[Xymon] Regex escaping in 'cont=' test

Ralph Mitchell ralphmitchell at gmail.com
Fri Oct 6 19:21:58 CEST 2017 

Did you try quoting the entire 'cont;URL;[expected_data]" string?

I just tried this:

192.168.1.4   xxxx.yyyy.com        #  "cont;http://xxxx.yyyy.com/test.html;<a
href=\x22foo/bar\x22>"

and the page source for the "info" column shows:

<tr><th align=left>Content checks:</th><td align=left>
<a href="http://xxxx.yyyy.com/test.html">http://xxxx.yyyy.com/test.html</a> 
must return '<a href="foo/bar">'<br>
</td></tr>

so you can see it picked up the whole  '<a href="foo/bar">' string.  The
test.html file on the server contains nothing but the opening and closing
html/body tags, and the match string.  If I change "foo" to "fod" in
test.html, the match fails and if I change the leading "<" to a comma, the
match also fails

      http://xxxx.yyyy.com/test.html - Testing URL yields:

      ,a href="foo/bar">

Ralph Mitchell


On Wed, Oct 4, 2017 at 4:55 PM, John Thurston <john.thurston at alaska.gov>
wrote:

> I'm fighting with the correct escaping and encoding for http content
> checks using the "cont=" tag:
>
> cont[=COLUMN];URL;[expected_data_regexp|#digesttype:digest]
>>   This tag is used to specify a http/https check, where it is also
>>   checked that specific content is present in the server response.
>>
> . . .
>
>>   The regex is pre-processed for backslash "\" escape sequences.  . .
>>
>
> I can't find the expression to match the string:
>    <a href="foo/bar">
> (Which I hope your email client isn't going to try to render as html!)
>
> The closest I can manage is:
>   a\x20href=\x22foo/bar\x22>
>
> Where \x20 is an ASCII space, and \x22 is a double-quote
>
> If I put a leading \x3D (which is an equal-sign), that renders in the
> search string and obviously doesn't match my supplied content. If, however,
> I put a leading \x3C (which is the less-than sign) the rest of the
> expression is eaten and is not rendered. I've tried leading the \x3C with
> \x5C (which is a backslash), with no effect.
>
> I also tried leading with \x5C\x78\x33\x43 (which is \x3C), which renders
> as such, but does not match my string.
>
> The upshot is, I can match enough of my string to be unique on my page.
> But it seems like something isn't right in the regex escaping and cleansing
> for this test. The supplied string should be accepted as a string, but the
> "<" seems to be interpreted during the parsing instead.
>
> Can anyone else find a way to use a "<" in the regex of the cont= test?
>
>
> --
>    Do things because you should, not just because you can.
>
> John Thurston    907-465-8591
> John.Thurston at alaska.gov
> Department of Administration
> State of Alaska
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20171006/9a8149e0/attachment.html>

More information about the Xymon mailing list