/******************************************
*
* GETCGI.C - Nagios CGI Input Routines
*
* Last Modified: 05-15-2006
*
*****************************************/
#include "../include/config.h"
#include "../include/getcgi.h"
#include <stdio.h>
#include <stdlib.h>
#undef PARANOID_CGI_INPUT
/* Strip shell/HTML metacharacters from CGI input that is never needed.
 *
 * cgivars: NULL-terminated array of writable strings, edited in place.
 *
 * The pass below would drop ';', '|', '&', '<' and '>' (and additionally
 * '/' and '\\' when PARANOID_CGI_INPUT is defined) from every string,
 * compacting each one in place.  It is currently disabled by the
 * unconditional return at the top, so the function is a no-op and the
 * strings are passed through untouched. */
void sanitize_cgi_input(char **cgivars){
	int i;

	/* stripping is currently switched off - input is passed through unchanged */
	return;

	for(i=0;cgivars[i]!=NULL;i++){
		char *s=cgivars[i];
		int in,out=0;

		for(in=0;s[in]!='\x0';in++){
			switch(s[in]){
			/* characters that are never wanted in CGI input: dropped */
			case ';':
			case '|':
			case '&':
			case '<':
			case '>':
				break;
#ifdef PARANOID_CGI_INPUT
			case '/':
			case '\\':
				break;
#endif
			default:
				/* everything else is kept, shifted down over any dropped bytes */
				s[out++]=s[in];
				break;
			}
		}
		s[out]='\x0';
	}

	return;
}
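/* Map one ASCII hex digit ('0'-'9', 'a'-'f', 'A'-'F') to its value 0-15,
 * or -1 when c is not a hex digit.  Locale-independent, unlike isxdigit(). */
static int hex_digit_value(char c){
	if(c>='0' && c<='9')
		return c-'0';
	if(c>='a' && c<='f')
		return c-'a'+10;
	if(c>='A' && c<='F')
		return c-'A'+10;
	return -1;
}

/* Decode a two-character hex escape (the "XX" following '%' in CGI input)
 * to the byte it represents.
 *
 * input:   pointer at the first hex digit; must be a valid C string from
 *          that point on (at least the terminator after the first byte).
 * returns: the decoded byte, or '\0' when input is NULL, empty, or does not
 *          start with a hex digit.  When only the first character is a hex
 *          digit its value alone is returned ("7" -> 7, "1z" -> 1), which is
 *          what the previous sscanf("%X") call produced for short/partial
 *          escapes.
 *
 * Why not sscanf("%X"): on a matching failure (e.g. "%zz") it left the result
 * variable uninitialised, and it also skips leading whitespace and accepts a
 * sign or "0x" prefix - none of which are valid inside a percent-encoded
 * string.  Parsing the two digits by hand gives a defined result for every
 * possible input. */
unsigned char hex_to_char(char *input){
	int hi,lo;
	unsigned int outint;

	/* NULL or empty string */
	if(input==NULL || input[0]=='\x0')
		return '\x0';

	hi=hex_digit_value(input[0]);
	if(hi<0)
		return '\x0';

	/* input[0] is a non-NUL hex digit, so input[1] is at worst the terminator */
	lo=hex_digit_value(input[1]);
	if(lo<0)
		return (unsigned char)hi;

	outint=((unsigned int)hi<<4)|(unsigned int)lo;

	/* only convert "normal" ASCII characters - we don't want the rest. Normally you would
	   convert all characters (i.e. for allowing users to post binary files), but since we
	   aren't doing this, stay on the cautious side of things and reject outsiders... */
#ifdef PARANOID_CGI_INPUT
	if(outint<32 || outint>126)
		outint=0;
#endif

	return (unsigned char)outint;
}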
/* unescape hex characters in CGI input */
void unescape_cgi_input(char *input){
int x,y;
int len;
if(input==NULL)
return;
len=strlen(input);
for(x=0,y=0;x<len;x++,y++){
if(input[x]=='\x0')
break;
else if(input[x]=='%'){
input[y]=hex_to_char(&input[x+1]);
x+=2;
}