Nectar - runaway escaping of strings?

General discussion about Plugins for Cacti

Howie
Cacti Guru User
Posts: 5508
Joined: Thu Sep 16, 2004 5:53 am
Location: United Kingdom

Nectar - runaway escaping of strings?

Post by Howie »

My Cacti installation has recently (maybe since the last upgrade) developed a new problem - every time I make a change to a Nectar report, all the strings are wrapped in single quotes (''). Then, if there are single quotes, they are wrapped with backslashes. Then the backslashes are wrapped in quotes...

So I have strange report titles like this:


'\\\'XX Monthly WAN Report\\\''
And it does the same with the e-mail addresses, which is obviously a bigger problem!

Any suggestions? This smells like part of Cacti's anti-XSS stuff going wrong.

Nectar 0.35a, Cacti 0.8.8e
Weathermap 0.98a is out! & QuickTree 1.0. Superlinks is over there now (and built-in to Cacti 1.x).
Some Other Cacti tweaks, including strip-graphs, icons and snmp/netflow stuff.
(Let me know if you have UK DevOps or Network Ops opportunities, too!)
tbilan
Posts: 15
Joined: Fri Sep 14, 2012 6:57 pm

Re: Nectar - runaway escaping of strings?

Post by tbilan »

I just built a fresh server with .8.8f and experienced the same problem.

The issue is that the ./lib/database.php changed the sql_sanitize function from:

function sql_sanitize($value) {
    // Old behaviour: only backslash-escape semicolons, leave everything else untouched
    $value = str_replace(";", "\;", $value);
    return $value;
}

to

function sql_sanitize($value) {
    global $cnn_id;
    // New behaviour: delegate to the ADOdb connection's qstr(), which wraps the value
    // in single quotes and escapes quotes/backslashes so it can be used as a SQL literal
    $value = $cnn_id->qstr($value);
    return $value;
}

As a quick fix I edited the plugins/nectar/nectar_webap.php and added the old code as:
function sql_sanitizeold($value) {
    // Copy of the pre-0.8.8e sql_sanitize(): only backslash-escape semicolons
    $value = str_replace(";", "\;", $value);
    return $value;
}

I then did a find/replace for sql_sanitize and changed it to sql_sanitizeold.

I'm not sure if the long-term fix is a change to the database.php code or to the nectar plugin. I'll let the powers that be sort that out.

Hope this helps.

Thanks,
Tom
Howie
Cacti Guru User
Posts: 5508
Joined: Thu Sep 16, 2004 5:53 am
Location: United Kingdom

Re: Nectar - runaway escaping of strings?

Post by Howie »

Thanks Tom!

I think I have missed a bit here - you replaced the function, and then changed all the calls to it to point to the old one? So what calls the new function?
Howie
Cacti Guru User
Posts: 5508
Joined: Thu Sep 16, 2004 5:53 am
Location: United Kingdom

Re: Nectar - runaway escaping of strings?

Post by Howie »

Sorry - I follow now. *Cacti* changed the function, you put the old version back and switched nectar to using it. That makes much more sense :-)
GlueGuy
Cacti User
Posts: 255
Joined: Fri Nov 04, 2005 3:37 pm
Location: Ca US

Re: Nectar - runaway escaping of strings?

Post by GlueGuy »

Didn't work for me.

Something changed, and it may be os/php/mysql related (don't know, just speculating here).

FWIW, I have:
General Information
Date Fri, 20 Nov 2015 11:23:23 -0800
Cacti Version 0.8.8f
Cacti OS unix
SNMP Version NET-SNMP version: 5.5
RRDTool Version RRDTool 1.3.x
Hosts 504
Graphs 4989
Data Sources Script/Command: 848
SNMP: 4501
SNMP Query: 1122
Script Query: 135
Script - Script Server (PHP): 21
Total: 6627
Poller Information
Interval 300
Type SPINE 0.8.8f Copyright 2002-2015 by The Cacti Group
Items Action[0]: 6006
Action[1]: 674
Action[2]: 19
Total: 6699
Concurrent Processes 1
Max Threads 16
PHP Servers 1
Script Timeout 2
Max OID 10
Last Run Statistics Time:41.5721 Method:spine Processes:1 Threads:16 Hosts:481 HostsPerProcess:481 DataSources:6699 RRDsProcessed:5483
PHP Information
PHP Version 5.3.3
PHP OS Linux
PHP uname Linux localhost 2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 22:00:00 UTC 2015 x86_64
PHP SNMP Installed
max_execution_time 30
memory_limit 256M
mysql
MySQL Support enabled
Active Persistent Links 1
Active Links 1
Client API version 5.1.73
MYSQL_MODULE_TYPE external
MYSQL_SOCKET /var/lib/mysql/mysql.sock
MYSQL_INCLUDE -I/usr/include/mysql
MYSQL_LIBS -L/usr/lib64/mysql -lmysqlclient

Directive Local Value Master Value
mysql.allow_local_infile On On
mysql.allow_persistent On On
mysql.connect_timeout 60 60
mysql.default_host no value no value
mysql.default_password no value no value
mysql.default_port no value no value
mysql.default_socket /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock
mysql.default_user no value no value
mysql.max_links Unlimited Unlimited
mysql.max_persistent Unlimited Unlimited
mysql.trace_mode Off Off
mysqli
MysqlI Support enabled
Client API library version 5.1.73
Active Persistent Links 0
Inactive Persistent Links 0
Active Links 0
Client API header version 5.1.73
MYSQLI_SOCKET /var/lib/mysql/mysql.sock

Directive Local Value Master Value
mysqli.allow_local_infile On On
mysqli.allow_persistent On On
mysqli.default_host no value no value
mysqli.default_port 3306 3306
mysqli.default_pw no value no value
mysqli.default_socket no value no value
mysqli.default_user no value no value
mysqli.max_links Unlimited Unlimited
mysqli.max_persistent Unlimited Unlimited
mysqli.reconnect Off Off
Last edited by GlueGuy on Fri Nov 20, 2015 2:31 pm, edited 1 time in total.
---------
The Glue Guy
Howie
Cacti Guru User
Posts: 5508
Joined: Thu Sep 16, 2004 5:53 am
Location: United Kingdom

Re: Nectar - runaway escaping of strings?

Post by Howie »

Just to close the loop, this change worked for me!
GlueGuy
Cacti User
Posts: 255
Joined: Fri Nov 04, 2005 3:37 pm
Location: Ca US

Re: Nectar - runaway escaping of strings?

Post by GlueGuy »

Howie wrote: Just to close the loop, this change worked for me!
That didn't work for me. I think the problem is the way the components (CentOS, php, and mysql) have changed in later revisions.

On my system (CentOS 6.7, php 5.3.3, and mysql 5.1.73), it turns out that the $_POST automatically fixes the outer quotes. So I just removed sql_sanitize() everywhere it occurred. Unfortunately, that broke embedded single quotes (and other characters) that were within a text field (e.g. ' became \' ).

What I discovered turned out to be relatively simple. I just replaced "sql_sanitize()" with "stripslashes()" wherever it occurred. For example, the following line


$save['name']                   = sql_sanitize(form_input_validate($_POST['name'], 'name', '', false, 3));
became


$save['name']                   = stripslashes(form_input_validate($_POST['name'], 'name', '', false, 3));
stripslashes is a built-in php function.
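The two workarounds in this thread (tbilan's revert to the semicolon-only sanitizer, GlueGuy's stripslashes() swap) both sidestep the same underlying defect: a "sanitizer" that is applied to a value on every save must be idempotent, otherwise a value that is loaded into the form and saved again grows one escaping layer per save. The following script is an added illustration and is not code from Cacti or the Nectar plugin. It assumes that the 0.8.8e/f sql_sanitize() behaves like ADOdb's qstr() for MySQL, modelled here as addslashes() wrapped in single quotes; the function names sanitize_old, sanitize_qstr, sanitize_strip, round_trip and is_idempotent, and the sample title and posted value, are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from Cacti or Nectar. Models the three "sanitizers"
// discussed in the thread and shows which of them run away on repeated saves.
// ASSUMPTION: the 0.8.8e/f sql_sanitize() is modelled as addslashes() wrapped in
// single quotes (what ADOdb's qstr() produces for MySQL); the real function
// delegates to the database driver and may differ in detail.

/** The pre-0.8.8e sql_sanitize(): only backslash-escape semicolons. */
function sanitize_old(string $value): string
{
    return str_replace(';', '\\;', $value);
}

/** The 0.8.8e/f sql_sanitize(): quote-and-escape the value as a SQL literal. */
function sanitize_qstr(string $value): string
{
    return "'" . addslashes($value) . "'";
}

/** GlueGuy's replacement: remove one layer of backslash escaping. */
function sanitize_strip(string $value): string
{
    return stripslashes($value);
}

/**
 * Simulate saving a report $saves times. On each save the form is pre-filled
 * with the stored value, submitted unchanged, passed through $sanitizer and
 * written back. A sanitizer that is not idempotent makes the value grow.
 */
function round_trip(callable $sanitizer, string $value, int $saves): string
{
    for ($i = 0; $i < $saves; $i++) {
        $value = $sanitizer($value);
    }
    return $value;
}

/** True when applying the function twice gives the same result as applying it once. */
function is_idempotent(callable $sanitizer, string $sample): bool
{
    $once = $sanitizer($sample);
    return $sanitizer($once) === $once;
}

$title = 'XX Monthly WAN Report';   // constructed sample, no semicolons or quotes

foreach (['sanitize_old', 'sanitize_qstr', 'sanitize_strip'] as $fn) {
    printf("%-15s idempotent on title: %s\n", $fn, is_idempotent($fn, $title) ? 'yes' : 'NO');
    for ($n = 1; $n <= 3; $n++) {
        printf("  after %d save(s): %s\n", $n, round_trip($fn, $title, $n));
    }
}
// sanitize_qstr grows on every save:
//   'XX Monthly WAN Report'
//   '\'XX Monthly WAN Report\''
//   '\'\\\'XX Monthly WAN Report\\\'\''

// The old sanitizer has the same defect, it just triggers on a rarer character,
// which is why it "seemed to work fine" for report titles and e-mail addresses:
printf("sanitize_old on 'a;b' after 3 saves: %s\n", round_trip('sanitize_old', 'a;b', 3));
//   a\\\;b

// Why stripslashes() "worked" on GlueGuy's system: if an earlier layer (magic_quotes_gpc,
// or any wrapper that runs addslashes() over every $_POST field) has already escaped the
// input, a single stripslashes() returns exactly what the user typed. Constructed input:
$posted = addslashes("Bob's 'Q4' report");   // what $_POST['name'] would hold in that case
printf("posted: %s  -> stored: %s\n", $posted, sanitize_strip($posted));
//   posted: Bob\'s \'Q4\' report  -> stored: Bob's 'Q4' report
```

The is_idempotent() check is the one to keep around: it is a cheap unit test for any function that sits between a form field and a stored column. The broader point for a plugin author is that quoting and escaping belong at the query boundary (a parameterised statement, or the driver's qstr() applied once when the SQL is built), never to the value that is written into the database; once a pre-escaped value is stored, every later read/edit/save cycle adds another layer, which is exactly the runaway Howie reported, and it also means stripslashes() only helps when the input really did arrive with one extra layer of slashes, as it does under magic quotes.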
tbilan
Posts: 15
Joined: Fri Sep 14, 2012 6:57 pm

Re: Nectar - runaway escaping of strings?

Post by tbilan »

My install was CentOS 7.

The old sanitize function seemed to work fine so I just stuck with that but I didn't want to modify the core Cacti code so that's why I just tweaked the Nectar code. It'll make upgrading Cacti easier down the road.
GlueGuy
Cacti User
Posts: 255
Joined: Fri Nov 04, 2005 3:37 pm
Location: Ca US

Re: Nectar - runaway escaping of strings?

Post by GlueGuy »

tbilan wrote: My install was CentOS 7.

The old sanitize function seemed to work fine so I just stuck with that but I didn't want to modify the core Cacti code so that's why I just tweaked the Nectar code. It'll make upgrading Cacti easier down the road.
It might be different on CentOS 7? Dunno. I tried several ways to deal with it in "just" sql_sanitize(), but nothing seemed to work. Perhaps I should have just stuck stripslashes() in as an alias for sql_sanitize()?
MrRat
Cacti User
Posts: 136
Joined: Thu Jan 07, 2010 10:33 am

Re: Nectar - runaway escaping of strings?

Post by MrRat »

This is fixed in 0.8.8g rev 7768
phalek
Developer
Posts: 2838
Joined: Thu Jan 31, 2008 6:39 am
Location: Kressbronn, Germany

Re: Nectar - runaway escaping of strings?

Post by phalek »

GlueGuy, this may just be the "magic quotes" setting in php ( http://php.net/manual/de/security.magicquotes.php ) . It's deprecated in 5.3 and removed in 5.4, but was doing automatic quoting of strings.
Greetings,
Phalek
---
Need more help ? Read the Cacti documentation or my new Cacti 1.x Book
Need on-site support ? Look here Cacti Workshop
Need professional Cacti support ? Look here CereusService
---
Plugins : CereusReporting
GlueGuy
Cacti User
Posts: 255
Joined: Fri Nov 04, 2005 3:37 pm
Location: Ca US

Re: Nectar - runaway escaping of strings?

Post by GlueGuy »

phalek wrote: GlueGuy, this may just be the "magic quotes" setting in php ( http://php.net/manual/de/security.magicquotes.php ) . It's deprecated in 5.3 and removed in 5.4, but was doing automatic quoting of strings.
I checked that, and magic quotes are all turned off in the php.ini.

I understand that this is fixed in 0.8.8g. I've looked at the SVN, and it appears that the function of sql_sanitize() has gone back to the previous implementation. However, there are other changes as well. I guess we'll see when 0.8.8g comes out.

In the mean time, I've got it working on our cacti system by replacing sql_sanitize() with stripslashes().
mini4mw2
Posts: 18
Joined: Fri Sep 02, 2016 8:44 am

Re: Nectar - runaway escaping of strings?

Post by mini4mw2 »

I'm running Cacti 0.8.8f and tbilan's instructions worked for me, editing only the nectar_webapi.php
Gluntzmaster
Posts: 17
Joined: Wed Oct 13, 2010 4:53 am

Re: Nectar - runaway escaping of strings?

Post by Gluntzmaster »

mini4mw2 wrote: I'm running Cacti 0.8.8f and tbilan's instructions worked for me, editing only the nectar_webapi.php
Likewise. Thanks tbilan !

Leo
You'll have to pay me to use Windows