[icinga-checkins] icinga.org: icinga-core/next: classic-ui: fixed JSON output is insufficiently escaped #3541

git at icinga.org git at icinga.org
Fri Feb 1 23:26:17 CET 2013


Module: icinga-core
Branch: next
Commit: e8b715af46ffff884126ebc79057c5544986d2e4
URL:    https://git.icinga.org/?p=icinga-core.git;a=commit;h=e8b715af46ffff884126ebc79057c5544986d2e4

Author: Ricardo Bartels <ricardo at bitchbrothers.com>
Date:   Mon Jan 21 21:33:39 2013 +0100

classic-ui: fixed JSON output is insufficiently escaped #3541

refs: #3541

now backslash gets escaped and all control characters get stripped.

---

 Changelog      |    1 +
 cgi/cgiutils.c |   10 +++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/Changelog b/Changelog
index 58e7793..49b5a86 100644
--- a/Changelog
+++ b/Changelog
@@ -56,6 +56,7 @@ FIXES
 * classic ui: fixed Warning and Unknown States are mixed up in Alert Summary Report #3488 - RB
 * classic ui: fixed extinfo.cgi shows localtime(0) instead of "NOT SET" when global notifications are not set to expire #3482 - RB
 * classic ui: fixed CGIs generating invalid html code/ json when throwing error #3507 - RB
+* classic ui: fixed JSON output is insufficiently escaped #3541 - RB
 
 * docs: add missing cmd_mod description in cgi params #3438 - MF
 * docs: search_string as cgi GET param works also for status.cgi #3451 - MF
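Review bot: the added entry `* classic ui: fixed JSON output is insufficiently escaped #3541 - RB` records the escaping fix but not that control characters are now removed from the JSON output. That is a visible behaviour change for anything consuming the CGI output, so the entry should say so.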
diff --git a/cgi/cgiutils.c b/cgi/cgiutils.c
index 4f57cbf..73e2044 100644
--- a/cgi/cgiutils.c
+++ b/cgi/cgiutils.c
@@ -3183,16 +3183,20 @@ char *json_encode(char *input) {
 
 	for (i = 0, j = 0; i < len; i++) {
 
-		/* escape quotes */
-		if ((char)input[i] == (char)'"') {
+		/* escape quotes and backslashes */
+		if ((char)input[i] == (char)'"' || (char)input[i] == (char)'\\') {
 			encoded_string[j++] = '\\';
 			encoded_string[j++] = input[i];
 
-			/* escape newlines */
+		/* escape newlines */
 		} else if ((char)input[i] == (char)'\n') {
 			encoded_string[j++] = '\\';
 			encoded_string[j++] = 'n';
 
+		/* ignore control caracters */
+		} else if (input[i] < 32 || input[i] == 127) {
+			continue;
+
 		} else
 			encoded_string[j++] = input[i];
 	}
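Review bot: in the new branch `else if (input[i] < 32 || input[i] == 127)`, `input` is a plain `char *`, so on platforms where `char` is signed every byte of 0x80 and above compares as negative and is dropped together with the control characters. That would strip all multi-byte UTF-8 text from the encoded string. Compare as unsigned instead, for example `(unsigned char)input[i] < 32`. Separately, this branch discards tab and carriage return rather than emitting `\t` and `\r` (or a `\u00XX` escape), so the output silently differs from the input; if that loss is intended, say so in the function's comment. The new comment also has a typo: "caracters" should be "characters".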




