Hi,
When receiving a malformed request, sent by Thruk for generating an
availability report based on a custom time period, livestatus broker
module crashes :
GET log
Columns: class time type state host_name service_description
plugin_output message contact_name command_name state_type
current_host_groups current_service_groups
Filter: time >= 0
Filter: time <=
And: 2
Filter: host_name = shinken
Filter: type = HOST ALERT
Filter: options ~ ;HARD;
Filter: type = INITIAL HOST STATE
Filter: options ~ ;HARD;
Filter: type = CURRENT HOST STATE
Filter: options ~ ;HARD;
Filter: type = HOST DOWNTIME ALERT
Or: 7
And: 2
Filter: host_name = shinken
Filter: type = SERVICE ALERT
Filter: options ~ ;HARD;
Filter: type = INITIAL SERVICE STATE
Filter: options ~ ;HARD;
Filter: type = CURRENT SERVICE STATE
Filter: options ~ ;HARD;
Filter: type = SERVICE DOWNTIME ALERT
Or: 7
And: 2
Filter: class = 2
Or: 3
OutputFormat: json
ResponseHeader: fixed16
This request is malformed (the second 'time' filter lacks a value, it
should be the current date & time), and the livestatus module crashes
when calling the int() converter on '' :
Traceback (most recent call last):
File "/usr/lib/python2.6/multiprocessing/process.py", line 232, in
_bootstrap
self.run()
File "/usr/lib/python2.6/multiprocessing/process.py", line 88, in
run
self._target(*self._args, **self._kwargs)
File
"/usr/local/lib/python2.6/dist-packages/Shinken-0.4-py2.6.egg/shinken/modules/livestatus_broker/livestatus_broker.py",
line 866, in main
response, keepalive =
self.livestatus.handle_request(open_connections[socketid]['buffer'].rstrip())
File
"/usr/local/lib/python2.6/dist-packages/Shinken-0.4-py2.6.egg/shinken/modules/livestatus_broker/livestatus.py",
line 6105, in handle_request
reference = converter(reference)
ValueError: invalid literal for int() with base 10: ''
I also spotted that livestatus crashes when received more generally
malformed livestatus requests like :
toto GET hosts
I attached a little fix to livestatus.py that replace non-specified
value in filters by :
* current date & time if attribute is 'time'
* 0 if the attribute should be an integer or a float
* '' else
This fix adds also a little piece of code to help detect and deal with
malformed requests.
Hope this helps,
Laurent
6051a6052,6055
>
> # Did we see the "GET" directive ?
> _get_directive_seen = False
>
6054c6058
< if line.find('GET ') != -1:
---
> if not _get_directive_seen and line.startswith('GET '):
6057c6061,6062
< elif line.find('Columns: ') != -1:
---
> _get_directive_seen = True
> elif _get_directive_seen and line.startswith('Columns: '):
6063c6068
< elif line.find('ResponseHeader:') != -1:
---
> elif _get_directive_seen and line.startswith('ResponseHeader:'):
6067c6072
< elif line.find('OutputFormat:') != -1:
---
> elif _get_directive_seen and line.startswith('OutputFormat:'):
6072c6077
< elif line.find('KeepAlive:') != -1:
---
> elif _get_directive_seen and line.startswith('KeepAlive:'):
6075c6080
< elif line.find('ColumnHeaders:') != -1:
---
> elif _get_directive_seen and line.startswith('ColumnHeaders:'):
6078c6083
< elif line.find('Limit:') != -1:
---
> elif _get_directive_seen and line.startswith('Limit:'):
6081c6086
< elif line.find('Filter:') != -1:
---
> elif _get_directive_seen and line.startswith('Filter:'):
6084a6090,6091
> # Malformed filter : missing a value after the operator !!
> print "Missing value in filter: %s" % line
6098a6106,6112
> # try to correct the value in case of malformed filter (no value specified)
> if reference == '':
> if attribute == 'time':
> reference = time.time()
> elif converter == int or converter == float :
> reference = 0
> print "Filter corrected to: %s %s" % (line, reference)
6108c6122
< elif line.find('And: ', 0, 5) != -1:
---
> elif _get_directive_seen and line.startswith('And: '):
6114c6128
< elif line.find('Or: ', 0, 4) != -1:
---
> elif _get_directive_seen and line.startswith('Or: '):
6120c6134
< elif line.find('StatsGroupBy: ') != -1:
---
> elif _get_directive_seen and line.startswith('StatsGroupBy: '):
6127c6141
< elif line.find('Stats: ') != -1:
---
> elif _get_directive_seen and line.startswith('Stats: '):
6159c6173
< elif line.find('StatsAnd: ') != -1:
---
> elif _get_directive_seen and line.startswith('StatsAnd: '):
6162c6176
< elif line.find('StatsOr: ') != -1:
---
> elif _get_directive_seen and line.startswith('StatsOr: '):
6165c6179
< elif line.find('Separators: ') != -1:
---
> elif _get_directive_seen and line.startswith('Separators: '):
6168c6182
< elif line.find('COMMAND') != -1:
---
> elif _get_directive_seen and line.startswith('COMMAND'):
6174a6189,6193
> if not _get_directive_seen:
> # We did not received a valid request
> print "Malformed request, giving up..."
> return '\n', keepalive
>
6232c6251,6252
<
---
> return '\n', keepalive
>
6238c6258
< print "REQUEST", data
---
> #print "REQUEST", data
------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web. Learn how to
best implement a security strategy that keeps consumers' information secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Shinken-devel mailing list
Shinken-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shinken-devel
