Cacti: official forums and support
All times are UTC - 5 hours

 Post subject: Nectar - runaway escaping of strings?
PostPosted: Thu Oct 22, 2015 8:58 am 
Cacti Guru User

Joined: Thu Sep 16, 2004 5:53 am
Posts: 5093
Location: United Kingdom
My Cacti installation has recently (maybe since the last upgrade) developed a new problem - every time I make a change to a Nectar report, all the strings are wrapped in single quotes (''). Then, if there are single quotes, they are wrapped with backslashes. Then the backslashes are wrapped in quotes...

So I have strange report titles like this:

Code:
'\\\'XX Monthly WAN Report\\\''


And it does the same with the e-mail addresses, which is obviously a bigger problem!

Any suggestions? This smells like part of Cacti's anti-XSS stuff going wrong.

Nectar 0.35a, Cacti 0.8.8e

_________________
Weathermap 0.98 is out! & QuickTree 0.2. Superlinks is over there now.
Some Other Cacti tweaks, including strip-graphs, icons and snmp/netflow stuff.
(Let me know if you have UK DevOps or Network Ops opportunities, too!)


 Post subject: Re: Nectar - runaway escaping of strings?
PostPosted: Mon Oct 26, 2015 10:58 am 
Joined: Fri Sep 14, 2012 6:57 pm
Posts: 10
I just built a fresh server with .8.8f and experienced the same problem.

The issue is that the ./lib/database.php changed the sql_sanitize function from:

function sql_sanitize($value) {
    // Old behaviour: only semicolons get a backslash, nothing is quoted
    $value = str_replace(";", "\;", $value);
    return $value;
}

to

function sql_sanitize($value) {
    global $cnn_id;
    // New behaviour: the database connection's qstr() returns the value already
    // wrapped in single quotes with embedded quotes and backslashes escaped, so
    // every save adds another layer on top of the string stored last time
    $value = $cnn_id->qstr($value);
    return $value;
}

As a quick fix I edited the plugins/nectar/nectar_webap.php and added the old code as:
function sql_sanitizeold($value) {
    // Copy of the old sql_sanitize(), kept in the plugin so core Cacti stays unmodified
    $value = str_replace(";", "\;", $value);
    return $value;
}

I then did a find/replace for sql_sanitize and changed it to sql_sanitizeold.

I'm not sure if the long-term fix is a change to the database.php code or to the nectar plugin. I'll let the powers that be sort that out.

Hope this helps.

Thanks,
Tom


 Post subject: Re: Nectar - runaway escaping of strings?
PostPosted: Fri Nov 06, 2015 11:56 am 
Cacti Guru User

Joined: Thu Sep 16, 2004 5:53 am
Posts: 5093
Location: United Kingdom
Thanks Tom!

I think I have missed a bit here - you replaced the function, and then changed all the calls to it to point to the old one? So what calls the new function?



 Post subject: Re: Nectar - runaway escaping of strings?
PostPosted: Fri Nov 06, 2015 12:18 pm 
Cacti Guru User

Joined: Thu Sep 16, 2004 5:53 am
Posts: 5093
Location: United Kingdom
Sorry - I follow now. *Cacti* changed the function, you put the old version back and switched nectar to using it. That makes much more sense :-)



 Post subject: Re: Nectar - runaway escaping of strings?
PostPosted: Wed Nov 18, 2015 9:27 pm 
Cacti User

Joined: Fri Nov 04, 2005 3:37 pm
Posts: 229
Location: Ca US
Didn't work for me.

Something changed, and it may be os/php/mysql related (don't know, just speculating here).

FWIW, I have:
Quote:
General Information
Date Fri, 20 Nov 2015 11:23:23 -0800
Cacti Version 0.8.8f
Cacti OS unix
SNMP Version NET-SNMP version: 5.5
RRDTool Version RRDTool 1.3.x
Hosts 504
Graphs 4989
Data Sources Script/Command: 848
SNMP: 4501
SNMP Query: 1122
Script Query: 135
Script - Script Server (PHP): 21
Total: 6627
Poller Information
Interval 300
Type SPINE 0.8.8f Copyright 2002-2015 by The Cacti Group
Items Action[0]: 6006
Action[1]: 674
Action[2]: 19
Total: 6699
Concurrent Processes 1
Max Threads 16
PHP Servers 1
Script Timeout 2
Max OID 10
Last Run Statistics Time:41.5721 Method:spine Processes:1 Threads:16 Hosts:481 HostsPerProcess:481 DataSources:6699 RRDsProcessed:5483
PHP Information
PHP Version 5.3.3
PHP OS Linux
PHP uname Linux localhost 2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 22:00:00 UTC 2015 x86_64
PHP SNMP Installed
max_execution_time 30
memory_limit 256M
mysql
MySQL Support enabled
Active Persistent Links 1
Active Links 1
Client API version 5.1.73
MYSQL_MODULE_TYPE external
MYSQL_SOCKET /var/lib/mysql/mysql.sock
MYSQL_INCLUDE -I/usr/include/mysql
MYSQL_LIBS -L/usr/lib64/mysql -lmysqlclient

Directive Local Value Master Value
mysql.allow_local_infile On On
mysql.allow_persistent On On
mysql.connect_timeout 60 60
mysql.default_host no value no value
mysql.default_password no value no value
mysql.default_port no value no value
mysql.default_socket /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock
mysql.default_user no value no value
mysql.max_links Unlimited Unlimited
mysql.max_persistent Unlimited Unlimited
mysql.trace_mode Off Off
mysqli
MysqlI Support enabled
Client API library version 5.1.73
Active Persistent Links 0
Inactive Persistent Links 0
Active Links 0
Client API header version 5.1.73
MYSQLI_SOCKET /var/lib/mysql/mysql.sock

Directive Local Value Master Value
mysqli.allow_local_infile On On
mysqli.allow_persistent On On
mysqli.default_host no value no value
mysqli.default_port 3306 3306
mysqli.default_pw no value no value
mysqli.default_socket no value no value
mysqli.default_user no value no value
mysqli.max_links Unlimited Unlimited
mysqli.max_persistent Unlimited Unlimited
mysqli.reconnect Off Off

_________________
---------
The Glue Guy


Last edited by GlueGuy on Fri Nov 20, 2015 2:31 pm, edited 1 time in total.

 Post subject: Re: Nectar - runaway escaping of strings?
PostPosted: Thu Nov 19, 2015 2:13 am 
Cacti Guru User

Joined: Thu Sep 16, 2004 5:53 am
Posts: 5093
Location: United Kingdom
Just to close the loop, this change worked for me!



 Post subject: Re: Nectar - runaway escaping of strings?
PostPosted: Fri Nov 20, 2015 6:59 pm 
Cacti User

Joined: Fri Nov 04, 2005 3:37 pm
Posts: 229
Location: Ca US
Howie wrote:
Just to close the loop, this change worked for me!
That didn't work for me. I think the problem is the way the components (CentOS, php, and mysql) have changed in later revisions.

On my system (CentOS 6.7, php 5.3.3, and mysql 5.1.73), it turns out that the $_POST automatically fixes the outer quotes. So I just removed sql_sanitize() everywhere it occurred. Unfortunately, that broke embedded single quotes (and other characters) that were within a text field (e.g. ' became \' ).

What I discovered turned out to be relatively simple. I just replaced "sql_sanitize()" with "stripslashes()" wherever it occurred. For example, the following line
Code:
$save['name']                   = sql_sanitize(form_input_validate($_POST['name'], 'name', '', false, 3));
became
Code:
$save['name']                   = stripslashes(form_input_validate($_POST['name'], 'name', '', false, 3));
stripslashes is a built-in php function.
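The following is an added example written for this thread; it is not Cacti or Nectar code. It models the escaping chain that Tom describes (the old semicolon-only sql_sanitize() versus the new qstr()-based one) and compares it with GlueGuy's stripslashes() replacement. model_qstr() is a simplified stand-in for the connection's qstr() (assumed here to wrap the value in single quotes and backslash-escape backslashes and quotes), and the extra addslashes() pass on the submitted value is an assumption made to reproduce the title from the first post; magic_quotes_gpc behaved that way. The prepared-statement round trip uses an in-memory SQLite database and needs the pdo_sqlite extension.

```php
<?php
// Added example, not Cacti or Nectar code: models the escaping chain from this
// thread so the reported title can be reproduced and the workarounds compared.

// Simplified stand-in for the connection's qstr() (assumption): escape
// backslashes first, then single quotes, then wrap the result in quotes.
function model_qstr(string $value): string {
    $escaped = str_replace(['\\', "'"], ['\\\\', "\\'"], $value);
    return "'" . $escaped . "'";
}

// The old Cacti sql_sanitize(): only semicolons get a backslash.
function old_sql_sanitize(string $value): string {
    return str_replace(';', '\;', $value);
}

// Simulate editing and saving a report field $rounds times. Each save runs the
// field through $sanitize. When $inputEscaped is true the submitted value is
// first passed through addslashes(), which is what magic_quotes_gpc did to
// $_POST (assumption used to reproduce the thread's symptom).
function simulate_saves(string $value, int $rounds, callable $sanitize, bool $inputEscaped): string {
    for ($i = 0; $i < $rounds; $i++) {
        if ($inputEscaped) {
            $value = addslashes($value);
        }
        $value = $sanitize($value);
    }
    return $value;
}

// The safe pattern: keep the raw value and bind it once at the SQL boundary,
// so no escaping is ever applied to an already-escaped string. In-memory
// SQLite keeps it offline; requires the pdo_sqlite extension.
function roundtrip_via_prepared_statement(string $value): string {
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE reports (name TEXT NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO reports (name) VALUES (:name)');
    $stmt->execute([':name' => $value]);
    return (string) $pdo->query('SELECT name FROM reports')->fetchColumn();
}

$title    = 'XX Monthly WAN Report';                    // constructed sample input
$reported = "'\\\\\\'XX Monthly WAN Report\\\\\\''";    // the title from the first post

// Two saves through the qstr()-style sanitizer reproduce the reported title exactly.
$twoSaves = simulate_saves($title, 2, 'model_qstr', true);
echo "qstr-style, 2 saves:   ", $twoSaves, PHP_EOL;
echo "matches reported:      ", var_export($twoSaves === $reported, true), PHP_EOL;
echo "qstr-style, 3 saves:   ", simulate_saves($title, 3, 'model_qstr', true), PHP_EOL;

// Tom's revert: the old sanitizer leaves a title without semicolons untouched.
echo "old sanitize, 3 saves: ", simulate_saves($title, 3, 'old_sql_sanitize', true), PHP_EOL;

// GlueGuy's replacement: stripslashes() cancels the one layer added on input,
// so a value containing a quote is stable across saves...
echo "stripslashes, 3 saves: ", simulate_saves("O'Brien report", 3, 'stripslashes', true), PHP_EOL;
// ...but with no input layer to cancel it eats backslashes the user really typed.
echo "stripslashes, no input escaping: ", simulate_saves('share\\monthly', 1, 'stripslashes', false), PHP_EOL;

if (extension_loaded('pdo_sqlite')) {
    $raw = "Tom's report; C:\\path";   // quotes, a semicolon and a backslash
    echo "prepared statement round trip unchanged: ",
         var_export(roundtrip_via_prepared_statement($raw) === $raw, true), PHP_EOL;
}
```

Run it with `php` on the command line. The point the model makes is that sanitizing for SQL at form-validation time is the wrong layer: quoting belongs to the statement that is about to execute, applied exactly once to the raw value (or, better, handled by parameter binding), which is why a value that has already been quoted once keeps growing on every save.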



 Post subject: Re: Nectar - runaway escaping of strings?
PostPosted: Fri Nov 20, 2015 7:26 pm 
Joined: Fri Sep 14, 2012 6:57 pm
Posts: 10
My install was CentOS 7.

The old sanitize function seemed to work fine so I just stuck with that but I didn't want to modify the core Cacti code so that's why I just tweaked the Nectar code. It'll make upgrading Cacti easier down the road.


 Post subject: Re: Nectar - runaway escaping of strings?
PostPosted: Fri Nov 20, 2015 7:31 pm 
Cacti User

Joined: Fri Nov 04, 2005 3:37 pm
Posts: 229
Location: Ca US
tbilan wrote:
My install was CentOS 7.

The old sanitize function seemed to work fine so I just stuck with that but I didn't want to modify the core Cacti code so that's why I just tweaked the Nectar code. It'll make upgrading Cacti easier down the road.
It might be different on CentOS 7? Dunno. I tried several ways to deal with it in "just" sql_sanitize(), but nothing seemed to work. Perhaps I should have just stuck stripslashes() in as an alias for sql_sanitize()?



 Post subject: Re: Nectar - runaway escaping of strings?
PostPosted: Thu Dec 03, 2015 9:02 am 
Cacti User

Joined: Thu Jan 07, 2010 10:33 am
Posts: 119
This is fixed in 0.8.8g rev 7768


 Post subject: Re: Nectar - runaway escaping of strings?
PostPosted: Mon Dec 07, 2015 2:19 am 
Cacti Guru User

Joined: Thu Jan 31, 2008 6:39 am
Posts: 2573
Location: Kressbronn, Germany
GlueGuy, this may just be the "magic quotes" setting in php (http://php.net/manual/de/security.magicquotes.php). It's deprecated in 5.3 and removed in 5.4, but was doing automatic quoting of strings.

_________________
Greetings,
Phalek
---
Need more help ? Read the Cacti documentation or my new Cacti Book
Need on-site support ? Look here Cacti Workshop
Need professional Cacti support ? Look here CereusService
---
Plugins : CereusTransporter | CereusReporting | nmidWebService | nmidSmokeping | nmidWeb2 |

Code:
CereusServer Master:  SYSTEM STATS: Time:2.5621 Method:spine Processes:1 Threads:16 Hosts:446 HostsPerProcess:446 DataSources:14683 RRDsProcessed:7573
CereusServer Agent:   SYSTEM STATS: Time:27.4840 Method:spine Processes:1 Threads:8 Hosts:16 HostsPerProcess:16 DataSources:114576 RRDsProcessed:48061


 Post subject: Re: Nectar - runaway escaping of strings?
PostPosted: Mon Dec 07, 2015 11:57 am 
Cacti User

Joined: Fri Nov 04, 2005 3:37 pm
Posts: 229
Location: Ca US
phalek wrote:
GlueGuy, this may just be the "magic quotes" setting in php ( http://php.net/manual/de/security.magicquotes.php ) . It's deprecated in 5.3 and removed in 5.4, but was doing automatic quoting of strings.
I checked that, and magic quotes are all turned off in the php.ini.

I understand that this is fixed in 0.8.8g. I've looked at the SVN, and it appears that the function of sql_sanitize() has gone back to the previous implementation. However, there are other changes as well. I guess we'll see when 0.8.8g comes out.

In the meantime, I've got it working on our cacti system by replacing sql_sanitize() with stripslashes().



 Post subject: Re: Nectar - runaway escaping of strings?
PostPosted: Fri Sep 02, 2016 8:47 am 
Joined: Fri Sep 02, 2016 8:44 am
Posts: 6
I'm running Cacti 0.8.8f and tbilan's instructions worked for me, editing only the nectar_webapi.php


 Post subject: Re: Nectar - runaway escaping of strings?
PostPosted: Fri Dec 30, 2016 11:28 am 
Joined: Wed Oct 13, 2010 4:53 am
Posts: 6
mini4mw2 wrote:
I'm running Cacti 0.8.8f and tbilan's instructions worked for me, editing only the nectar_webapi.php

Likewise. Thanks tbilan!

Leo

_________________
You'll have to pay me to use Windows

