Bug#641684: Quote character not escaped correctly for Postgresql

2012-03-13 Thread Stefan Bühler
severity 641684 grave
thanks

This bug makes the package unusable unless the mentioned workarounds 
are applied, as it doesn't work with the default postgres server on 
wheezy (9.1 right now).

Even with the workaround applied the log gets spammed:
2012-03-13 10:33:51 UTC WARNING:  nonstandard use of \' in a string literal at 
character 100
2012-03-13 10:33:51 UTC HINT:  Use '' to write quotes in strings, or use the 
escape string syntax (E'...').

The upstream bug https://dev.icinga.org/issues/1974 looks fixed now.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#641684: [Pkg-nagios-devel] Bug#641684: Quote character not escaped correctly for Postgresql

2012-03-13 Thread Michael Friedrich

-------- Original Message --------
Subject: [Pkg-nagios-devel] Bug#641684: Quote character not escaped
correctly for Postgresql
From: Stefan Bühler light...@stbuehler.de
To: cont...@bugs.debian.org, 641...@bugs.debian.org
Date: 2012-03-13 11:40

> severity 641684 grave
> thanks
>
> This bug makes the package unusable unless the mentioned workarounds
> are applied, as it doesn't work with the default postgres server on
> wheezy (9.1 right now).

fixed in upstream git for 1.7
https://dev.icinga.org/issues/1974

testers welcome.

> Even with the workaround applied the log gets spammed:
> 2012-03-13 10:33:51 UTC WARNING:  nonstandard use of \' in a string literal at
> character 100
> 2012-03-13 10:33:51 UTC HINT:  Use '' to write quotes in strings, or use the
> escape string syntax (E'...').
>
> The upstream bug https://dev.icinga.org/issues/1974 looks fixed now.






--
DI (FH) Michael Friedrich

Vienna University Computer Center
Universitaetsstrasse 7 A-1010 Vienna, Austria

email:  michael.friedr...@univie.ac.at
phone:  +43 1 4277 14359
mobile: +43 664 60277 14359
fax:    +43 1 4277 14338
web:http://www.univie.ac.at/zid
http://www.aco.net

Lead Icinga Core Developer
http://www.icinga.org







Bug#641684: Quote character not escaped correctly for Postgresql

2011-09-15 Thread David Tulloh
Package: icinga-idoutils
Version: 1.5.1-1
Severity: normal

IDO utils is incorrectly escaping characters such as ' for postgresql.

From the postgresql logs (running 9.1):
2011-09-15 17:12:18 EST ERROR:  syntax error at or near 5 at character 184
2011-09-15 17:12:18 EST STATEMENT:  UPDATE icinga_servicestatus SET
instance_id=1, service_object_id=201,
status_update_time=FROM_UNIXTIME(1316070738), output='CPU Load 22% (5
min average)', long_output='', perfdata='\'5 min avg
Load\'=22%;80;90;0;100', current_state=0, has_been_checked=1,
should_be_scheduled=1, current_check_attempt=1, max_check_attempts=4,
last_check=FROM_UNIXTIME(1316070728),
next_check=FROM_UNIXTIME(1316071028), check_type=0,
last_state_change=FROM_UNIXTIME(1315926986),
last_hard_state_change=FROM_UNIXTIME(1315816267), last_hard_state=0,
last_time_ok=FROM_UNIXTIME(1316070728),
last_time_warning=FROM_UNIXTIME(1315926926),
last_time_unknown=FROM_UNIXTIME(0),
last_time_critical=FROM_UNIXTIME(1315815967), state_type=1,
last_notification=FROM_UNIXTIME(0),
next_notification=FROM_UNIXTIME(0), no_more_notifications=0,
notifications_enabled=1, problem_has_been_acknowledged=0,
acknowledgement_type=0, current_notification_number=0,
passive_checks_enabled=1, active_checks_enabled=1,
event_handler_enabled=1, flap_detection_enabled=1, is_flapping=0,
percent_state_change='0.00', latency='0.816000',
execution_time='0.190820', scheduled_downtime_depth=0,
failure_prediction_enabled=1, process_performance_data=1,
obsess_over_service=1, modified_service_attributes=0,
event_handler='', check_command='my_check_nt!CPULOAD!-l 5,80,90',
normal_check_interval='5.00', retry_check_interval='1.00',
check_timeperiod_object_id=174 WHERE service_object_id=201

Running the command manually, sanitized and a few minutes after the logged run:
 /usr/lib/nagios/plugins/check_nt -H ###.###.###.### -v CPULOAD -l 5,80,90 -s 
  -p 12489
CPU Load 21% (5 min average) |   '5 min avg Load'=21%;80;90;0;100

Browsing the source it looks like escaping is done in db.c:2335
ido2db_db_escape_string() by adding a \ in front of a ' character,
which is causing the problems; I believe postgresql wants a '' instead
of a \'.

It should however be done properly using libpq's PQescapeLiteral.  It
also protects against multibyte SQL injection attacks that the
previous method doesn't.  Chris Shiflett did a decent writeup of this
problem several years ago [1], the vulnerability looks to extend to
all the databases in use.

[1]: 
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string


David

-- System Information:
Debian Release: wheezy/sid
  APT prefers stable
  APT policy: (800, 'stable'), (750, 'testing'), (600, 'unstable'),
(500, 'oldstable'), (150, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.39+ (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages icinga-idoutils depends on:
ii  dbconfig-common1.8.47common framework for packaging dat
ii  debconf [debconf-2.0]  1.5.36.1  Debian configuration management sy
ii  icinga-common  1.5.1-1   host and network monitoring system
ii  libc6  2.13-18   Embedded GNU C Library: Shared lib
ii  libdbd-mysql   0.8.3-1+s-2.1 MySQL database server driver for l
ii  libdbd-pgsql   0.8.3-1+s-2.1 PostgreSQL database server driver
ii  libdbi10.8.4-5.1 DB Independent Abstraction Layer f
ii  lsb-base   3.2-28Linux Standard Base 3.2 init scrip
ii  ucf3.0025+nmu2   Update Configuration File: preserv

Versions of packages icinga-idoutils recommends:
ii  mysql-client-5.1 [mysql-clien 5.1.49-3   MySQL database client binaries
ii  postgresql-client 9.1+121front-end programs for PostgreSQL
ii  postgresql-client-9.0 [postgr 9.0.4-2front-end programs for PostgreSQL
ii  postgresql-client-9.1 [postgr 9.1~rc1-3  front-end programs for PostgreSQL

icinga-idoutils suggests no packages.

-- debconf information:
  icinga-idoutils/dbconfig-upgrade: true
  icinga-idoutils/mysql/method: unix socket
  icinga-idoutils/db/dbname: icinga
  icinga-idoutils/dbconfig-remove:
  icinga-idoutils/missing-db-package-error: abort
  icinga-idoutils/install-error: retry
  icinga-idoutils/pgsql/authmethod-admin: ident
  icinga-idoutils/pgsql/admin-user: postgres
  icinga-idoutils/internal/reconfiguring: false
  icinga-idoutils/purge: false
  icinga-idoutils/pgsql/changeconf: false
  icinga-idoutils/db/basepath:
  icinga-idoutils/database-type: pgsql
  icinga-idoutils/upgrade-error: abort
  icinga-idoutils/pgsql/method: unix socket
  icinga-idoutils/remote/port:
  icinga-idoutils/internal/skip-preseed: true
  icinga-idoutils/dbconfig-reinstall: false
  icinga-idoutils/upgrade-backup: true
  icinga-idoutils/remove-error: abort
* icinga-idoutils/dbconfig-install: false
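The following is an added illustration of the escaping problem in David's report and of the \' warning Stefan quotes; it is example code written for this page, not ido2db's, Icinga's or libpq's code. escape_backslash() stands in for the backslash-prefixing behaviour the report attributes to ido2db_db_escape_string() (an assumption: the real function may touch other characters as well), escape_double_quote() is the '' doubling the server's HINT asks for, and literal_end() is a deliberately simplified, byte-wise model of where PostgreSQL stops a plain '...' literal with standard_conforming_strings on (the 9.1 default) and off; it is not the server's lexer and knows nothing about E'...' strings or client encodings. PERFDATA is the perfdata value taken from the logged UPDATE; all function names are invented here. The report's recommended fix, PQescapeLiteral, is not used because it needs a live PGconn to learn the connection's encoding and standard_conforming_strings setting, which is precisely why it is the safe choice over a hand-rolled escaper.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the perfdata value from the UPDATE in the report. */
static const char PERFDATA[] = "'5 min avg Load'=22%;80;90;0;100";

/* Backslash escaping, modelling what the report says
 * ido2db_db_escape_string() does: a backslash before each ' (and \).
 * Returns a malloc'd string the caller frees. */
char *escape_backslash(const char *in) {
    char *out = malloc(2 * strlen(in) + 1);
    char *p = out;
    for (; *in; in++) {
        if (*in == '\'' || *in == '\\') *p++ = '\\';
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* SQL-standard escaping: double each ' and leave backslashes alone.
 * This is what PostgreSQL's HINT asks for and what PQescapeLiteral
 * produces for a plain literal. */
char *escape_double_quote(const char *in) {
    char *out = malloc(2 * strlen(in) + 1);
    char *p = out;
    for (; *in; in++) {
        if (*in == '\'') *p++ = '\'';
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Simplified byte-wise model of where PostgreSQL ends a plain '...'
 * literal (not E'...'). With standard_conforming_strings on, a backslash
 * is an ordinary byte; with it off, a backslash escapes the next byte.
 * A doubled '' never ends the literal in either mode. sql must begin at
 * the opening quote. Returns the index of the closing quote, or -1 if
 * the literal is unterminated. */
long literal_end(const char *sql, int standard_conforming_strings) {
    if (sql[0] != '\'') return -1;
    for (size_t i = 1; sql[i] != '\0'; i++) {
        if (!standard_conforming_strings && sql[i] == '\\' && sql[i + 1] != '\0') {
            i++;                                   /* skip the escaped byte */
            continue;
        }
        if (sql[i] == '\'') {
            if (sql[i + 1] == '\'') { i++; continue; } /* '' is an escaped quote */
            return (long)i;
        }
    }
    return -1;
}

/* Escape value with esc, wrap it in quotes as the UPDATE did, and report
 * whether the server would read the whole thing as one literal (1) or
 * stop early, as it did on the "5" in the report, or run off the end (0). */
int literal_survives(const char *value, char *(*esc)(const char *), int scs) {
    char *e = esc(value);
    size_t n = strlen(e);
    char *sql = malloc(n + 3);
    sprintf(sql, "'%s'", e);
    int ok = literal_end(sql, scs) == (long)(n + 1);
    free(e);
    free(sql);
    return ok;
}

int main(void) {
    const char *scheme[] = { "backslash", "double-quote" };
    char *(*esc[])(const char *) = { escape_backslash, escape_double_quote };
    for (int s = 0; s < 2; s++)
        for (int scs = 0; scs <= 1; scs++)
            printf("%-13s standard_conforming_strings=%s -> %s\n", scheme[s],
                   scs ? "on " : "off",
                   literal_survives(PERFDATA, esc[s], scs) ? "ok" : "BROKEN");
    return 0;
}
```

Only the backslash scheme under standard_conforming_strings=on comes out BROKEN: the literal closes at the second byte of \' and the 5 that follows is the token the server complains about. Turning the setting off (one of the workarounds people apply) makes the same statement parse, but every \' then triggers the "nonstandard use of \' in a string literal" WARNING from Stefan's log, while the doubled-quote form parses in both modes.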