1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
Index: src/libs/zbxsysinfo/sysinfo.c
===================================================================
--- src/libs/zbxsysinfo/sysinfo.c (revision 40348)
+++ src/libs/zbxsysinfo/sysinfo.c (working copy)
@@ -427,13 +427,49 @@
test_aliases();
}
+static int zbx_check_user_parameter(const char *param, char *error, int max_error_len)
+{
+ const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@\n", *c;
+ char *buf = NULL;
+ size_t buf_alloc = 128, buf_offset = 0;
+
+ if (0 != CONFIG_UNSAFE_USER_PARAMETERS)
+ return SUCCEED;
+
+ for (c = suppressed_chars; '\0' != *c; c++)
+ {
+ if (NULL == strchr(param, *c))
+ continue;
+
+ buf = zbx_malloc(buf, buf_alloc);
+
+ for (c = suppressed_chars; '\0' != *c; c++)
+ {
+ if (c != suppressed_chars)
+ zbx_strcpy_alloc(&buf, &buf_alloc, &buf_offset, ", ");
+
+ if (0 != isprint(*c))
+ zbx_chrcpy_alloc(&buf, &buf_alloc, &buf_offset, *c);
+ else
+ zbx_snprintf_alloc(&buf, &buf_alloc, &buf_offset, "0x%02x", *c);
+ }
+
+ zbx_snprintf(error, max_error_len, "special characters \"%s\" are not allowed in the parameters", buf);
+
+ zbx_free(buf);
+
+ return FAIL;
+ }
+
+ return SUCCEED;
+}
+
static int replace_param(const char *cmd, const char *param, char *out, int outlen, char *error, int max_error_len)
{
int ret = SUCCEED;
char buf[MAX_STRING_LEN];
char command[MAX_STRING_LEN];
char *pl, *pr;
- const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@", *c;
assert(out);
@@ -465,25 +501,10 @@
{
get_param(param, (int)(pr[1] - '0'), buf, sizeof(buf));
- if (0 == CONFIG_UNSAFE_USER_PARAMETERS)
- {
- for (c = suppressed_chars; '\0' != *c; c++)
- {
- if (NULL != strchr(buf, *c))
- {
- zbx_snprintf(error, max_error_len, "Special characters '%s'"
- " are not allowed in the parameters",
- suppressed_chars);
- ret = FAIL;
- break;
- }
- }
- }
+ if (SUCCEED != (ret = zbx_check_user_parameter(buf, error, max_error_len)))
+ break;
}
- if (FAIL == ret)
- break;
-
zbx_strlcat(out, buf, outlen);
outlen -= MIN((int)strlen(buf), (int)outlen);
|