Script with UNC Path adds two backslashes to pollers cache

[canislupus]

Hi,
Today I tried a first update from V0.8.8a to V0.8.8b (using cmd poller). Now I have a problem with my Script/command using UNC Path (data is located on remote server!) starting with double backslashes (\\):
Current Input String within Data Input Methods:

Code: Select all

cscript.exe <path_cacti>/scripts/wmi/wmi_read_memory_V10.vbs //Nologo //T:20 \\cactilogserver/wmi$/log/cacti/test/<hostname>_wmi.log get MemoryTotal,MemoryUsed,MemoryFree

When I now rebuild the Poller Cache, Cacti will add automatically two new backslashes in the poller Cache to the UNC Path ([\\remoteserver/wmi$] turns to [\\\\remoteserver/wmi$]):

Code: Select all

Script: cscript.exe E:/Cacti/cacti/test/scripts/wmi/wmi_read_cpu_V10.vbs //Nologo //T:20 \\\\cactilogserver/wmi$/log/cacti/test/defrsrv722_wmi.log get CPU0,CPU1,CPU2,CPU3,CPU4,CPU5,CPU6,CPU7,CPUTotal  
 RRD: E:\Cacti\cacti\test\rra\defrsrv722_-_w2k8_r2_vm_cpu0_2775.rrd 

The result after rebuilding the poller cache is of course no more data!

Update 04.09.2013:
Problem seems to be the "rebuild of the poller cache". Each defined Input String form the Data Input Methods or Data Queries that contains a backslash (\) turns twice after a poller cache rebuild! That's new in version 0.8.8b.
In my opinion it's a bug!

Update 06.09.2013:
Found a new bug within [Data Queries] and Rebuilding Poller Cache function.
In my XML-file in section <script_path> I have only defined slashes (/) for the folder path:

Code: Select all

<interface>
	<name>Get physik. Disk Info</name>
	<description>Queries the Win32_PerfRawData_PerfDisk_LogicalDisk class of a W32 host using WMI.</description>
	<script_path>cscript.exe |path_cacti|/scripts/wmi/wmi_read_hdd_V10.vbs</script_path>
	<arg_prepend>//NOLOGO //T:20 \\cactiserver.mydomain.com/wmi$/log/cacti/test/|host_hostname|_wmi.log</arg_prepend>
	<arg_index>index</arg_index>

The result in my poller cache after rebuilig it shows the following and not working anymore detail:
a) all single slashes from the xml-file turns to a double backslash for the executable script
b) all double backslashes (necessary to connect to remote server) turns into four backslashes
(Details from [View poller Cache]):

Code: Select all

Script: cscript.exe E:\\Cacti\\cacti\\test\\scripts\\wmi\\wmi_read_hdd_V10.vbs //NOLOGO //T:20 \\\\defrwft032dws86.sbc.dws.eur.deuba.com/wmi$/log/cacti/test/defrvat722dws36_wmi.log get freembytes C: 

Any idea?

Windows 2008 R2
Apache 2.2.21 (WIN32)
PHP 5.2.17
MYSQL 5.5.20 (X64)
cmd.php poller

[jimboutit]

I have a similar problem. I have a cacti executing a WMI query and it is escaping each single quote ' with a backslash. The result is invalid. This behavior did not exist in version .8.8a

Example:
Script/Command Input String
/usr/bin/php -q <path_cacti>/scripts/wmi.php -h '<host>' -u '<credential>' -w '<class>' -n '<namespace>' -k '<filter>' -v '<filterval>' -c '<columns>'
Poller Cache
Script: /usr/bin/php -q /usr/share/cacti/scripts/wmi.php -h \'172.27.0.231\' -u \'/etc/cacti/wmi.pw\' -w \'Win32_PerfFormattedData_PerfOS_Processor\' -n \'\' -k \'Name\' -v \'_Total\' -c \'PercentProcessorTime\'

I checked in the Cacti database, and the string in input_string in table data_input does not contain the escaped string, so I'm guessing they are being added on the fly.

