Well this was pretty ugly.
Three distinct problems:
- criticaleditor should only be rejecting based on POSTs
- criticalview is a regular CGI, not a secure one
- ackinfo wasn't allowing ack submission directly from svcstatus POSTs
#3 is my fault -- I actually was not aware that the NK feature placed the form in that spot.
The attached patch seems to fix all three of these issues for me. I'd appreciate it if y'all could test.
Regards, -jc
On Thu, March 3, 2016 7:57 am, Richard Hamilton wrote:
With different paths (e.g. /export/home/xymon/cgi-secure/...) on Solaris 11 (SPARC), I'm seeing the criticaleditor.sh issue too; nothing of consequence differs from the existing and the newly supplied xymon-apache.conf, so that's not it.
I'm all green/clear right now, so I don't have anything to acknowledge and try that, I guess. :-)
Aside from an rcsid[] line, I don't see any difference in cgiwrap.c or criticaleditor.c between 4.3.25 and 4.3.26; going back to 4.3.24, there are definitely differences.
Just for the heck of it, I compiled 4.3.24, moved over server/bin/criticaleditor.cgi to save it under a different name, and dropped in the 4.3.24 version of it. The page then came up without the redirect problem! I did _not_ attempt editing anything, just in case the stored data format might have been changed/upgraded. Note: I didn't even replace cgiwrap or the link to it with the old one, just the actual criticaleditor.cgi binary.
So something between 4.3.24 and 4.3.26 broke it - probably something in criticaleditor.c.
On Thu, Mar 3, 2016 at 8:19 AM, Axel Beckert <beckert at phys.ethz.ch> wrote:
Hi,
On Sun, Feb 28, 2016 at 08:24:33PM +0000, Guðmundur Freyr Hafsteinsson wrote:
Everything is working except the criticaleditor.sh link under administrator, which gives me the following errors in the logs (masked my ips):
[error] [client Y.Y.Y.Y] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://X.X.X.X/xymon/xymon.html
The features that are currently using the same xymonpasswd file do work properly: enadis.sh acknowledge.sh
I can add ackinfo.sh to the list of misbehaving CGI scripts:
When I view e.g. https://xymon .<domain>/xymon-cgi/svcstatus.sh?HOST=<somehost>&SERVICE=<someservice>&NKPRIO=1&NKTTGROUP=&NKTTEXTRA= and fill out the acknowledge form on top, it does a POST request to https://xymon.<domain>/xymon-seccgi/ackinfo.sh, but since recently this returns a "404 Not Found", interestingly with the text "The requested URL /xymon-seccgi/criticalview.sh was not found on this server." (i.e. criticalview.sh instead of ackinfo.sh).
In the apache error log, this causes lines like this one:
[Thu Mar 03 14:16:16.673425 2016] [cgid:error] [pid 2311:tid 140260545623808] [client <ip>:52929] AH01264: script not found or unable to stat: /usr/lib/xymon/cgi-secure/criticalview.sh, referer: https://xymon .<domain>/xymon-cgi/svcstatus.sh?HOST=<somehost>&SERVICE=<someservice>&NKPRIO=1&NKTTGROUP=&NKTTEXTRA=
/usr/lib/xymon/cgi-secure/criticalview.sh indeed does not exists, but /usr/lib/xymon/cgi-secure/ackinfo.sh does exist.
(Regarding the paths: I'm using the official Debian packages as this is my server to test them.)
Kind regards, Axel Beckert-- Axel Beckert <beckert at phys.ethz.ch> support: +41 44 633 26 68 IT Services Group, HPT H 6 voice: +41 44 633 41 89 Departement of Physics, ETH Zurich CH-8093 Zurich, Switzerland http://nic.phys.ethz.ch/
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon