[#1331] Can not delete/show escalator named '%name' (exec_omp_get:2615)

Date: 2010-03-19 11:48
Priority: 3
State: Closed
Submitted by: Hartmut Goebel (htgoebel)
Assigned to: Nobody (None)
Architecture: None
Product: OpenVAS
Operating System: All
Component: gsa
Version: 3.0.1
Severity: normal
Resolution: None
Hardware: All
URL:
Summary: Can not delete/show escalator named '%name' (exec_omp_get:2615)

Detailed description

I created an escalator named '%name' (w/o quotes) using the XML shown below. When trying to show or delete this escalator via gsa, I get this error message:

Internal error: exec_omp_get:2615

While I did not test it, I assume this will happen for other types using such a name, too.

Deleting the escalator using OMP works fine.

<create_escalator>
<name>%name</name>
<comment>hjhjklh</comment>
<condition>Threat level at least<data><name>level</name>Medium</data></condition>
<event>Task run status changed<data><name>status</name>Done</data></event>
<method>Email<data><name>to_address</name>aaaa@example.com</data><data><name>from_address</name>vaaa@example.com</data><data><name>notice</name>1</data></method>
</create_escalator>

Followup

Message
Date: 2018-09-12 15:08
Sender: Matthew Mundell

Recent versions handle "%name" fine, and allow umlauts and
other punctuation, so closing.

Date: 2010-05-10 14:21
Sender: Matthew Mundell

I'm aware of prepared statements, and the Manager and
GSA do aim to handle these characters.

Jan added the strict GSA input filtering as a strong
protective measure. This is prudent in the GSM
situation where the only use is via the GSA,
especially given that there are still parts of
the Manager that need to do input checking properly.

I have mentioned to Jan that I think that in general
the GSA is the wrong place to do it and that the effort
should go into making the Manager input handling secure.

Date: 2010-04-08 08:51
Sender: Hartmut Goebel

I've just been hit by this again.

Re. Matthew's remark:

> The GSA is much stricter than the Manager about which
> characters can be input. Jan set the GSA up this way to
> prevent embedded SQL and XML errors.

In Database applications this problem is normally solved
using Prepared Statements. See
<http://www.sqlite.org/c3ref/bind_blob.html> for prepared
statements in sqlite3.

Regarding XML encoding errors: same here. Any XML lib ought
to have some function for escaping values.
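
The two techniques named in the comment above (bound parameters for SQL, an escaping function for XML), shown as an added example that is not part of the tracker thread or of OpenVAS code. The table, the helper names and the third sample name are constructed for illustration, and Python's sqlite3 module stands in for the SQLite C API linked above.

```python
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample input: two names from the report plus a markup/quote case.
SAMPLE_NAMES = [
    "%name",
    "Job 1: 15 targets (Fri Mar 19 18:30:08 2010)",
    "Prüfung <täglich> & 'x'); DROP TABLE escalators;--",
]


def open_store():
    """In-memory database with a hypothetical escalators table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE escalators (id INTEGER PRIMARY KEY, name TEXT UNIQUE)")
    return db


def create_escalator(db, name):
    # The '?' placeholder binds the value; it is never parsed as SQL text.
    db.execute("INSERT INTO escalators (name) VALUES (?)", (name,))


def delete_escalator(db, name):
    # '=' compares literally, so '%' is not treated as a LIKE wildcard here.
    cur = db.execute("DELETE FROM escalators WHERE name = ?", (name,))
    return cur.rowcount


def to_xml(name):
    # escape() replaces &, < and > so the value cannot open or close elements.
    return "<create_escalator><name>" + escape(name) + "</name></create_escalator>"


def round_trip(name):
    """Store, serialise, parse back and delete; return what each layer saw."""
    db = open_store()
    create_escalator(db, name)
    stored = db.execute("SELECT name FROM escalators").fetchone()[0]
    parsed = ET.fromstring(to_xml(name)).findtext("name")
    deleted = delete_escalator(db, name)
    tables = db.execute("SELECT count(*) FROM sqlite_master "
                        "WHERE type = 'table' AND name = 'escalators'").fetchone()[0]
    db.close()
    return stored, parsed, deleted, tables


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "->", round_trip(n))
```

Every sample name is stored, serialised, parsed back and deleted unchanged, and the table still exists afterwards, without any character filtering on the input side.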

Date: 2010-03-22 14:34
Sender: Hartmut Goebel

Related problem: gsad does not accept umlauts and punctuation characters (at least parens). In this case no "Internal Error" occurs, but an error message is displayed.

Not being able to use umlauts and punctuation characters in names is *very* annoying.

Date: 2010-03-21 20:59
Sender: Matthew Mundell

The GSA is much stricter than the Manager about which
characters can be input. Jan set the GSA up this way to
prevent embedded SQL and XML errors.

As a result it's possible to create a resource by
accessing the Manager directly, and the GSA will refuse
to accept the name of the resource as input.

Date: 2010-03-19 17:32
Sender: Hartmut Goebel

This is true for other names, too, e.g.:

"Job 1: 15 targets (Fri Mar 19 18:30:08 2010)"

Attached Files:

Changes:

Field        Old Value   Date               By
status_id    Open        2018-09-12 15:08   mattm
close_date   None        2018-09-12 15:08   mattm