[paulgevers]

Please have a look at my message of 07 Sep 2013 09:18 in this other forum thread and see if it helps understanding the problem and possible solution.

[canislupus]

Hi paulgevers,

I adjusted the utilty.php as described in your post, but it doesn't solved the problem.

[paulgevers]

I adjusted the utilty.php as described in your post, but it doesn't solved the problem.

Did you rebuild the poller cache? Else I completely misunderstood the issue.

[canislupus]

Yes of course,
1st try was to rebuild the poller cache after adjusting the utility.php
And
2nd try was to truncate the poller item table within the mysql database and to rebuild it again
but the result for both was unsuccessful!
Is there anything else to pay attention to?

[izydorczyk]

SemiSolution, or rather adaptation: (To simplify multiple repair records.)

Code: Select all

UPDATE poller_item SET arg1=REPLACE(arg1, "\'", "'") WHERE `arg1` LIKE "%\\'%"

Manual editing records in a table via Webmin Mysql Manager or PHPMyAdmin is terrible.

[jftuga]

I am having similar issues and will try some of these suggestions. I am planning on reporting back what works for me.

-John

[izydorczyk]

Perhaps this bug fix in the next version.

[jftuga]

SemiSolution, or rather adaptation: (To simplify multiple repair records.)

Code: Select all

UPDATE poller_item SET arg1=REPLACE(arg1, "\'", "'") WHERE `arg1` LIKE "%\\'%"

Manual editing records in a table via Webmin Mysql Manager or PHPMyAdmin is terrible.

I fixed this by adding 2 backslashes in the replace() function instead of just 1. However, rebuilding the poller cache seems to undo these changes. How can I prevent this?

Thanks,
-John

[paulgevers]

So far, I have confirmed that my "fix" above doesn't do anything.

Furthermore, while I think about it, the behavior described in this thread really seems this is the intended behavior if you want to prevent command injection. So if you really want the old behavior, you can just revert back to 0.8.8a (the main difference between a and b was this security fix).

I am afraid that the devs of cacti have (at least) the following options, without any nice one:

1. Leave as is now in 0.8.8b and uses will have to get their scripts smart enough to cope with this issue
2. Revert the security improvements as currently the cacti user has very much rights already (although I can not oversee a situation where different users have different rights and the admin wants to prevent command code injection by users that otherwise don't have those rights)
3. Write additional code to prevent command line injection by and only prevent unmatched quotes.
4. Write additional code to remove escaping of matched quotes within the sanitized strings

One problem that I see is that the code was meant to be generic (good software design) but now in SOME instances you want different behavior. That is always a pain.

I would like to hear the opinion of a cacti dev. I can help with the solution, but I want to know the direction.

[gandalf]

I am afraid that the devs of cacti have (at least) the following options, without any nice one:

1. Leave as is now in 0.8.8b and uses will have to get their scripts smart enough to cope with this issue
2. Revert the security improvements as currently the cacti user has very much rights already (although I can not oversee a situation where different users have different rights and the admin wants to prevent command code injection by users that otherwise don't have those rights)
3. Write additional code to prevent command line injection by and only prevent unmatched quotes.
4. Write additional code to remove escaping of matched quotes within the sanitized strings

Paul, I fear that you're quite right. I was searching back and forth to solve this, but I'm back were you are already. As a plus, php parameter "magic_quotes_*" have been changed lately. This may complicate issues more.

An approach is, to _initially_ quote everything that goes into database, but from "user interaction" only.
When fetching data from db without passing them via GET/POST (bad, bad design - no stateful information passing), no escaping should be performed. Analyzing this is a pain in the ass. Each GET/POST can be intercepted ...

In case you have a more generic approach, I'm open for it. And thanks for your constant contributions
R.

[jimboutit]

Is there any way to revert this behavior without downgrading?

[paulgevers]

Is there any way to revert this behavior without downgrading?

Well, comment 0006535 in bug 2390 is suggesting a solution, but I have not tested or verified it.

[jackie]

Has anyone tested reverting this behavior? We are running into this problem as well, and would like a "fix".

Thanks,
Jackie