tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4 from uchida/escape-quotes-in-alert-command-arg 

Quote and escape alert macro for shell-evaluation safety.
This commit is contained in:
Akihiro Uchida 2014-11-26 19:35:32 +09:00
parent 12160c9a2d 902917dea9
commit f8346732cc
1 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
pandora_server/lib/PandoraFMS/Core.pm
View File

@ -110,6 +110,7 @@ use threads;
use threads::shared; use threads::shared;
use JSON qw(decode_json encode_json); use JSON qw(decode_json encode_json);
use MIME::Base64; use MIME::Base64;
use Text::ParseWords;
# Debugging # Debugging
#use Data::Dumper; #use Data::Dumper;
@ -893,7 +894,12 @@ sub pandora_execute_action ($$$$$$$$$;$) {
$macros{_field9_} = subst_alert_macros ($field9, \%macros, $pa_config, $dbh, $agent, $module); $macros{_field9_} = subst_alert_macros ($field9, \%macros, $pa_config, $dbh, $agent, $module);
$macros{_field10_} = subst_alert_macros ($field10, \%macros, $pa_config, $dbh, $agent, $module); $macros{_field10_} = subst_alert_macros ($field10, \%macros, $pa_config, $dbh, $agent, $module);
my $command = subst_alert_macros (decode_entities ($action->{'command'}), \%macros, $pa_config, $dbh, $agent, $module); my @command_args = ();
# divide command into words based on quotes and whitespaces
foreach my $word (quotewords('\s+', 1, (decode_entities($action->{'command'})))) {
push @command_args, subst_alert_macros($word, \%macros, $pa_config, $dbh, $agent, $module);
}
my $command = join(' ', @command_args);
logger($pa_config, "Executing command '$command' for action '" . safe_output($action->{'name'}) . "' alert '". safe_output($alert->{'name'}) . "' agent '" . (defined ($agent) ? safe_output($agent->{'nombre'}) : 'N/A') . "'.", 8); logger($pa_config, "Executing command '$command' for action '" . safe_output($action->{'name'}) . "' alert '". safe_output($alert->{'name'}) . "' agent '" . (defined ($agent) ? safe_output($agent->{'nombre'}) : 'N/A') . "'.", 8);
eval { eval {
@ -3258,11 +3264,27 @@ sub subst_alert_macros ($$;$$$$) {
my $macro_regexp = join('|', keys %{$macros}); my $macro_regexp = join('|', keys %{$macros});
my $subst_func;
if ($string =~ m/^(?:(")(?:.*)"|(')(?:.*)')$/) {
my $quote = $1 ? $1 : $2;
$subst_func = sub {
my $macro = on_demand_macro($pa_config, $dbh, shift, $macros, $agent, $module);
$macro =~ s/'/'\\''/g; # close, escape, open
return decode_entities($quote . "'" . $macro . "'" . $quote); # close, quote, open
};
}
else {
$subst_func = sub {
my $macro = on_demand_macro($pa_config, $dbh, shift, $macros, $agent, $module);
return decode_entities($macro);
};
}
# Macro data may contain HTML entities # Macro data may contain HTML entities
eval { eval {
no warnings; no warnings;
local $SIG{__DIE__}; local $SIG{__DIE__};
$string =~ s/($macro_regexp)/decode_entities(on_demand_macro($pa_config, $dbh, $1, $macros, $agent, $module))/ige; $string =~ s/($macro_regexp)/$subst_func->($1)/ige;
}; };
return $string; return $string;