[Nagiosplug-devel] taint checking for core perl plugins

Karl DeBisschop karl at debisschop.net
Fri Mar 14 05:29:02 CET 2003


Here is our current taint checking idiom (from check_ntp, but IIRC most
others are similar)

	($opt_w) || ($opt_w = $DEFAULT_OFFSET_WARN);
	my $owarn = $1 if ($opt_w =~ /([0-9.]+)/);

I think if the user passes an argument in but taint checking fails, then
the target variable ($owarn in this case) never gets defined.

I'm committing a patch to check_ntp that fixes this as follows:

	$owarn = $DEFAULT_OFFSET_WARN;
	($opt_w) && ($opt_w =~ /^([0-9.]+)$/) && ($owarn = $1);

I came across this by accident (I noticed that you could not set
timeout, so I was adding that option). So I'm only committing check_ntp
now.

I'll allow others to comment on my replacement code before I commit
changes to the rest of the core perl plugins.

--
Karl
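
[Added example, not part of the original message or of the plugin source.] The two idioms from the message, side by side on constructed inputs, to show where they diverge. The default value, the sub names and the sample inputs are assumptions made for this example; it runs without -T, since the point is the control flow around the untainting regex.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $DEFAULT_OFFSET_WARN = 60;    # constructed value for this example

# Idiom quoted first in the message: unanchored match, assigned only on success.
sub old_idiom {
    my ($opt_w) = @_;
    ($opt_w) || ($opt_w = $DEFAULT_OFFSET_WARN);
    # Declared on its own line here: perlsyn documents "my $x ... if COND"
    # as undefined behaviour. The outcome on a failed match is the same: undef.
    my $owarn;
    $owarn = $1 if ($opt_w =~ /([0-9.]+)/);
    return $owarn;
}

# Replacement from the message: default first, anchored match overrides it.
sub new_idiom {
    my ($opt_w) = @_;
    my $owarn = $DEFAULT_OFFSET_WARN;
    ($opt_w) && ($opt_w =~ /^([0-9.]+)$/) && ($owarn = $1);
    return $owarn;
}

# Constructed sample inputs: [label, value as it would arrive from -w]
my @cases = (
    [ 'unset',          undef    ],
    [ 'valid',          '0.5'    ],
    [ 'no digits',      'abc'    ],
    [ 'digits in junk', 'x10;id' ],
    [ 'literal zero',   '0'      ],   # "0" is false in Perl, so both idioms treat it as unset
);

for my $c (@cases) {
    my ($label, $in) = @$c;
    my $old = old_idiom($in);
    my $new = new_idiom($in);
    printf "%-15s in=%-8s old=%-7s new=%s\n",
        $label,
        defined $in  ? "'$in'" : 'undef',
        defined $old ? $old    : 'undef',
        $new;
}
```

The "digits in junk" row is the security-relevant difference: the unanchored pattern untaints the substring 10 out of a malformed argument, while the anchored pattern rejects the whole value and keeps the default. The "no digits" row is the case described in the message, where the old idiom leaves $owarn undefined.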




