[#1331] Can not delete/show escalator named '%name' (exec_omp_get:2615)

Date:
2010-03-19 11:48
Priority:
3
State:
Open
Submitted by:
Hartmut Goebel (htgoebel)
Assigned to:
Nobody (None)
Architecture:
None
Product:
OpenVAS
Operating System:
All
Component:
gsa
Version:
3.0.1
Severity:
normal
Resolution:
None
Hardware:
All
URL:
 
Summary:
Can not delete/show escalator named '%name' (exec_omp_get:2615)

Detailed description
I created an escalator named '%name' (w/o quotes) using the XML shown below. When trying to show or delete this escalator via gsa, I get this error message:

Internal error: exec_omp_get:2615

While I did not test it, I assume this will happen for other types using such a name, too.

Deleting the escalator using OMP works fine.

<create_escalator>
  <name>%name</name>
  <comment>hjhjklh</comment>
  <condition>Threat level at least<data><name>level</name>Medium</data></condition>
  <event>Task run status changed<data><name>status</name>Done</data></event>
  <method>Email<data><name>to_address</name>aaaa@example.com</data><data><name>from_address</name>vaaa@example.com</data><data><name>notice</name>1</data></method>
</create_escalator>

Followup

Message
Date: 2010-05-10 14:21
Sender: Matthew Mundell

I'm aware of prepared statements, and the Manager and
GSA do aim to handle these characters.

Jan added the strict GSA input filtering as a strong
protective measure. This is prudent in the GSM
situation where the only use is via the GSA,
especially given that there are still parts of
the Manager that need to do input checking properly.

I have mentioned to Jan that I think that in general
the GSA is the wrong place to do it and that the effort
should go into making the Manager input handling secure.

Date: 2010-04-08 08:51
Sender: Hartmut Goebel

I've just been hit by this again.

Re. Matthew's remark:

> The GSA is much stricter than the Manager about which
> characters can be input. Jan set the GSA up this way to
> prevent embedded SQL and XML errors.

In database applications this problem is normally solved
using prepared statements. See
<http://www.sqlite.org/c3ref/bind_blob.html> for prepared
statements in sqlite3.

Regarding XML encoding errors: same here. Any XML lib ought
to have some function for escaping values.
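Added example, not from the ticket or from the OpenVAS code: the two techniques the thread discusses (sqlite3 parameter binding and library XML escaping) applied to names of the kind reported here, beside the hand-built SQL that breaks on such input. The in-memory table, the column names and the response element names are assumptions; the sample names are constructed.

```python
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample names covering what the ticket reports: a '%' name,
# punctuation and parentheses, quotes, and umlauts.
SAMPLE_NAMES = [
    "%name",
    "Job 1: 15 targets (Fri Mar 19 18:30:08 2010)",
    "O'Reilly's \"escalator\"",
    "Größe & Länge",
]


def open_db():
    """In-memory sqlite3 database standing in for the Manager's store (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE escalators (id INTEGER PRIMARY KEY, name TEXT NOT NULL, comment TEXT)")
    return db


def insert_unsafe(db, name, comment):
    # The statement is assembled by string formatting: a single quote in the
    # name changes the statement's structure and the parser rejects it.
    db.execute(f"INSERT INTO escalators (name, comment) VALUES ('{name}', '{comment}')")


def insert_bound(db, name, comment):
    # Prepared statement with bound parameters: the text of the statement and
    # the values travel separately, so no character in the name can alter it.
    db.execute("INSERT INTO escalators (name, comment) VALUES (?, ?)", (name, comment))


def delete_bound(db, name):
    """Delete by name with a bound parameter; returns the number of rows removed."""
    cur = db.execute("DELETE FROM escalators WHERE name = ?", (name,))
    return cur.rowcount


def roundtrip_names(names):
    """Insert each name with binding, read it back, delete it; return what was read back."""
    db = open_db()
    seen = []
    for n in names:
        insert_bound(db, n, "comment")
        (stored,) = db.execute("SELECT name FROM escalators WHERE name = ?", (n,)).fetchone()
        seen.append(stored)
        if delete_bound(db, n) != 1:
            raise RuntimeError("delete by bound name removed an unexpected row count")
    return seen


def unsafe_fails_on(name):
    """True if the hand-built SQL raises for this name."""
    db = open_db()
    try:
        insert_unsafe(db, name, "comment")
        return False
    except sqlite3.Error:
        return True


def escalator_xml(name, comment):
    """Build an <escalator> element with both values escaped by the XML library."""
    return ("<escalator><name>%s</name><comment>%s</comment></escalator>"
            % (escape(name), escape(comment)))


def parse_name(xml_text):
    """Parse the element back and return the name, proving the output is well-formed."""
    return ET.fromstring(xml_text).findtext("name")


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "unsafe SQL fails:", unsafe_fails_on(n),
              "bound OK:", roundtrip_names([n]) == [n],
              "XML roundtrip OK:", parse_name(escalator_xml(n, "c")) == n)
```

The point of the example is the one the thread makes: once values are bound and escaped at the Manager side, the '%' name, the parenthesised job name and the umlaut name all round-trip through SQL and XML unchanged, and the front end has no need to reject them.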
Date: 2010-03-22 14:34
Sender: Hartmut Goebel

Related problem: gsad does not accept umlauts and punctuation characters (at least parentheses). In this case no "Internal Error" occurs, but an error message is displayed.

Not being able to use umlauts and punctuation characters in names is *very* annoying.
Date: 2010-03-21 20:59
Sender: Matthew Mundell

The GSA is much stricter than the Manager about which
characters can be input. Jan set the GSA up this way to
prevent embedded SQL and XML errors.

As a result it's possible to create a resource by
accessing the Manager directly, and the GSA will refuse
to accept the name of the resource as input.
Date: 2010-03-19 17:32
Sender: Hartmut Goebel

This is true for other names, too, e.g.:

"Job 1: 15 targets (Fri Mar 19 18:30:08 2010)"
