Analysis for PP-464
- PP-464Getting issue details... STATUS
Issue:
When any of the job's attributes has a quote (") in it's value it causes problems to the applications that read the accounting logs as the quotes in the values are not escaped before they get stored in the accounting logs.
Explanation:
When a job is submitted as follows -
qsub -A 'value" malicious="evil' – /bin/sleep 1111
the accounting logs end up showing -
10/18/2016 16:01:33;S;11039.server;user=someone group=group1 account="value" malicious="evil" ...
As seen above, the parsing application could parse attribute account's value to be "value" and read a non-existing attribute malicious.
Analysis:
This is happening because -
- The quotes within the script are not escaped.
- The values of some of the attributes are enclosed within quotes (") regardless of the value needs enclosing or not.
Parsers could get confused even more if both the above happen at the same time, as in the above example.
Solution:
A) Writing to the accounting logs.
Before writing to the accounting logs, values of the attributes should be parsed to find if the value needs to be enclosed within quotes or not.
- need_quotes = 0
- if (value has characters that are not alphanumeric)need_quotes = 1
- if (need_quotes)
make quote (") as the first character to be stored for the value.
for (each quote in the value)
else
record value without quotes.
- if (value enclosed within quotes)
if (current character is an escape)
copy next character to the value.
if (current character is an escaped quote)
copy only a quote to the value.
if (current character is a non-escaped quote)
we have reached end of the string, do not copy this quote to the value.
else
copy the value as-is.
After this change, the example accounting record will look like -
10/18/2016 16:01:33;S;11039.server;user=someone group=group1 account="value\" malicious=\"evil" ...
However, tracejob output will be kept as-is.