Hi Bernard.  Yes, this makes sense to me.  One suggested change
inline below...

alex

Quoting Bernard Li <[EMAIL PROTECTED]>:

> Hi Alex:
>
> Looks like we need to re-visit the XSS patches again.  It looks like
> some changes are preventing gridwalk from working.
>
> In the following two patches:
>
> http://ganglia.svn.sourceforge.net/viewvc/ganglia/branches/monitor-core-3.0-beta/web/get_context.php?r1=905&r2=904&pathrev=905
> http://ganglia.svn.sourceforge.net/viewvc/ganglia/branches/monitor-core-3.0-beta/web/header.php?r1=905&r2=904&pathrev=905
>
> Specifically on $gridstack.
>
> You changed the explosion string from ">" to ":" probably because ">"
> will get converted when you run clean_string() on
> rawurldecode($_GET["gs"]).  However, gs is in the form
> "[EMAIL PROTECTED]>[EMAIL PROTECTED]" where "url" includes "http://" and thus
> using ":" as the explosion string wouldn't work here.
>
> Instead of the changes you made, I suggest that we change the
> explosion string back to ">" but instead of running clean_string() on
> the entire rawurldecode($_GET["gs"]) array, I suggest we drill down
> and run clean_string() on each element.  The following patch against
> get_context.php is what I mean:
>
> Index: get_context.php
> ===================================================================
> --- get_context.php     (revision 1139)
> +++ get_context.php     (working copy)
> @@ -43,10 +43,13 @@
>      escapeshellcmd($_GET["z"]) : NULL;
>  # A stack of grid parents. Prefer a GET variable, default to cookie.
>  if (isset($_GET["gs"]) and $_GET["gs"])
> -      $gridstack = explode(":", clean_string(   
> rawurldecode($_GET["gs"] ) ) );
> +      $gridstack = explode(">", rawurldecode($_GET["gs"] ) );
>  else
> -      $gridstack = explode(":", clean_string( $_COOKIE["gs"] ) );
> +      $gridstack = explode(">", $_COOKIE["gs"] );
>
> +foreach ($gridstack as $gp)
> +   $gp = clean_string($gp);
> +

foreach works on a copy of the array, so this code won't actually  
modify $gridstack.

You could do this instead:
foreach( $gridstack as $key=>$value ) {
   $gridstack[ $key ] = clean_string( $value );
}


>  # Assume we are the first grid visited in the tree if there are no
> CGI variables,
>  # or gridstack is not well formed. Gridstack always has at least   
> one element.
>  if (!count($_GET) or !strstr($gridstack[0], "http://";))
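
Review bot: the added loop at the end of the hunk, `foreach ($gridstack as $gp) $gp = clean_string($gp);`, assigns only to the loop variable, so no element of $gridstack is changed. Because the same hunk also removes clean_string() from both explode() calls, the "gs" value from GET or from the cookie is then used with no cleaning at all. Write the result back by key, `$gridstack[$key] = clean_string($value);` inside `foreach ($gridstack as $key => $value)`, so each element is cleaned after the split on ">". The else branch also reads $_COOKIE["gs"] without an isset() check; the condition above it only tests $_GET["gs"].
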
>
> Makes sense?
>
> Thanks,
>
> Bernard
>
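
The behaviour discussed in this message, as an added example that is not code from the thread or from Ganglia: it compares the by-value loop with the keyed write-back and shows why the split has to happen on ">" before cleaning. `clean_element()` is a hypothetical stand-in for `clean_string()` (whose body is not shown here), and the sample `gs` value is constructed.

```php
<?php
// Hypothetical stand-in for Ganglia's clean_string(): HTML-escape one element.
function clean_element($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Loop as written in the proposed patch: $gp is a copy of each element,
// so the array that is returned has not been cleaned.
function parse_gridstack_by_value($raw) {
    $stack = explode(">", rawurldecode($raw));
    foreach ($stack as $gp) {
        $gp = clean_element($gp);
    }
    return $stack;
}

// Keyed write-back, as suggested in the reply: every element is replaced
// by its cleaned form after the split.
function parse_gridstack($raw) {
    $stack = explode(">", rawurldecode($raw));
    foreach ($stack as $key => $value) {
        $stack[$key] = clean_element($value);
    }
    return $stack;
}

// Cleaning the whole string first escapes the ">" separator, so explode()
// can no longer find it and the stack collapses into a single element.
function parse_gridstack_clean_first($raw) {
    return explode(">", clean_element(rawurldecode($raw)));
}

// Constructed sample: two parents whose URLs include "http://"; the second
// carries a quote and an angle bracket that must not reach the page raw.
$gs = rawurlencode('http://a.example/ganglia/>http://b.example/?c="<b');

print_r(parse_gridstack_by_value($gs));
print_r(parse_gridstack($gs));
print_r(parse_gridstack_clean_first($gs));

// Splitting on ":" instead cuts every "http://" URL apart at the scheme.
print_r(explode(":", rawurldecode($gs)));
```
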



_______________________________________________
Ganglia-developers mailing list
Ganglia-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ganglia-developers
