Module: check_mk
Branch: master
Commit: e015a1c4c9946c843adaf9a29810736cfa3d5ef6
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=e015a1c4c9946c…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Nov 20 09:15:37 2013 +0100
Added option to make HTML escape in plugin outputs configurable
It is now possible to disable the HTML escaping in plugin outputs and
log messages. This is useful if one really wants to use HTML codes
provided by check plugins or log messages. Disabling the escaping
makes it possible to inject HTML / script code into multisite, so
be careful.
---
.werks/215 | 12 ++++++++++++
ChangeLog | 1 +
web/htdocs/lib.py | 13 +++++++++----
web/plugins/config/builtin.py | 3 +++
web/plugins/wato/check_mk_configuration.py | 13 +++++++++++++
5 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/.werks/215 b/.werks/215
new file mode 100644
index 0000000..e499a5f
--- /dev/null
+++ b/.werks/215
@@ -0,0 +1,12 @@
+Title: Added option to make HTML escape in plugin outputs configurable
+Level: 1
+Component: multisite
+Version: 1.2.3i7
+Date: 1384935234
+Class: feature
+
+It is now possible to disable the HTML escaping in plugin outputs and
+log messages. This is useful if one really wants to use HTML codes
+provided by check plugins or log messages. Disabling the escaping
+makes it possible to inject HTML / script code into multisite, so
+be careful.
diff --git a/ChangeLog b/ChangeLog
index 34f8ef8..466a33b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -27,6 +27,7 @@
* 0001 New filters for selecting several host/service-groups at once...
* 0050 New concept of favorite hosts and services plus matching filters and views...
* 0211 GUI Notify: Added notify method "popup" to really create popup
windows...
+ * 0215 Added option to make HTML escape in plugin outputs configurable...
* 0043 FIX: LDAP: Improved error reporting during synchronisation...
* 0044 FIX: LDAP: Fixed error with empty groups during non nested group sync...
* 0045 FIX: LDAP: Fixed error when synchronizing non nested groups to roles
diff --git a/web/htdocs/lib.py b/web/htdocs/lib.py
index 12929cb..43d9808 100644
--- a/web/htdocs/lib.py
+++ b/web/htdocs/lib.py
@@ -245,7 +245,11 @@ def paint_host_list(site, hosts):
return "", h
def format_plugin_output(output, row = None):
- output = html.attrencode(output).replace("(!)", warn_marker) \
+ import config
+ if config.escape_plugin_output:
+ output = html.attrencode(output)
+
+ output = output.replace("(!)", warn_marker) \
.replace("(!!)", crit_marker) \
.replace("(?)", unknown_marker)
if row and "[running on" in output:
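Review bot: The new branch on `if config.escape_plugin_output:` makes format_plugin_output return the raw plugin text as HTML whenever the option is off, and nothing in the function itself tells a caller that it may now be handing back unescaped, browser-rendered markup. I would add above the new `if`: `# With escape_plugin_output disabled the plugin text is returned as-is and rendered as HTML by the browser, so every check plugin and log source is trusted to emit safe markup.` The function-scope `import config` on the line after the signature looks deliberate (presumably to avoid an import cycle with config) rather than accidental; a short `# local import: avoids a cycle with config` would make that explicit, or it should move to the module's import block if no cycle exists. format_plugin_output continues past the end of this hunk.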
@@ -255,9 +259,10 @@ def format_plugin_output(output, row = None):
css, h = paint_host_list(row["site"], hosts)
output = output[:a] + "running on " + h + output[e+1:]
- output =
re.sub("http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+",
- lambda p: '<a href="%s">%s</a>' %
- (p.group(0), len(p.group(0)) > 40 and p.group(0)[:40] +
"..." or p.group(0)), output)
+ if config.escape_plugin_output:
+ output =
re.sub("http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+",
+ lambda p: '<a href="%s">%s</a>' %
+ (p.group(0), len(p.group(0)) > 40 and p.group(0)[:40] +
"..." or p.group(0)), output)
return output
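Review bot: When escaping is disabled the URL auto-linking (`re.sub(...)`) is now skipped as well, so plugin output that carries a bare URL loses its clickable link; neither the commit message nor the WATO help text mentions this side effect. If the intent is that unescaped output is taken as ready-made HTML (auto-linking would otherwise also rewrite URLs already inside an href attribute), a comment on the new `if` should say so: `# Unescaped output is treated as ready-made HTML: do not auto-link URLs, they may already be part of markup.` If that is not the intent, the guard should be dropped and only the attrencode call conditioned on the option. The start of format_plugin_output lies before this hunk.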
diff --git a/web/plugins/config/builtin.py b/web/plugins/config/builtin.py
index 6d23c08..c5a3b1a 100644
--- a/web/plugins/config/builtin.py
+++ b/web/plugins/config/builtin.py
@@ -202,6 +202,9 @@ pagetitle_date_format = None
# appear in a stale state
staleness_threshold = 1.5
+# Escape HTML in plugin output / log messages
+escape_plugin_output = True
+
# _ _ ____ ____
# | | | |___ ___ _ __| _ \| __ )
# | | | / __|/ _ \ '__| | | | _ \
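Review bot: The comment above the new `escape_plugin_output = True` default only names the setting, while this is the one switch whose False value lets markup and script from plugins and log messages render in Multisite, as the commit message states. A reader of builtin.py does not see the WATO help text, so the risk should be stated here too, e.g. `# Escape HTML in plugin output / log messages. Keep True unless every check plugin and log source is trusted: False renders their markup (including script) in the browser.`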
diff --git a/web/plugins/wato/check_mk_configuration.py
b/web/plugins/wato/check_mk_configuration.py
index a4e2ec0..d7229e0 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -216,6 +216,19 @@ register_configvar(group,
domain = "multisite")
register_configvar(group,
+ "escape_plugin_output",
+ Checkbox(title = _("Escape HTML codes in plugin output"),
+ label = _("Prevent loading HTML from plugin output or log
messages"),
+ help = _("By default, for security reasons, Multisite does not
interpret any HTML "
+ "code received from external sources, like plugin output or
log messages. "
+ "If you are really sure what you are doing and need to have
HTML codes, like "
+ "links rendered, disable this option. Be aware, you might open
the way "
+ "for several injection attacks."),
+ default_value = True),
+ domain = "multisite")
+
+
+register_configvar(group,
"multisite_draw_ruleicon",
Checkbox(title = _("Show icon for WATO parameter editor"),
label = _("Show WATO icon"),