Your message dated Sun, 6 May 2012 09:20:29 +0200
with message-id <20120506072029.ga8...@smithers.snow-crash.org>
and subject line Re: Bug#641684: Quote character not escaped correctly for Postgresql
has caused the Debian Bug report #641684,
regarding Quote character not escaped correctly for Postgresql
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
641684: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641684
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: icinga-idoutils
Version: 1.5.1-1
Severity: normal
IDO utils is incorrectly escaping characters such as ' for postgresql.
From the postgresql logs (running 9.1):
2011-09-15 17:12:18 EST ERROR: syntax error at or near "5" at character 184
2011-09-15 17:12:18 EST STATEMENT: UPDATE icinga_servicestatus SET
instance_id=1, service_object_id=201,
status_update_time=FROM_UNIXTIME(1316070738), output='CPU Load 22% (5
min average)', long_output='', perfdata='\'5 min avg
Load\'=22%;80;90;0;100', current_state=0, has_been_checked=1,
should_be_scheduled=1, current_check_attempt=1, max_check_attempts=4,
last_check=FROM_UNIXTIME(1316070728),
next_check=FROM_UNIXTIME(1316071028), check_type=0,
last_state_change=FROM_UNIXTIME(1315926986),
last_hard_state_change=FROM_UNIXTIME(1315816267), last_hard_state=0,
last_time_ok=FROM_UNIXTIME(1316070728),
last_time_warning=FROM_UNIXTIME(1315926926),
last_time_unknown=FROM_UNIXTIME(0),
last_time_critical=FROM_UNIXTIME(1315815967), state_type=1,
last_notification=FROM_UNIXTIME(0),
next_notification=FROM_UNIXTIME(0), no_more_notifications=0,
notifications_enabled=1, problem_has_been_acknowledged=0,
acknowledgement_type=0, current_notification_number=0,
passive_checks_enabled=1, active_checks_enabled=1,
event_handler_enabled=1, flap_detection_enabled=1, is_flapping=0,
percent_state_change='0.000000', latency='0.816000',
execution_time='0.190820', scheduled_downtime_depth=0,
failure_prediction_enabled=1, process_performance_data=1,
obsess_over_service=1, modified_service_attributes=0,
event_handler='', check_command='my_check_nt!CPULOAD!-l 5,80,90',
normal_check_interval='5.000000', retry_check_interval='1.000000',
check_timeperiod_object_id=174 WHERE service_object_id=201
Running the command manually, sanitized and a few minutes after the logged run:
> /usr/lib/nagios/plugins/check_nt -H ###.###.###.### -v CPULOAD -l 5,80,90 -s
> XXXX -p 12489
CPU Load 21% (5 min average) | '5 min avg Load'=21%;80;90;0;100
Browsing the source it looks like escaping is done in db.c:2335
ido2db_db_escape_string() by adding a \ in front of a ' character.
This is causing the problems; I believe postgresql wants a '' instead
of a \'.
It should however be done properly using libpq's PQescapeLiteral. It
also protects against multibyte SQL injection attacks that the
previous method doesn't. Chris Shiflett did a decent writeup of this
problem several years ago [1]; the vulnerability looks to extend to
all the databases in use.
[1]: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
David
-- System Information:
Debian Release: wheezy/sid
APT prefers stable
APT policy: (800, 'stable'), (750, 'testing'), (600, 'unstable'),
(500, 'oldstable'), (150, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.39+ (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages icinga-idoutils depends on:
ii dbconfig-common 1.8.47 common framework for packaging dat
ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy
ii icinga-common 1.5.1-1 host and network monitoring system
ii libc6 2.13-18 Embedded GNU C Library: Shared lib
ii libdbd-mysql 0.8.3-1+s-2.1 MySQL database server driver for l
ii libdbd-pgsql 0.8.3-1+s-2.1 PostgreSQL database server driver
ii libdbi1 0.8.4-5.1 DB Independent Abstraction Layer f
ii lsb-base 3.2-28 Linux Standard Base 3.2 init scrip
ii ucf 3.0025+nmu2 Update Configuration File: preserv
Versions of packages icinga-idoutils recommends:
ii mysql-client-5.1 [mysql-clien 5.1.49-3 MySQL database client binaries
ii postgresql-client 9.1+121 front-end programs for PostgreSQL
ii postgresql-client-9.0 [postgr 9.0.4-2 front-end programs for PostgreSQL
ii postgresql-client-9.1 [postgr 9.1~rc1-3 front-end programs for PostgreSQL
icinga-idoutils suggests no packages.
-- debconf information:
icinga-idoutils/dbconfig-upgrade: true
icinga-idoutils/mysql/method: unix socket
icinga-idoutils/db/dbname: icinga
icinga-idoutils/dbconfig-remove:
icinga-idoutils/missing-db-package-error: abort
icinga-idoutils/install-error: retry
icinga-idoutils/pgsql/authmethod-admin: ident
icinga-idoutils/pgsql/admin-user: postgres
icinga-idoutils/internal/reconfiguring: false
icinga-idoutils/purge: false
icinga-idoutils/pgsql/changeconf: false
icinga-idoutils/db/basepath:
icinga-idoutils/database-type: pgsql
icinga-idoutils/upgrade-error: abort
icinga-idoutils/pgsql/method: unix socket
icinga-idoutils/remote/port:
icinga-idoutils/internal/skip-preseed: true
icinga-idoutils/dbconfig-reinstall: false
icinga-idoutils/upgrade-backup: true
icinga-idoutils/remove-error: abort
* icinga-idoutils/dbconfig-install: false
icinga-idoutils/pgsql/manualconf:
icinga-idoutils/passwords-do-not-match:
icinga-idoutils/pgsql/authmethod-user: password
icinga-idoutils/pgsql/no-empty-passwords:
icinga-idoutils/db/app-user: icingaidoutils
icinga-idoutils/remote/host:
icinga-idoutils/mysql/admin-user: root
icinga-idoutils/remote/newhost:
--- End Message ---
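An added illustration (not code from the report or from icinga-idoutils) of why the backslash form breaks on PostgreSQL 9.1: with standard_conforming_strings on, the default since 9.1, the lexer treats a backslash inside a plain literal as an ordinary byte, so the literal closes at the next quote and the rest of the perfdata is what produces the "syntax error at or near "5"" in the log. quote_with_backslashes, quote_by_doubling and literal_extent are my own names, and literal_extent is a deliberately minimal model of the lexer (no E'' strings, no dollar quoting); the proper fix the report names is libpq's PQescapeLiteral, which also accounts for the connection's client encoding.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape in by the chosen rule and wrap it in single quotes; caller frees. */
static char *quote_literal(const char *in, int use_backslash) {
    char *out = malloc(2 * strlen(in) + 3), *p = out;
    *p++ = '\'';
    for (; *in; in++) {
        if (*in == '\'') *p++ = use_backslash ? '\\' : '\'';
        *p++ = *in;
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* addslashes-style form the report attributes to ido2db_db_escape_string(): \' */
char *quote_with_backslashes(const char *in) { return quote_literal(in, 1); }
/* SQL-standard form PostgreSQL expects: '' */
char *quote_by_doubling(const char *in) { return quote_literal(in, 0); }

/* Number of bytes the PostgreSQL lexer (standard_conforming_strings = on)
 * takes as the literal starting at sql[0], including both quotes, or -1 if
 * it never closes. A backslash is an ordinary byte; only a doubled quote
 * keeps the lexer inside the literal. Simplified model, constructed here. */
long literal_extent(const char *sql) {
    if (sql[0] != '\'') return -1;
    for (size_t i = 1; sql[i]; i++) {
        if (sql[i] != '\'') continue;
        if (sql[i + 1] == '\'') { i++; continue; } /* '' stays inside */
        return (long)i + 1;                         /* closing quote */
    }
    return -1;
}

int main(void) {
    /* perfdata string from the check_nt output quoted in the report */
    const char *perf = "'5 min avg Load'=22%;80;90;0;100";
    char *forms[2] = { quote_with_backslashes(perf), quote_by_doubling(perf) };
    for (int k = 0; k < 2; k++) {
        long n = literal_extent(forms[k]);
        printf("%s\n  literal ends after %ld bytes; parser continues at: %s\n",
               forms[k], n, n < 0 ? "(unterminated)" : forms[k] + n);
        free(forms[k]);
    }
    return 0;
}
```

For the backslash form the literal is just `'\'` (3 bytes) and parsing resumes at `5 min avg Load...`, matching the logged error; for the doubled form the whole perfdata is one literal.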
--- Begin Message ---
David Tulloh wrote on Thursday, 15 September 2011:
> Package: icinga-idoutils
> Version: 1.5.1-1
> Severity: normal
>
> IDO utils is incorrectly escaping characters such as ' for postgresql.
>
> From the postgresql logs (running 9.1):
> 2011-09-15 17:12:18 EST ERROR: syntax error at or near "5" at character 184
> 2011-09-15 17:12:18 EST STATEMENT: UPDATE icinga_servicestatus SET
> instance_id=1, service_object_id=201,
> status_update_time=FROM_UNIXTIME(1316070738), output='CPU Load 22% (5
> min average)', long_output='', perfdata='\'5 min avg
> Load\'=22%;80;90;0;100', current_state=0, has_been_checked=1,
> should_be_scheduled=1, current_check_attempt=1, max_check_attempts=4,
> last_check=FROM_UNIXTIME(1316070728),
> next_check=FROM_UNIXTIME(1316071028), check_type=0,
> last_state_change=FROM_UNIXTIME(1315926986),
> last_hard_state_change=FROM_UNIXTIME(1315816267), last_hard_state=0,
> last_time_ok=FROM_UNIXTIME(1316070728),
> last_time_warning=FROM_UNIXTIME(1315926926),
> last_time_unknown=FROM_UNIXTIME(0),
> last_time_critical=FROM_UNIXTIME(1315815967), state_type=1,
> last_notification=FROM_UNIXTIME(0),
> next_notification=FROM_UNIXTIME(0), no_more_notifications=0,
> notifications_enabled=1, problem_has_been_acknowledged=0,
> acknowledgement_type=0, current_notification_number=0,
> passive_checks_enabled=1, active_checks_enabled=1,
> event_handler_enabled=1, flap_detection_enabled=1, is_flapping=0,
> percent_state_change='0.000000', latency='0.816000',
> execution_time='0.190820', scheduled_downtime_depth=0,
> failure_prediction_enabled=1, process_performance_data=1,
> obsess_over_service=1, modified_service_attributes=0,
> event_handler='', check_command='my_check_nt!CPULOAD!-l 5,80,90',
> normal_check_interval='5.000000', retry_check_interval='1.000000',
> check_timeperiod_object_id=174 WHERE service_object_id=201
>
> Running the command manually, sanitized and a few minutes after the logged
> run:
> > /usr/lib/nagios/plugins/check_nt -H ###.###.###.### -v CPULOAD -l 5,80,90
> > -s XXXX -p 12489
> CPU Load 21% (5 min average) | '5 min avg Load'=21%;80;90;0;100
>
> Browsing the source it looks like escaping is done in db.c:2335
> ido2db_db_escape_string() by adding a \ in front of a ' character.
> This is causing the problems; I believe postgresql wants a '' instead
> of a \'.
>
> It should however be done properly using libpq's PQescapeLiteral. It
> also protects against multibyte SQL injection attacks that the
> previous method doesn't. Chris Shiflett did a decent writeup of this
> problem several years ago [1]; the vulnerability looks to extend to
> all the databases in use.
>
> [1]: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
This bug will finally be fixed in 1.7.0, but with my last upload I created a
workaround. Therefore I close this bug now. If you find other postgresql
related problems, please come back.
Thanks
Alex
--- End Message ---