From 0f7b20ff39f2f155813510dc25f7b46074c6d34a Mon Sep 17 00:00:00 2001
From: Steve Kemp
Date: Mon, 19 Nov 2012 14:07:01 +0000
Subject: Ensure that hostnames used for ping-tests are valid - to avoid the security hole.
---
 lib/custodian/parser.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'lib/custodian/parser.rb')
diff --git a/lib/custodian/parser.rb b/lib/custodian/parser.rb
index 77adc48..ea25c3a 100644
--- a/lib/custodian/parser.rb
+++ b/lib/custodian/parser.rb
@@ -373,6 +373,16 @@ class MonitorConfig
 :timeout => @timeout
 }
+ #
+ # Sanity check the hostname for ping-tests, to
+ # avoid this security hole:
+ #
+ # $(/tmp/exploit.sh) must run ping ..
+ #
+ if ( service == "ping" )
+ raise ArgumentError, "Invalid hostname for ping-test: #{host}" unless( host =~ /^([a-zA-Z0-9:\-\.]+)$/ )
+ end
+
 #
 # Alert text will have a default, which may be overridden.
--
cgit v1.2.1
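Review bot: The new hostname check anchors its pattern with `^` and `$`, which in Ruby match at line boundaries, so a `host` value containing a newline passes as long as one of its lines is clean; `\A` and `\z` anchor the whole string. The character class also admits a value beginning with `-`, which ping would read as an option rather than a target. Both are covered by `unless host =~ /\A[a-zA-Z0-9:][a-zA-Z0-9:.\-]*\z/`. The enclosing method starts and ends outside the hunk and the ping invocation is not visible here; if it builds a shell string, an argument-array call that bypasses the shell would remove the injection class rather than filter it. A short comment stating that the allowlist is meant to cover hostnames plus IPv4 and IPv6 literals would also help the next reader.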