Bug in showlog.cgi when returning to current log

NagiosEnterprises / nagioscore

Nagios Core

GNU General Public License v2.0

1.53k stars 445 forks source link

Bug in showlog.cgi when returning to current log #906

Closed mtnielsen closed 1 year ago

mtnielsen commented 1 year ago

Nagios Core 4.4.9

Select Event Log from the navigation menu Go back 1 log Go forward 1 log Error: "Bad Request"

As far as I can tell, the issue stems from

https://github.com/NagiosEnterprises/nagioscore/blob/master/cgi/showlog.c#L92

This bit adds an unconditional ? to the URL passed to display_nav_table(...)

When the URL is /nagios/cgi-bin/showlog.cgi everything is fine. When the URL is /nagios/cgi-bin/showlog.cgi? it explodes.

I'm not comfortable enough with C to fix it.

ericloyd commented 1 year ago

There seems to be a lot of these type of nav errors. I think the intention was that you would always use the menu elements to go forward or backward, not the browser controls. I'd love to see them all fixed.

mtnielsen commented 1 year ago

No browser controls were used. It's all Nagios navigation buttons.

sawolf commented 1 year ago

Hi @mtnielsen, thanks for reaching out. I probably won't have this done for 4.4.11 (going out today), but I'll see if I can get this fixed for 4.4.12.

sawolf commented 1 year ago

I wasn't able to reproduce this issue (neither on 4.4.9 nor on the latest commits in master, and regardless of whether I used the navigation buttons or manually edited the URL). I also don't see a place in any of the CGIs where we'll intentionally return a 400 error (though I could have missed it).

My questions to you are:

what distribution are you using?
do you still see this problem after upgrading to the latest version of Nagios Core?
can you reproduce this from a fresh install?

mtnielsen commented 1 year ago

I did some follow up and it turns out nginx is removing the empty query string when passing along the request, which in turn causes a uri mismatch in httpd.

I circumvented the proxy and couldn't reproduce the issue when connecting directly to the host.

I'm not sure what the correct behavior is supposed to be here. Is Nagios at fault for producing an empty query string? Is nginx at fault for removing the empty query string? Or is httpd at fault for complaining about a uri mismatch? Or is it perhaps Chrome's fault?

I'll have to investigate this tomorrow, but for the time being it doesn't look like Nagios' fault.

sawolf commented 1 year ago

Thanks for the follow-up. I'm going to treat this as fixed for now, but if you think there's something nagios should do differently, feel free to reopen this or open a new issue.