Variable $SERVICEOUTPUT$ is not sanitized

[TomaszUrugOlszewski]

Hello,

Shinken variable $SERVICEOUTPUT$ which is used as parameter for command notify-service-by-email is not sanitized, and signs like " (inverted comma) are passed without escaping.

Because of above behavior, default notification command notify-service-by-email can fail very easily.

For example using standard nagios plugin /usr/lib/nagios/plugins/check_http which returns string in "" when used with -e parameter

HTTP OK: Status line output matched "HTTP/1.1 200 OK" - 559 bytes in 0.090 second response time |time=0.089884s;;;0.000000 size=559B;;;0

And of course error message from logs (I removed beggining)

,,OK,,HTTP OK: Status line output matched "HTTP/1.1 200 OK" - 6496 bytes in 0.109 second response time,,00h 00m 00s"' raised an error (exit code=1): 'Traceback (most recent call last)

Error message is

Traceback (most recent call last):
  File "/var/lib/shinken/libexec/notify_by_email.py", line 323, in <module>
    'Service duration': macros[3]
IndexError: list index out of range

[naparuba]

Thanks for reporting.

[lmarket]

If i used $SERVICEOUTPUT$ in my commands.cfg file for eventhandler, the script does not start

is it the same issue ? in shinken 2.4.2

the script work when i removed $SERVICEOUTPUT$ form commands.cfg

i try $LONGSERVICEOUTPUT$ but the same

[Orabig]

This issue is indeed critical, as there are 2 forbidden character in plugin output : " (quotation mark) and , (comma).

The workaround for me was to change each and every plugins for me with the following critical() function :

sub critical {
	$_="@_";
	y/,"/;'/;      # notify_by_email.py don't access these characters
	print "CRITICAL : $_\n";
	exit 2;
}