7f6e12e7ef1f32081
+SHA1 (patch-ai) = 01af7bb4fd0bf3e341535e072384630f859b1338
+SHA1 (patch-aj) = 4655da482dced332a870feaeddc729c0c7efd841
+SHA1 (patch-ak) = ecdfe1bc8b219324780d0d86ce7c5dcc7c51c241
+SHA1 (patch-al) = 59763ce59854012ca94e5adb4d53ac5c46532309
+SHA1 (patch-am) = f839f730c11907a36df1ed0e01290caa667be655
+SHA1 (patch-an) = d1110a33f26ff3807982385d8e706436214dac3f
+SHA1 (patch-ao) = ed9bff0519efeb531a4fa40170ce69dc8082139e
+SHA1 (patch-ap) = a82898a22eb0e0938bffd0a2490a8fe306f07e65
+SHA1 (patch-aq) = 7403d4192c59e522e94f221d06a1ecec5aba9118
+SHA1 (patch-ar) = a496fbee60e35a5287bd646573ecdb007033f6cf
+SHA1 (patch-as) = cd9c5454f4b6a9f8ccf496398b3413b85a7e0d99
+SHA1 (patch-at) = 9862506f7b8e87525d7c0616703154c006e6dd27
+SHA1 (patch-au) = bde2db89a81d3e41fd90556e6f0d20d3ce1d3bbc
diff --git a/net/nagios-base/patches/patch-ag b/net/nagios-base/patches/patch-ag
new file mode 100644
index 00000000000..1baeeceab28
--- /dev/null
+++ b/net/nagios-base/patches/patch-ag
@@ -0,0 +1,36 @@
+$NetBSD: patch-ag,v 1.3 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/avail.c.orig 2006-04-06 00:33:32.000000000 +0200
++++ cgi/avail.c
+@@ -1157,6 +1157,7 @@ int process_cgivars(void){
+ hostgroup_name="";
+ else
+ strcpy(hostgroup_name,variables[x]);
++ strip_html_brackets(hostgroup_name);
+ display_type=DISPLAY_HOSTGROUP_AVAIL;
+ show_all_hostgroups=(strcmp(hostgroup_name,"all"))?FALSE:TRUE;
+ }
+@@ -1174,6 +1175,7 @@ int process_cgivars(void){
+ servicegroup_name="";
+ else
+ strcpy(servicegroup_name,variables[x]);
++ strip_html_brackets(servicegroup_name);
+ display_type=DISPLAY_SERVICEGROUP_AVAIL;
+ show_all_servicegroups=(strcmp(servicegroup_name,"all"))?FALSE:TRUE;
+ }
+@@ -1191,6 +1193,7 @@ int process_cgivars(void){
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+ display_type=DISPLAY_HOST_AVAIL;
+ show_all_hosts=(strcmp(host_name,"all"))?FALSE:TRUE;
+ }
+@@ -1208,6 +1211,7 @@ int process_cgivars(void){
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+ display_type=DISPLAY_SERVICE_AVAIL;
+ show_all_services=(strcmp(svc_description,"all"))?FALSE:TRUE;
+ }
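Review bot: Stripping only `<` and `>` from `hostgroup_name`, `servicegroup_name`, `host_name` and `svc_description` at parse time leaves quote characters and `&` in place, so any later output of these values inside a quoted attribute is not covered by this change. Where the values are printed is outside these hunks, so that remains unconfirmed here. Encoding at each print site, the way patch-aj wraps `plugin_output` in `html_encode()`, keeps the protection next to the output it protects and does not silently alter the name used for lookups. The same applies to the `strip_html_brackets()` calls in patch-ai, patch-ak, patch-al, patch-aq, patch-as and patch-at. `process_cgivars()` starts and ends outside every hunk shown.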
diff --git a/net/nagios-base/patches/patch-ai b/net/nagios-base/patches/patch-ai
new file mode 100644
index 00000000000..a203e9b85a1
--- /dev/null
+++ b/net/nagios-base/patches/patch-ai
@@ -0,0 +1,52 @@
+$NetBSD: patch-ai,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/cmd.c.orig 2006-05-19 16:25:03.000000000 +0200
++++ cgi/cmd.c
+@@ -380,6 +380,7 @@ int process_cgivars(void){
+ comment_author="";
+ else
+ strcpy(comment_author,variables[x]);
++ strip_html_brackets(comment_author);
+ }
+
+ /* we found the comment data */
+@@ -395,6 +396,7 @@ int process_cgivars(void){
+ comment_data="";
+ else
+ strcpy(comment_data,variables[x]);
++ strip_html_brackets(comment_data);
+ }
+
+ /* we found the host name */
+@@ -410,6 +412,7 @@ int process_cgivars(void){
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+ }
+
+ /* we found the hostgroup name */
+@@ -425,6 +428,7 @@ int process_cgivars(void){
+ hostgroup_name="";
+ else
+ strcpy(hostgroup_name,variables[x]);
++ strip_html_brackets(hostgroup_name);
+ }
+
+ /* we found the service name */
+@@ -440,6 +444,7 @@ int process_cgivars(void){
+ service_desc="";
+ else
+ strcpy(service_desc,variables[x]);
++ strip_html_brackets(service_desc);
+ }
+
+ /* we found the servicegroup name */
+@@ -455,6 +460,7 @@ int process_cgivars(void){
+ servicegroup_name="";
+ else
+ strcpy(servicegroup_name,variables[x]);
++ strip_html_brackets(servicegroup_name);
+ }
+
+ /* we got the persistence option for a comment */
diff --git a/net/nagios-base/patches/patch-aj b/net/nagios-base/patches/patch-aj
new file mode 100644
index 00000000000..aca84ca4e06
--- /dev/null
+++ b/net/nagios-base/patches/patch-aj
@@ -0,0 +1,60 @@
+$NetBSD: patch-aj,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/extinfo.c.orig 2006-03-21 22:31:46.000000000 +0100
++++ cgi/extinfo.c
+@@ -598,6 +598,7 @@ int process_cgivars(void){
+ host_name=strdup(variables[x]);
+ if(host_name==NULL)
+ host_name="";
++ strip_html_brackets(host_name);
+ }
+
+ /* we found the hostgroup name */
+@@ -611,6 +612,7 @@ int process_cgivars(void){
+ hostgroup_name=strdup(variables[x]);
+ if(hostgroup_name==NULL)
+ hostgroup_name="";
++ strip_html_brackets(hostgroup_name);
+ }
+
+ /* we found the service name */
+@@ -624,6 +626,7 @@ int process_cgivars(void){
+ service_desc=strdup(variables[x]);
+ if(service_desc==NULL)
+ service_desc="";
++ strip_html_brackets(service_desc);
+ }
+
+ /* we found the servicegroup name */
+@@ -637,6 +640,7 @@ int process_cgivars(void){
+ servicegroup_name=strdup(variables[x]);
+ if(servicegroup_name==NULL)
+ servicegroup_name="";
++ strip_html_brackets(servicegroup_name);
+ }
+
+ /* we found the sort type argument */
+@@ -989,9 +993,9 @@ void show_host_info(void){
+
+ printf("<TR><TD CLASS='dataVar'>Host Status:</td><td CLASS='dataVal'><DIV CLASS='%s'>&nbsp;&nbsp;%s&nbsp;&nbsp;%s&nbsp;&nbsp;</DIV></td></tr>\n",bg_class,state_string,(temp_hoststatus->problem_has_been_acknowledged==TRUE)?"(Has been acknowledged)":"");
+
+- printf("<TR><TD CLASS='dataVar'>Status Information:</td><td CLASS='dataVal'>%s</td></tr>\n",(temp_hoststatus->plugin_output==NULL)?"":temp_hoststatus->plugin_output);
++ printf("<TR><TD CLASS='dataVar'>Status Information:</td><td CLASS='dataVal'>%s</td></tr>\n",(temp_hoststatus->plugin_output==NULL)?"":html_encode(temp_hoststatus->plugin_output));
+
+- printf("<TR><TD CLASS='dataVar'>Performance Data:</td><td CLASS='dataVal'>%s</td></tr>\n",(temp_hoststatus->perf_data==NULL)?"":temp_hoststatus->perf_data);
++ printf("<TR><TD CLASS='dataVar'>Performance Data:</td><td CLASS='dataVal'>%s</td></tr>\n",(temp_hoststatus->perf_data==NULL)?"":html_encode(temp_hoststatus->perf_data));
+
+ printf("<TR><TD CLASS='dataVar'>Current Attempt:</TD><TD CLASS='dataVal'>%d/%d</TD></TR>\n",temp_hoststatus->current_attempt,temp_hoststatus->max_attempts);
+
+@@ -1299,9 +1303,9 @@ void show_service_info(void){
+ }
+ printf("<TR><TD CLASS='dataVar'>Current Status:</TD><TD CLASS='dataVal'><DIV CLASS='%s'>&nbsp;&nbsp;%s&nbsp;&nbsp;%s&nbsp;&nbsp;</DIV></TD></TR>\n",bg_class,state_string,(temp_svcstatus->problem_has_been_acknowledged==TRUE)?"(Has been acknowledged)":"");
+
+- printf("<TR><TD CLASS='dataVar'>Status Information:</TD><TD CLASS='dataVal'>%s</TD></TR>\n",(temp_svcstatus->plugin_output==NULL)?"":temp_svcstatus->plugin_output);
++ printf("<TR><TD CLASS='dataVar'>Status Information:</TD><TD CLASS='dataVal'>%s</TD></TR>\n",(temp_svcstatus->plugin_output==NULL)?"":html_encode(temp_svcstatus->plugin_output));
+
+- printf("<TR><TD CLASS='dataVar'>Performance Data:</td><td CLASS='dataVal'>%s</td></tr>\n",(temp_svcstatus->perf_data==NULL)?"":temp_svcstatus->perf_data);
++ printf("<TR><TD CLASS='dataVar'>Performance Data:</td><td CLASS='dataVal'>%s</td></tr>\n",(temp_svcstatus->perf_data==NULL)?"":html_encode(temp_svcstatus->perf_data));
+
+ printf("<TR><TD CLASS='dataVar'>Current Attempt:</TD><TD CLASS='dataVal'>%d/%d</TD></TR>\n",temp_svcstatus->current_attempt,temp_svcstatus->max_attempts);
+
diff --git a/net/nagios-base/patches/patch-ak b/net/nagios-base/patches/patch-ak
new file mode 100644
index 00000000000..ed52bcedcaa
--- /dev/null
+++ b/net/nagios-base/patches/patch-ak
@@ -0,0 +1,20 @@
+$NetBSD: patch-ak,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/histogram.c.orig 2006-03-21 22:31:46.000000000 +0100
++++ cgi/histogram.c
+@@ -1086,6 +1086,7 @@ int process_cgivars(void){
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ display_type=DISPLAY_HOST_HISTOGRAM;
+ }
+@@ -1103,6 +1104,7 @@ int process_cgivars(void){
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+
+ display_type=DISPLAY_SERVICE_HISTOGRAM;
+ }
diff --git a/net/nagios-base/patches/patch-al b/net/nagios-base/patches/patch-al
new file mode 100644
index 00000000000..b9d78c20a2b
--- /dev/null
+++ b/net/nagios-base/patches/patch-al
@@ -0,0 +1,29 @@
+$NetBSD: patch-al,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/history.c.orig 2006-03-21 22:31:46.000000000 +0100
++++ cgi/history.c
+@@ -379,6 +379,7 @@ int process_cgivars(void){
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ display_type=DISPLAY_HOSTS;
+
+@@ -401,6 +402,7 @@ int process_cgivars(void){
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+
+ display_type=DISPLAY_SERVICES;
+ }
+@@ -901,7 +903,7 @@ void get_history(void){
+
+ if(display_frills==TRUE)
+ printf("<img align='left' src='%s%s' alt='%s' title='%s'>",url_images_path,image,image_alt,image_alt);
+- printf("[%s] %s<br clear='all'>\n",date_time,temp_buffer);
++ printf("[%s] %s<br clear='all'>\n",date_time,html_encode(temp_buffer));
+ found_line=TRUE;
+ }
+ }
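Review bot: `html_encode(temp_buffer)` in the `get_history()` hunk is called without the NULL guard that patch-an uses for the equivalent line in showlog.c, `(temp_buffer==NULL)?"":html_encode(temp_buffer)`. Whether `temp_buffer` can be NULL at this point, and how `html_encode()` treats a NULL argument, is not visible here. Using the guarded form would make the two log views consistent. `get_history()` starts and ends outside the hunk.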
diff --git a/net/nagios-base/patches/patch-am b/net/nagios-base/patches/patch-am
new file mode 100644
index 00000000000..04c10f0e0d4
--- /dev/null
+++ b/net/nagios-base/patches/patch-am
@@ -0,0 +1,46 @@
+$NetBSD: patch-am,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/notifications.c.orig 2006-06-19 22:53:24.000000000 +0200
++++ cgi/notifications.c
+@@ -371,6 +371,7 @@ int process_cgivars(void){
+ query_host_name=strdup(variables[x]);
+ if(query_host_name==NULL)
+ query_host_name="";
++ strip_html_brackets(query_host_name);
+ if(!strcmp(query_host_name,"all"))
+ find_all=TRUE;
+ else
+@@ -390,6 +391,7 @@ int process_cgivars(void){
+
+ if(query_contact_name==NULL)
+ query_contact_name="";
++ strip_html_brackets(query_contact_name);
+ if(!strcmp(query_contact_name,"all"))
+ find_all=TRUE;
+ else
+@@ -408,6 +410,7 @@ int process_cgivars(void){
+ query_svc_description=strdup(variables[x]);
+ if(query_svc_description==NULL)
+ query_svc_description="";
++ strip_html_brackets(query_svc_description);
+ }
+
+ /* we found the notification type argument */
+@@ -553,7 +556,7 @@ void display_notifications(void){
+ /* get the host name */
+ temp_buffer=(char *)strtok(NULL,";");
+ snprintf(host_name,sizeof(host_name),"%s",(temp_buffer==NULL)?"":temp_buffer);
+- host_name[sizeof(host_name)]='\x0';
++ host_name[sizeof(host_name)-1]='\x0';
+
+ /* get the service name */
+ if(notification_type==SERVICE_NOTIFICATION){
+@@ -714,7 +717,7 @@ void display_notifications(void){
+ printf("<td CLASS='notifications%s'>%s</td>\n",(odd)?"Even":"Odd",date_time);
+ printf("<td CLASS='notifications%s'><a href='%s?type=contacts#%s'>%s</a></td>\n",(odd)?"Even":"Odd",CONFIG_CGI,url_encode(contact_name),contact_name);
+ printf("<td CLASS='notifications%s'><a href='%s?type=commands#%s'>%s</a></td>\n",(odd)?"Even":"Odd",CONFIG_CGI,url_encode(method_name),method_name);
+- printf("<td CLASS='notifications%s'>%s</td>\n",(odd)?"Even":"Odd",temp_buffer);
++ printf("<td CLASS='notifications%s'>%s</td>\n",(odd)?"Even":"Odd",html_encode(temp_buffer));
+ printf("</tr>\n");
+ }
+ }
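Review bot: `contact_name` and `method_name` are still written as element text without encoding on the two context lines directly above the changed `printf` in `display_notifications()`; only `temp_buffer` gets `html_encode()`. They appear to be parsed from the same log line as `temp_buffer` (the parsing is outside the hunk), so they probably need the same treatment, e.g. `...,CONFIG_CGI,url_encode(contact_name),html_encode(contact_name));`. Before doing that, confirm that `html_encode()` and `url_encode()` do not return the same buffer, since both results would be live in one `printf` call. The `sizeof(host_name)-1` index fix in the previous hunk looks correct.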
diff --git a/net/nagios-base/patches/patch-an b/net/nagios-base/patches/patch-an
new file mode 100644
index 00000000000..59a14908ffb
--- /dev/null
+++ b/net/nagios-base/patches/patch-an
@@ -0,0 +1,13 @@
+$NetBSD: patch-an,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/showlog.c.orig 2006-03-21 22:31:46.000000000 +0100
++++ cgi/showlog.c
+@@ -513,7 +513,7 @@ int display_log(void){
+
+ if(display_frills==TRUE)
+ printf("<img align='left' src='%s%s' alt='%s' title='%s'>",url_images_path,image,image_alt,image_alt);
+- printf("[%s] %s<br clear='all'>\n",date_time,(temp_buffer==NULL)?"":temp_buffer);
++ printf("[%s] %s<br clear='all'>\n",date_time,(temp_buffer==NULL)?"":html_encode(temp_buffer));
+ }
+
+ printf("</DIV></P>\n");
diff --git a/net/nagios-base/patches/patch-ao b/net/nagios-base/patches/patch-ao
new file mode 100644
index 00000000000..6e5ceda17ae
--- /dev/null
+++ b/net/nagios-base/patches/patch-ao
@@ -0,0 +1,54 @@
+$NetBSD: patch-ao,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/status.c.orig 2006-04-26 17:33:59.000000000 +0200
++++ cgi/status.c
+@@ -572,6 +572,7 @@ int process_cgivars(void){
+ show_all_hostgroups=TRUE;
+ else
+ show_all_hostgroups=FALSE;
++ strip_html_brackets(hostgroup_name);
+ }
+
+ /* we found the servicegroup argument */
+@@ -589,6 +590,7 @@ int process_cgivars(void){
+ show_all_servicegroups=TRUE;
+ else
+ show_all_servicegroups=FALSE;
++ strip_html_brackets(servicegroup_name);
+ }
+
+ /* we found the host argument */
+@@ -606,6 +608,7 @@ int process_cgivars(void){
+ show_all_hosts=TRUE;
+ else
+ show_all_hosts=FALSE;
++ strip_html_brackets(host_name);
+ }
+
+ /* we found the columns argument */
+@@ -725,6 +728,7 @@ int process_cgivars(void){
+ break;
+ }
+ service_filter=strdup(variables[x]);
++ strip_html_brackets(service_filter);
+ }
+ }
+
+@@ -1720,7 +1724,7 @@ void show_service_detail(void){
+ printf("<TD CLASS='status%s' nowrap>%s</TD>\n",status_bg_class,date_time);
+ printf("<TD CLASS='status%s' nowrap>%s</TD>\n",status_bg_class,state_duration);
+ printf("<TD CLASS='status%s'>%d/%d</TD>\n",status_bg_class,temp_status->current_attempt,temp_status->max_attempts);
+- printf("<TD CLASS='status%s'>%s&nbsp;</TD>\n",status_bg_class,(temp_status->plugin_output==NULL)?"":temp_status->plugin_output);
++ printf("<TD CLASS='status%s'>%s&nbsp;</TD>\n",status_bg_class,(temp_status->plugin_output==NULL)?"":html_encode(temp_status->plugin_output));
+
+ printf("</TR>\n");
+
+@@ -2102,7 +2106,7 @@ void show_host_detail(void){
+ printf("<TD CLASS='status%s'>%s</TD>\n",status_class,status);
+ printf("<TD CLASS='status%s' nowrap>%s</TD>\n",status_bg_class,date_time);
+ printf("<TD CLASS='status%s' nowrap>%s</TD>\n",status_bg_class,state_duration);
+- printf("<TD CLASS='status%s'>%s&nbsp;</TD>\n",status_bg_class,(temp_status->plugin_output==NULL)?"":temp_status->plugin_output);
++ printf("<TD CLASS='status%s'>%s&nbsp;</TD>\n",status_bg_class,(temp_status->plugin_output==NULL)?"":html_encode(temp_status->plugin_output));
+
+ printf("</TR>\n");
+ }
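Review bot: In the first three hunks `strip_html_brackets()` runs after `show_all_hostgroups`, `show_all_servicegroups` and `show_all_hosts` have already been set, whereas patch-ap, patch-aq and patch-as strip before the `"all"` comparison. If the test above each hunk compares the raw value with `"all"` (it lies outside the hunk), a value that only becomes `all` after stripping leaves the flag FALSE while the stored name reads `all`. Moving each call up to directly after the value is copied would make status.c behave like the other CGIs. `process_cgivars()` starts and ends outside the hunks.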
diff --git a/net/nagios-base/patches/patch-ap b/net/nagios-base/patches/patch-ap
new file mode 100644
index 00000000000..d73fcb3e4ed
--- /dev/null
+++ b/net/nagios-base/patches/patch-ap
@@ -0,0 +1,20 @@
+$NetBSD: patch-ap,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/statusmap.c.orig 2006-03-21 22:31:46.000000000 +0100
++++ cgi/statusmap.c
+@@ -412,6 +412,7 @@ int process_cgivars(void){
+ host_name="all";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ if(!strcmp(host_name,"all"))
+ show_all_hosts=TRUE;
+@@ -570,6 +571,7 @@ int process_cgivars(void){
+ break;
+ }
+
++ strip_html_brackets(variables[x]);
+ add_layer(variables[x]);
+ }
+ }
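Review bot: In the first hunk `strip_html_brackets(host_name)` also runs on the fallback path where `host_name` was just pointed at the string literal `"all"`. The helper added in patch-au rewrites every byte in place (`buffer[y++]=buffer[x]`), so this writes into a string literal, which is undefined behaviour and typically a crash. The `""` fallbacks in the other CGIs are safe only because the helper returns early on an empty string. Bracing the else keeps the call on the copied buffer: `else{ strcpy(host_name,variables[x]); strip_html_brackets(host_name); }`. patch-ar has the same `"all"` fallback in statuswrl.c; the condition guarding the fallback is outside both hunks.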
diff --git a/net/nagios-base/patches/patch-aq b/net/nagios-base/patches/patch-aq
new file mode 100644
index 00000000000..8b5e7dc049f
--- /dev/null
+++ b/net/nagios-base/patches/patch-aq
@@ -0,0 +1,44 @@
+$NetBSD: patch-aq,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/statuswml.c.orig 2006-03-22 18:45:26.000000000 +0100
++++ cgi/statuswml.c
+@@ -239,6 +239,7 @@ int process_cgivars(void){
+ hostgroup_name="";
+ else
+ strcpy(hostgroup_name,variables[x]);
++ strip_html_brackets(hostgroup_name);
+
+ if(!strcmp(hostgroup_name,"all"))
+ show_all_hostgroups=TRUE;
+@@ -260,6 +261,7 @@ int process_cgivars(void){
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+ }
+
+ /* we found the service argument */
+@@ -276,6 +278,7 @@ int process_cgivars(void){
+ service_desc="";
+ else
+ strcpy(service_desc,variables[x]);
++ strip_html_brackets(service_desc);
+ }
+
+
+@@ -317,6 +320,7 @@ int process_cgivars(void){
+ ping_address="";
+ else
+ strcpy(ping_address,variables[x]);
++ strip_html_brackets(ping_address);
+ }
+
+ /* we found the traceroute argument */
+@@ -333,6 +337,7 @@ int process_cgivars(void){
+ traceroute_address="";
+ else
+ strcpy(traceroute_address,variables[x]);
++ strip_html_brackets(traceroute_address);
+ }
+
+ }
diff --git a/net/nagios-base/patches/patch-ar b/net/nagios-base/patches/patch-ar
new file mode 100644
index 00000000000..8fb9cca1507
--- /dev/null
+++ b/net/nagios-base/patches/patch-ar
@@ -0,0 +1,12 @@
+$NetBSD: patch-ar,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/statuswrl.c.orig 2006-03-27 17:38:06.000000000 +0200
++++ cgi/statuswrl.c
+@@ -239,6 +239,7 @@ int process_cgivars(void){
+ host_name="all";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ if(!strcmp(host_name,"all"))
+ show_all_hosts=TRUE;
diff --git a/net/nagios-base/patches/patch-as b/net/nagios-base/patches/patch-as
new file mode 100644
index 00000000000..069f8e4f70c
--- /dev/null
+++ b/net/nagios-base/patches/patch-as
@@ -0,0 +1,28 @@
+$NetBSD: patch-as,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/summary.c.orig 2006-03-21 22:31:46.000000000 +0100
++++ cgi/summary.c
+@@ -1135,6 +1135,7 @@ int process_cgivars(void){
+ target_hostgroup_name="";
+ else
+ strcpy(target_hostgroup_name,variables[x]);
++ strip_html_brackets(target_hostgroup_name);
+
+ if(!strcmp(target_hostgroup_name,"all"))
+ show_all_hostgroups=TRUE;
+@@ -1157,6 +1158,7 @@ int process_cgivars(void){
+ target_servicegroup_name="";
+ else
+ strcpy(target_servicegroup_name,variables[x]);
++ strip_html_brackets(target_servicegroup_name);
+
+ if(!strcmp(target_servicegroup_name,"all"))
+ show_all_servicegroups=TRUE;
+@@ -1179,6 +1181,7 @@ int process_cgivars(void){
+ target_host_name="";
+ else
+ strcpy(target_host_name,variables[x]);
++ strip_html_brackets(target_host_name);
+
+ if(!strcmp(target_host_name,"all"))
+ show_all_hosts=TRUE;
diff --git a/net/nagios-base/patches/patch-at b/net/nagios-base/patches/patch-at
new file mode 100644
index 00000000000..69ccb1ca57b
--- /dev/null
+++ b/net/nagios-base/patches/patch-at
@@ -0,0 +1,20 @@
+$NetBSD: patch-at,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/trends.c.orig 2006-03-21 22:31:47.000000000 +0100
++++ cgi/trends.c
+@@ -1207,6 +1207,7 @@ int process_cgivars(void){
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ display_type=DISPLAY_HOST_TRENDS;
+ }
+@@ -1224,6 +1225,7 @@ int process_cgivars(void){
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+
+ display_type=DISPLAY_SERVICE_TRENDS;
+ }
diff --git a/net/nagios-base/patches/patch-au b/net/nagios-base/patches/patch-au
new file mode 100644
index 00000000000..3796b7cd294
--- /dev/null
+++ b/net/nagios-base/patches/patch-au
@@ -0,0 +1,33 @@
+$NetBSD: patch-au,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/cgiutils.c.orig 2006-05-20 20:37:29.000000000 +0200
++++ cgi/cgiutils.c
+@@ -1393,6 +1393,28 @@ char * html_encode(char *input){
+ }
+
+
++ /* strip > and < from string */
++ void strip_html_brackets(char *buffer){
++ register int x;
++ register int y;
++ register int z;
++
++ if(buffer==NULL || buffer[0]=='\x0')
++ return;
++
++ /* remove all occurances in string */
++ z=(int)strlen(buffer);
++ for(x=0,y=0;x<z;x++){
++ if(buffer[x]=='<' || buffer[x]=='>')
++ continue;
++ buffer[y++]=buffer[x];
++ }
++ buffer[y++]='\x0';
++
++ return;
++ }
++
++
+
+ /* determines the log file we should use (from current time) */
+ void get_log_archive_to_use(int archive,char *buffer,int buffer_length){
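Review bot: No file in this commit adds a prototype for `strip_html_brackets()`, so unless a header outside this diff already declares it, every CGI that calls it relies on an implicit declaration for a function that returns `void`. Adding `void strip_html_brackets(char *buffer);` next to the declaration of `html_encode()` would let the compiler check the calls. Inside the function, `z=(int)strlen(buffer)` narrows a `size_t`; `size_t` indices would avoid the cast. The comment should read `/* remove all occurrences in string */`.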