Nectar - runaway escaping of strings?

General discussion about Plugins for Cacti

Howie
Cacti Guru User
Posts: 5348
Joined: Thu Sep 16, 2004 5:53 am
Location: United Kingdom

Nectar - runaway escaping of strings?

#1 Post by Howie » Thu Oct 22, 2015 8:58 am

My Cacti installation has recently (maybe since the last upgrade) developed a new problem - every time I make a change to a Nectar report, all the strings are wrapped in single quotes (''). Then, if there are single quotes, they are wrapped with backslashes. Then the backslashes are wrapped in quotes...

So I have strange report titles like this:

'\\\'XX Monthly WAN Report\\\''
And it does the same with the e-mail addresses, which is obviously a bigger problem!

Any suggestions? This smells like part of Cacti's anti-XSS stuff going wrong.

Nectar 0.35a, Cacti 0.8.8e
Weathermap 0.98 is out! & QuickTree 1.0. Superlinks is over there now (and built-in to Cacti 1.x).
Some Other Cacti tweaks, including strip-graphs, icons and snmp/netflow stuff.
(Let me know if you have UK DevOps or Network Ops opportunities, too!)

tbilan
Posts: 15
Joined: Fri Sep 14, 2012 6:57 pm

Re: Nectar - runaway escaping of strings?

#2 Post by tbilan » Mon Oct 26, 2015 10:58 am

I just built a fresh server with 0.8.8f and experienced the same problem.

The issue is that ./lib/database.php changed the sql_sanitize function from:

function sql_sanitize($value) {
    // old version: only backslash-escapes semicolons, adds no quotes
    $value = str_replace(";", "\;", $value);
    return $value;
}

to

function sql_sanitize($value) {
    global $cnn_id;
    // new version: ADOdb qstr() escapes the value AND wraps it in single quotes,
    // so it returns a complete SQL string literal rather than a bare value
    $value = $cnn_id->qstr($value);
    return $value;
}

As a quick fix I edited the plugins/nectar/nectar_webap.php and added the old code as:
function sql_sanitizeold($value) {
    // copy of the old escape-only behaviour, kept inside the plugin so the
    // core lib/database.php is left untouched
    $value = str_replace(";", "\;", $value);
    return $value;
}

I then did a find/replace for sql_sanitize and changed it to sql_sanitizeold.

I'm not sure if the long-term fix is a change to the database.php code or to the nectar plugin. I'll let the powers that be sort that out.

Hope this helps.

Thanks,
Tom
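
The exchange above pins the change on sql_sanitize(), and the reason it breaks Nectar is worth spelling out: ADOdb's qstr(), which the new version calls, does not merely escape a value, it returns a complete single-quoted SQL literal. Nectar applied sql_sanitize() to each field before handing it to Cacti's save routine, which quotes the value again when it builds the statement, so every edit stores one more layer of quotes and backslashes. The PHP below is an added illustration of that mechanism, not code from Cacti, Nectar or ADOdb; quote_like_qstr() and store_literal() are simplified stand-ins for ADOdb's quoting and for MySQL parsing a quoted literal, and the sample titles are constructed.

```php
<?php
// Added example, not Cacti, Nectar or ADOdb code: a model of why a stored
// value gains one more layer of quotes and backslashes on every save when a
// quote-and-escape function is applied by the plugin and then again by the
// core save routine. quote_like_qstr() and store_literal() are simplified
// stand-ins for ADOdb's qstr() and for MySQL parsing a quoted literal.

declare(strict_types=1);

// Stand-in for ADOdb qstr(): escape backslashes first, then single quotes,
// then wrap the result in single quotes. The order matters: escaping quotes
// first would double the backslashes that step introduces.
function quote_like_qstr(string $value): string
{
    $escaped = str_replace(['\\', "'"], ['\\\\', "\\'"], $value);
    return "'" . $escaped . "'";
}

// Stand-in for MySQL storing a single-quoted literal: drop the outer quotes
// and undo exactly one layer of backslash escaping in a single pass.
function store_literal(string $literal): string
{
    if (strlen($literal) < 2 || $literal[0] !== "'" || substr($literal, -1) !== "'") {
        throw new InvalidArgumentException('expected a single-quoted literal');
    }
    $inner = substr($literal, 1, -1);
    return (string) preg_replace('/\\\\(.)/s', '$1', $inner);
}

// Buggy path, per edit: the plugin quotes the form value, then the core save
// quotes the already-quoted string once more before it reaches MySQL.
function save_quoting_twice(string $form_value): string
{
    $pre_quoted = quote_like_qstr($form_value);  // plugin-side sql_sanitize()
    $literal    = quote_like_qstr($pre_quoted);  // core quotes again at the sink
    return store_literal($literal);              // what lands in the row
}

// Correct path: quote exactly once, at the SQL sink.
function save_quoting_once(string $form_value): string
{
    return store_literal(quote_like_qstr($form_value));
}

// Feed the stored value back through $saves edit/save cycles, as a user
// re-saving the report would, and return the row contents after each one.
function simulate_edits(string $initial, int $saves, callable $save): array
{
    $history = [];
    $stored  = $initial;
    for ($i = 0; $i < $saves; $i++) {
        $stored    = $save($stored);
        $history[] = $stored;
    }
    return $history;
}

// Constructed sample titles: the one from the first post, and one with an
// apostrophe, which is the character the escaping exists for.
$titles = ['XX Monthly WAN Report', "Tom's WAN report"];

foreach ($titles as $title) {
    echo "quoting twice, starting from: $title\n";
    foreach (simulate_edits($title, 3, 'save_quoting_twice') as $n => $stored) {
        printf("  after save %d: %s\n", $n + 1, $stored);
    }
    echo "quoting once, starting from: $title\n";
    foreach (simulate_edits($title, 3, 'save_quoting_once') as $n => $stored) {
        printf("  after save %d: %s\n", $n + 1, $stored);
    }
    // Quoting once at the sink is idempotent across saves; quoting twice is not.
    assert(save_quoting_once($title) === $title);
    assert(save_quoting_twice($title) !== $title);
}
```

Run it with the php CLI. On the quote-twice path the row holds the title wrapped in single quotes after the first save, and after the second save it holds that plus backslash-escaped inner quotes, the same growth pattern as the string in the first post; on the quote-once path every save returns the original title, apostrophe included. Whether the long-term fix lands in the core (0.8.8g is reported below to go back to the previous sql_sanitize()) or in the plugin, the rule it enforces is the same: quote and escape a value once, at the place the SQL statement is built, and never pre-quote in the caller.
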

Howie
Cacti Guru User

Re: Nectar - runaway escaping of strings?

#3 Post by Howie » Fri Nov 06, 2015 11:56 am

Thanks Tom!

I think I have missed a bit here - you replaced the function, and then changed all the calls to it to point to the old one? So what calls the new function?

Howie
Cacti Guru User

Re: Nectar - runaway escaping of strings?

#4 Post by Howie » Fri Nov 06, 2015 12:18 pm

Sorry - I follow now. *Cacti* changed the function, you put the old version back and switched nectar to using it. That makes much more sense :-)

GlueGuy
Cacti User
Posts: 255
Joined: Fri Nov 04, 2005 3:37 pm
Location: Ca US

Re: Nectar - runaway escaping of strings?

#5 Post by GlueGuy » Wed Nov 18, 2015 9:27 pm

Didn't work for me.

Something changed, and it may be os/php/mysql related (don't know, just speculating here).

FWIW, I have:
General Information
Date Fri, 20 Nov 2015 11:23:23 -0800
Cacti Version 0.8.8f
Cacti OS unix
SNMP Version NET-SNMP version: 5.5
RRDTool Version RRDTool 1.3.x
Hosts 504
Graphs 4989
Data Sources Script/Command: 848
SNMP: 4501
SNMP Query: 1122
Script Query: 135
Script - Script Server (PHP): 21
Total: 6627
Poller Information
Interval 300
Type SPINE 0.8.8f Copyright 2002-2015 by The Cacti Group
Items Action[0]: 6006
Action[1]: 674
Action[2]: 19
Total: 6699
Concurrent Processes 1
Max Threads 16
PHP Servers 1
Script Timeout 2
Max OID 10
Last Run Statistics Time:41.5721 Method:spine Processes:1 Threads:16 Hosts:481 HostsPerProcess:481 DataSources:6699 RRDsProcessed:5483
PHP Information
PHP Version 5.3.3
PHP OS Linux
PHP uname Linux localhost 2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 22:00:00 UTC 2015 x86_64
PHP SNMP Installed
max_execution_time 30
memory_limit 256M
mysql
MySQL Support enabled
Active Persistent Links 1
Active Links 1
Client API version 5.1.73
MYSQL_MODULE_TYPE external
MYSQL_SOCKET /var/lib/mysql/mysql.sock
MYSQL_INCLUDE -I/usr/include/mysql
MYSQL_LIBS -L/usr/lib64/mysql -lmysqlclient

Directive Local Value Master Value
mysql.allow_local_infile On On
mysql.allow_persistent On On
mysql.connect_timeout 60 60
mysql.default_host no value no value
mysql.default_password no value no value
mysql.default_port no value no value
mysql.default_socket /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock
mysql.default_user no value no value
mysql.max_links Unlimited Unlimited
mysql.max_persistent Unlimited Unlimited
mysql.trace_mode Off Off
mysqli
MysqlI Support enabled
Client API library version 5.1.73
Active Persistent Links 0
Inactive Persistent Links 0
Active Links 0
Client API header version 5.1.73
MYSQLI_SOCKET /var/lib/mysql/mysql.sock

Directive Local Value Master Value
mysqli.allow_local_infile On On
mysqli.allow_persistent On On
mysqli.default_host no value no value
mysqli.default_port 3306 3306
mysqli.default_pw no value no value
mysqli.default_socket no value no value
mysqli.default_user no value no value
mysqli.max_links Unlimited Unlimited
mysqli.max_persistent Unlimited Unlimited
mysqli.reconnect Off Off
Last edited by GlueGuy on Fri Nov 20, 2015 2:31 pm, edited 1 time in total.
---------
The Glue Guy

Howie
Cacti Guru User

Re: Nectar - runaway escaping of strings?

#6 Post by Howie » Thu Nov 19, 2015 2:13 am

Just to close the loop, this change worked for me!

GlueGuy
Cacti User

Re: Nectar - runaway escaping of strings?

#7 Post by GlueGuy » Fri Nov 20, 2015 6:59 pm

Howie wrote: Just to close the loop, this change worked for me!
That didn't work for me. I think the problem is the way the components (CentOS, php, and mysql) have changed in later revisions.

On my system (CentOS 6.7, php 5.3.3, and mysql 5.1.73), it turns out that the $_POST automatically fixes the outer quotes. So I just removed sql_sanitize() everywhere it occurred. Unfortunately, that broke embedded single quotes (and other characters) that were within a text field (e.g. ' became \' ).

What I discovered turned out to be relatively simple. I just replaced "sql_sanitize()" with "stripslashes()" wherever it occurred. For example, the following line

$save['name']                   = sql_sanitize(form_input_validate($_POST['name'], 'name', '', false, 3));
became

$save['name']                   = stripslashes(form_input_validate($_POST['name'], 'name', '', false, 3));
stripslashes() is a built-in PHP function.

tbilan

Re: Nectar - runaway escaping of strings?

#8 Post by tbilan » Fri Nov 20, 2015 7:26 pm

My install was CentOS 7.

The old sanitize function seemed to work fine so I just stuck with that but I didn't want to modify the core Cacti code so that's why I just tweaked the Nectar code. It'll make upgrading Cacti easier down the road.

GlueGuy
Cacti User

Re: Nectar - runaway escaping of strings?

#9 Post by GlueGuy » Fri Nov 20, 2015 7:31 pm

tbilan wrote: My install was CentOS 7.

The old sanitize function seemed to work fine so I just stuck with that but I didn't want to modify the core Cacti code so that's why I just tweaked the Nectar code. It'll make upgrading Cacti easier down the road.
It might be different on CentOS 7? Dunno. I tried several ways to deal with it in "just" sql_sanitize(), but nothing seemed to work. Perhaps I should have just stuck stripslashes() in as an alias for sql_sanitize()?

MrRat
Cacti User
Posts: 128
Joined: Thu Jan 07, 2010 10:33 am

Re: Nectar - runaway escaping of strings?

#10 Post by MrRat » Thu Dec 03, 2015 9:02 am

This is fixed in 0.8.8g rev 7768

phalek
Cacti Guru User
Posts: 2725
Joined: Thu Jan 31, 2008 6:39 am
Location: Kressbronn, Germany

Re: Nectar - runaway escaping of strings?

#11 Post by phalek » Mon Dec 07, 2015 2:19 am

GlueGuy, this may just be the "magic quotes" setting in php ( http://php.net/manual/de/security.magicquotes.php ) . It's deprecated in 5.3 and removed in 5.4, but was doing automatic quoting of strings.
Greetings,
Phalek
---
Need more help ? Read the Cacti documentation or my new Cacti 1.x Book
Need on-site support ? Look here Cacti Workshop
Need professional Cacti support ? Look here CereusService
---
Plugins : CereusTransporter | CereusReporting | nmidWebService | nmidSmokeping | nmidWeb2 |

CereusServer Master:  SYSTEM STATS: Time:2.5621 Method:spine Processes:1 Threads:16 Hosts:446 HostsPerProcess:446 DataSources:14683 RRDsProcessed:7573
CereusServer Agent:   SYSTEM STATS: Time:27.4840 Method:spine Processes:1 Threads:8 Hosts:16 HostsPerProcess:16 DataSources:114576 RRDsProcessed:48061

GlueGuy
Cacti User

Re: Nectar - runaway escaping of strings?

#12 Post by GlueGuy » Mon Dec 07, 2015 11:57 am

phalek wrote: GlueGuy, this may just be the "magic quotes" setting in php ( http://php.net/manual/de/security.magicquotes.php ) . It's deprecated in 5.3 and removed in 5.4, but was doing automatic quoting of strings.
I checked that, and magic quotes are all turned off in the php.ini.

I understand that this is fixed in 0.8.8g. I've looked at the SVN, and it appears that the function of sql_sanitize() has gone back to the previous implementation. However, there are other changes as well. I guess we'll see when 0.8.8g comes out.

In the meantime, I've got it working on our cacti system by replacing sql_sanitize() with stripslashes().
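
GlueGuy's workaround (#7, #12) and phalek's pointer to magic quotes (#11) are two sides of one question: were the backslashes added by the PHP runtime, or by Cacti's own quoting? stripslashes() is the exact inverse of addslashes(), which is what magic_quotes_gpc applied to every request value, so it is the right undo only when that pass actually ran. With magic quotes off, as GlueGuy reports, an unconditional stripslashes() silently deletes every legitimate backslash in a field, and since it removes escaping rather than adding it, the quoting still has to happen once in the save routine. The PHP below is an added illustration of that, not code from Cacti, Nectar or the posters; the form values are constructed, and get_magic_quotes_gpc() is replaced by a parameter so the script runs on current PHP.

```php
<?php
// Added example, not Cacti or Nectar code: why stripslashes() is a correct
// undo only when magic_quotes_gpc (or some other addslashes() pass) really
// added the slashes, and what it destroys when it runs on clean input.

declare(strict_types=1);

// magic_quotes_gpc ran addslashes() over every GET, POST and COOKIE value
// before the script saw it (deprecated in PHP 5.3, removed in 5.4). This
// models that step so the example behaves the same on any PHP version.
function apply_magic_quotes(array $request): array
{
    return array_map('addslashes', $request);
}

// The PHP 5 era pattern: strip the added slashes only when the runtime added
// them. On PHP < 5.4 $magic_quotes_on would come from get_magic_quotes_gpc();
// here it is a parameter.
function normalize_request(array $request, bool $magic_quotes_on): array
{
    return $magic_quotes_on ? array_map('stripslashes', $request) : $request;
}

// Report every field whose value did not survive a normalisation pass
// byte-for-byte, as field => [before, after].
function fields_changed(array $before, array $after): array
{
    $changed = [];
    foreach ($before as $field => $value) {
        if ($after[$field] !== $value) {
            $changed[$field] = [$value, $after[$field]];
        }
    }
    return $changed;
}

// Constructed form input. The apostrophe and the backslashes are the
// characters that addslashes()/stripslashes() act on; the address is a
// control that should never change.
$form = [
    'name'     => "Tom's WAN report",
    'share'    => 'C:\\reports\\weekly',
    'to_email' => 'ops@example.com',
];

// Case 1: magic quotes on, undone conditionally. Exact round trip.
$with_quotes = apply_magic_quotes($form);
$restored    = normalize_request($with_quotes, true);
echo "magic quotes on, stripslashes applied:  ",
     fields_changed($form, $restored) === [] ? "round-trips" : "DIFFERS", "\n";

// Case 2: magic quotes off (GlueGuy's php.ini), undone conditionally: no-op.
$untouched = normalize_request($form, false);
echo "magic quotes off, stripslashes skipped: ",
     fields_changed($form, $untouched) === [] ? "round-trips" : "DIFFERS", "\n";

// Case 3: magic quotes off, but stripslashes() run unconditionally, which is
// what replacing sql_sanitize() with stripslashes() amounts to. Any
// legitimate backslash in the input is eaten without an error.
$mangled = normalize_request($form, true);
foreach (fields_changed($form, $mangled) as $field => [$before, $after]) {
    printf("unconditional stripslashes changed %s: %s -> %s\n", $field, $before, $after);
}
```

Cases 1 and 2 round-trip. Case 3 leaves the name and the address alone, because neither contains a backslash, but turns the share path into C:reportsweekly. That is the check to run before adopting the stripslashes() workaround on a given box: confirm magic_quotes_gpc is off (phpinfo() or php -i), and confirm none of the Nectar fields legitimately carry backslashes. If either check fails, keeping an escape-only sql_sanitize() inside the plugin, as tbilan did, is the safer of the two local fixes until the core change ships.
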

mini4mw2
Posts: 18
Joined: Fri Sep 02, 2016 8:44 am

Re: Nectar - runaway escaping of strings?

#13 Post by mini4mw2 » Fri Sep 02, 2016 8:47 am

I'm running Cacti 0.8.8f and tbilan's instructions worked for me, editing only the nectar_webapi.php

Gluntzmaster
Posts: 8
Joined: Wed Oct 13, 2010 4:53 am

Re: Nectar - runaway escaping of strings?

#14 Post by Gluntzmaster » Fri Dec 30, 2016 11:28 am

mini4mw2 wrote: I'm running Cacti 0.8.8f and tbilan's instructions worked for me, editing only the nectar_webapi.php
Likewise. Thanks tbilan !

Leo
You'll have to pay me to use Windows
