Hi,

When receiving a malformed request, sent by Thruk for generating an availability report based on a custom time period, the livestatus broker module crashes:

    GET log
    Columns: class time type state host_name service_description plugin_output message contact_name command_name state_type current_host_groups current_service_groups
    Filter: time >= 0
    Filter: time <=
    And: 2
    Filter: host_name = shinken
    Filter: type = HOST ALERT
    Filter: options ~ ;HARD;
    Filter: type = INITIAL HOST STATE
    Filter: options ~ ;HARD;
    Filter: type = CURRENT HOST STATE
    Filter: options ~ ;HARD;
    Filter: type = HOST DOWNTIME ALERT
    Or: 7
    And: 2
    Filter: host_name = shinken
    Filter: type = SERVICE ALERT
    Filter: options ~ ;HARD;
    Filter: type = INITIAL SERVICE STATE
    Filter: options ~ ;HARD;
    Filter: type = CURRENT SERVICE STATE
    Filter: options ~ ;HARD;
    Filter: type = SERVICE DOWNTIME ALERT
    Or: 7
    And: 2
    Filter: class = 2
    Or: 3
    OutputFormat: json
    ResponseHeader: fixed16

This request is malformed (the second 'time' filter lacks a value, it should be the current date & time), and the livestatus module crashes when calling the int() converter on '':

    Traceback (most recent call last):
      File "/usr/lib/python2.6/multiprocessing/process.py", line 232, in _bootstrap
        self.run()
      File "/usr/lib/python2.6/multiprocessing/process.py", line 88, in run
        self._target(*self._args, **self._kwargs)
      File "/usr/local/lib/python2.6/dist-packages/Shinken-0.4-py2.6.egg/shinken/modules/livestatus_broker/livestatus_broker.py", line 866, in main
        response, keepalive = self.livestatus.handle_request(open_connections[socketid]['buffer'].rstrip())
      File "/usr/local/lib/python2.6/dist-packages/Shinken-0.4-py2.6.egg/shinken/modules/livestatus_broker/livestatus.py", line 6105, in handle_request
        reference = converter(reference)
    ValueError: invalid literal for int() with base 10: ''

I also spotted that livestatus crashes when it receives more generally malformed livestatus requests like:

    toto GET hosts

I attached a little fix to livestatus.py that replaces non-specified values in filters by:

* current date & time if attribute is 'time'
* 0 if the attribute should be an integer or a float
* '' else

This fix also adds a little piece of code to help detect and deal with malformed requests.

Hope this helps,
Laurent

6051a6052,6055 > > # Did we see the "GET" directive ? > _get_directive_seen = False > 6054c6058 < if line.find('GET ') != -1: --- > if not _get_directive_seen and line.startswith('GET '): 6057c6061,6062 < elif line.find('Columns: ') != -1: --- > _get_directive_seen = True > elif _get_directive_seen and line.startswith('Columns: '): 6063c6068 < elif line.find('ResponseHeader:') != -1: --- > elif _get_directive_seen and line.startswith('ResponseHeader:'): 6067c6072 < elif line.find('OutputFormat:') != -1: --- > elif _get_directive_seen and line.startswith('OutputFormat:'): 6072c6077 < elif line.find('KeepAlive:') != -1: --- > elif _get_directive_seen and line.startswith('KeepAlive:'): 6075c6080 < elif line.find('ColumnHeaders:') != -1: --- > elif _get_directive_seen and line.startswith('ColumnHeaders:'): 6078c6083 < elif line.find('Limit:') != -1: --- > elif _get_directive_seen and line.startswith('Limit:'): 6081c6086 < elif line.find('Filter:') != -1: --- > elif _get_directive_seen and line.startswith('Filter:'): 6084a6090,6091 > # Malformed filter : missing a value after the operator !! 
> print "Missing value in filter: %s" % line 6098a6106,6112 > # try to correct the value in case of malformed filter (no value specified) > if reference == '': > if attribute == 'time': > reference = time.time() > elif converter == int or converter == float : > reference = 0 > print "Filter corrected to: %s %s" % (line, reference) 6108c6122 < elif line.find('And: ', 0, 5) != -1: --- > elif _get_directive_seen and line.startswith('And: '): 6114c6128 < elif line.find('Or: ', 0, 4) != -1: --- > elif _get_directive_seen and line.startswith('Or: '): 6120c6134 < elif line.find('StatsGroupBy: ') != -1: --- > elif _get_directive_seen and line.startswith('StatsGroupBy: '): 6127c6141 < elif line.find('Stats: ') != -1: --- > elif _get_directive_seen and line.startswith('Stats: '): 6159c6173 < elif line.find('StatsAnd: ') != -1: --- > elif _get_directive_seen and line.startswith('StatsAnd: '): 6162c6176 < elif line.find('StatsOr: ') != -1: --- > elif _get_directive_seen and line.startswith('StatsOr: '): 6165c6179 < elif line.find('Separators: ') != -1: --- > elif _get_directive_seen and line.startswith('Separators: '): 6168c6182 < elif line.find('COMMAND') != -1: --- > elif _get_directive_seen and line.startswith('COMMAND'): 6174a6189,6193 > if not _get_directive_seen: > # We did not received a valid request > print "Malformed request, giving up..." > return '\n', keepalive > 6232c6251,6252 < --- > return '\n', keepalive > 6238c6258 < print "REQUEST", data --- > #print "REQUEST", data
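
Review bot: in the hunk at 6098a6106,6112 only `reference == ''` is handled, so a non-empty value that is not a number still reaches `reference = converter(reference)` and raises the same ValueError shown in the traceback. Wrap the conversion in a try/except ValueError and answer with an error rather than letting it propagate. Substituting 0 or the current time also silently changes what the query means, so rejecting the request may be the safer default than guessing a value.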
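
Review bot: at 6168c6182 the COMMAND branch is now gated on `_get_directive_seen`, but a Livestatus external command is sent as a request of its own that starts with `COMMAND` and has no GET line before it. With this change such a request can never match the branch and ends up in the new `if not _get_directive_seen:` block as a malformed request. Test `line.startswith('COMMAND')` without the GET guard and treat a COMMAND line as a valid request start.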
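
Review bot: in 6174a6189,6193 a malformed request is answered with a bare `'\n'`, which a client cannot tell apart from an empty result, and the only trace is a `print` on the broker side. Return an explicit error to the caller so that a front end such as Thruk can report the failure, and send the diagnostic through the module's logging rather than stdout.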
_______________________________________________
Shinken-devel mailing list
Shinken-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shinken-devel
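
As an added example (not part of the original post and not Shinken's code): a strict parser for the request shape discussed above that turns a missing or non-numeric filter value, or a request that does not start with GET, into an error reply instead of an uncaught ValueError. The `CONVERTERS` table, the `BadRequest` class, the 400 code and the sample requests are assumptions constructed for illustration.

```python
# Hypothetical column -> converter table; the real module derives its
# converters from its own column definitions.
CONVERTERS = {"time": int, "class": int, "state": int}
# Subset of Livestatus filter operators, enough for the request above.
OPERATORS = ("=", "~", "!=", "<", ">", "<=", ">=")

class BadRequest(ValueError):
    """A request the parser refuses, as opposed to one that crashes it."""

def parse_filter(line):
    """Parse 'Filter: <attr> <op> <value>' into (attr, op, typed value)."""
    parts = line[len("Filter:"):].strip().split(None, 2)
    if len(parts) < 2 or parts[1] not in OPERATORS:
        raise BadRequest("malformed filter: %r" % line)
    attribute, operator = parts[0], parts[1]
    raw = parts[2] if len(parts) == 3 else ""
    converter = CONVERTERS.get(attribute, str)
    try:
        return attribute, operator, converter(raw)
    except ValueError:
        # int('') and int('abc') both land here: this is the crash site
        # from the traceback, converted into a controlled rejection.
        raise BadRequest("bad %s value %r in %r"
                         % (converter.__name__, raw, line))

def parse_request(data):
    lines = [l for l in data.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("GET "):
        raise BadRequest("request must start with a GET directive")
    table = lines[0][len("GET "):].strip()
    filters = [parse_filter(l) for l in lines[1:] if l.startswith("Filter:")]
    return table, filters

def handle_request(data):
    """Never let a parse error escape the handler: reply with an error."""
    try:
        return 200, parse_request(data)
    except BadRequest as exc:
        return 400, str(exc)  # 400 is this example's own error code

# Constructed samples, trimmed from the request quoted in the report.
SAMPLE_BAD = "GET log\nFilter: time >= 0\nFilter: time <= \nOutputFormat: json\n"
SAMPLE_OK = "GET log\nFilter: time >= 0\nFilter: time <= 1300000000\n"

if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_OK, "toto GET hosts"):
        print(handle_request(sample))
```
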