Not escaping/quoting arguments for script server data queries breaks SNMP arguments with special characters

[robwdwd]

When using a community, snmp v3 passphrase and so forth with &,! etc in the string running a data query on a host fails when the data query is calling a script server. The script server itself is working fine if the indexes are already there (from previous snmp credentials for example.) or if you test it manually.

In function get_script_query_path in data_store.php maybe it can be escaped here:

return substitute_script_query_path($script_path) . " $extra_arguments";

Running the re-index in debug mode produces the following.

Total: 0.17, Delta: 0.17, Executing script for num of indexes '"/usr/bin/php" -q /var/www/html/cacti/new/scripts/ss_cisco_cpu_usage.php router.exampe.com 885 3:161:500:1:10:JdhquA5:EXAMPLE-128:qRNhf2dsf5NC^+*4NSW=:SHA:3v&t4uh6kp#J@-ru^rJVB:AES128: num_indexes'
Total: 0.35, Delta: 0.18, Executing script for list of indexes '"/usr/bin/php" -q /var/www/html/cacti/new/scripts/ss_cisco_cpu_usage.php router.exampe.com 885 3:161:500:1:10:JdhquA5:EXAMPLE-128:qRNhf2dsf5NC^+*4NSW=:SHA:3v&t4uh6kp#J@-ru^rJVB:AES128:AES128: index' Index Count: 0

Testing on the script server directly works fine.

PHP Script Server has Started - Parent is cmd

/var/www/html/cacti/new/scripts/ss_cisco_cpu_usage.php ss_cisco_cpu_usage router.exampe.com 885 3:161:500:1:10:sdkls9h: EXAMPLE-128:qRNhf2dsf5NC^+*4NSW=:SHA:3v&t4uh6kp#J@-ru^rJVB:AES128: num_indexes
3

However looking at the logs the data_query is not being run directly when trying to do a manual re-index or adding in the data_query the first time it's using exec to start a shell process and it's failing (in this example because of the &)

sh: t4uh6kp#J@-ru^rJVB:AES128:: command not found

Testing this you get:

"/usr/bin/php" -q /var/www/html/cacti/new/scripts/ss_cisco_cpu_usage.php router.exampe.com 885 3:161:500:1:10: sdkls9h:EXAMPLE-128:qRNhf2dsf5NC^+*4NSW=:SHA:3v&t4uh6kp#J@-ru^rJVB:AES128: num_indexes
[4] 17370
-bash: t4uh6kp#J@-ru^rJVB:AES128:: command not found
[3]   Done                    "/usr/bin/php" -q /var/www/html/cacti/new/scripts/ss_cisco_cpu_usage.php router.exampe.com 885 3:161:500:1:10: sdkls9h:EXAMPLE-128:qRNhf2dsf5NC^+*4NSW=:SHA:3v

Where as if the argument list is escaped or quoted so it works fine, I think quoting would need each argument quoted for space plus other delimiter i.e. : |xyz| |abc| |1|:|nnn|:|ppp| would be "|xyz|" "|abc|" "|1|:|nnn|:|ppp|"

"/usr/bin/php" -q /var/www/html/cacti/new/scripts/ss_cisco_cpu_usage.php router.exampe.com 885 3:161:500:1:10:sdkls9h:EXAMPLE-128:qRNhf2dsf5NC^+*4NSW=:SHA:3v\&t4uh6kp#J\!@-ru^rJVB:AES128: num_indexes

[cigamit]

That one looks like a lot of fun to resolve... It would be better to simply pass in the device id and have the script pull the rest from the database. Ah, to turn back the hands of time... not. Anyway thanks for reporting.

[cigamit]

Okay, you have two files to update: lib/utility.php and lib/data_query.php. Take them from develop and then rebuild the poller cache. Once that is done, please let me know if the issue is resolved.

[robwdwd]

Great that seems to fix the issue, thanks for resolving so fast :)

[cigamit]

Good to know it's working. This has been a longstanding request for years. Glad it's done finished now.