When any of the job's attributes has a quote (") in it's value it causes problems to the applications that read the accounting logs as the quotes in the values are not escaped before they get stored in the accounting logs.
When a job is submitted as follows -
qsub -A 'value" malicious="evil' – /bin/sleep 1111
the accounting logs end up showing -
10/18/2016 16:01:33;S;11039.server;user=someone group=group1 account="value" malicious="evil" ...
As seen above, the parsing application could parse attribute account's value to be "value" and read a non-existing attribute malicious.
This is happening because -
Parsers could get confused even more if both the above happen at the same time, as in the above example.
A) Writing to the accounting logs.
Before writing to the accounting logs, values of the attributes should be parsed to find if the value needs to be enclosed within quotes or not.
make quote (") as the first character to be stored for the value.
for (each quote in the value)
else
record value without quotes.
if (current character is an escape)
copy next character to the value.
if (current character is an escaped quote)
copy only a quote to the value.
if (current character is a non-escaped quote)
we have reached end of the string, do not copy this quote to the value.
else
copy the value as-is.
After this change, the example accounting record will look like -
10/18/2016 16:01:33;S;11039.server;user=someone group=group1 account="value\" malicious=\"evil" ...
However, tracejob output will be kept as-is.