external script, nasty characters & argument injection
Hello,
I defined a command in the "[/settings/external scripts/scripts]" section that uses a binary, check-ping.exe:
check_ping = bin/check-ping.exe /host '$ARG1$'
I set the parameter "allow nasty characters" to false in the category "[/settings/external scripts]",
but I can pass this kind of command:
./check_nrpe -H X.X.X.X -c check_ping -a "google.fr' || echo coucou ||'''"
coucou
Can you check whether the option "allow nasty characters" is functional for external scripts?
Regards
Actually, the NRPE server uses its own settings for those things, e.g.:
[/settings/NRPE/server]
allow nasty characters = false
allow arguments = true
Then it works as expected.
/usr/lib/nagios/plugins/check_nrpe -H localhost -c check_ping -a "google.fr' || echo coucou ||'''"
Exception processing request: Request contained illegal characters (check the allow nasty characters option).
So check your NRPE section to see what's configured there. Right now the settings from [/settings/external scripts/scripts] are not used for NRPE.
Thanks for the reply, it works.
So in what context does "allow nasty characters" work in the "[/settings/external scripts/scripts]" section?
Thanks
Right now probably not at all. But it might be a good idea to use them together with the settings from the NRPE/Web section.
I misread the issue: your check_ping is not the internal check_ping check, but a custom external script, right? Because the internal check_ping does check for nasty characters.
So if it is an external script, then indeed the nasty character settings from [/settings/external scripts] should be used.
I reworked all the nasty character handling, so it will use the settings from [/settings/external scripts] as well as from [/settings/NRPE/server] or [/settings/WEB/server] depending on your entry point.
Thanks for bringing this to our attention. I'd say this is fixed now.
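
Added example, not part of the thread and not the project's own code: a Python model of the combined check described in the last reply, where an external script's arguments must pass both the entry-point section and [/settings/external scripts]. The function names, the `combine` switch, the sample configuration and the nasty character set (modelled on NRPE's) are assumptions made for illustration.

```python
import configparser

# Assumption: this character set is modelled on NRPE's NASTY_METACHARS;
# the thread itself never lists which characters count as nasty.
NASTY_CHARS = "|`&><'\"\\[]{};\r\n"
EXT = "/settings/external scripts"
NRPE = "/settings/NRPE/server"

# Constructed config: the filter is off at the NRPE entry point and on
# for external scripts, the mismatch the thread is about.
SAMPLE_INI = """
[/settings/NRPE/server]
allow arguments = true
allow nasty characters = true

[/settings/external scripts]
allow arguments = true
allow nasty characters = false

[/settings/external scripts/scripts]
check_ping = bin/check-ping.exe /host '$ARG1$'
"""

def load(text):
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    return cfg

def check_request(cfg, entry, command, args, combine=True):
    """Return (allowed, reason). combine=False consults only the entry point."""
    sections = [entry]
    if combine and cfg.has_option(EXT + "/scripts", command):
        sections.append(EXT)  # external script: its own section applies too
    for sec in sections:
        if args and not cfg.getboolean(sec, "allow arguments", fallback=False):
            return False, f"{sec}: arguments not allowed"
        if not cfg.getboolean(sec, "allow nasty characters", fallback=False):
            bad = sorted({c for a in args for c in a if c in NASTY_CHARS})
            if bad:
                return False, f"{sec}: illegal characters {''.join(bad)}"
    return True, "ok"

if __name__ == "__main__":
    cfg = load(SAMPLE_INI)
    payload = "google.fr' || echo coucou ||'''"  # argument from the first post
    for combine in (False, True):
        print(combine, check_request(cfg, NRPE, "check_ping", [payload], combine))
    print(check_request(cfg, NRPE, "check_ping", ["google.fr"]))
```

With `combine=False` only the entry-point section is consulted, which is the behaviour the first reply describes; the default applies both sections, so the stricter setting wins.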