centreon / centreon-archived

Centreon is a network, system and application monitoring tool. Centreon is the only AIOps Platform Providing Holistic Visibility to Complex IT Workflows from Cloud to Edge.
https://www.centreon.com
GNU General Public License v2.0

API - Auth broken when token contain '\/' #7740

Open bernah4 opened 5 years ago

bernah4 commented 5 years ago

Hi, I'm making a script using the Centreon API and I have the same issue as #7616. I'm getting, for example, this token: T\/n4k2\/ZkFkiCwgadp1lJG2csrD\/BhnfJjKUDsz4u5g=

When I try the solution from the mentioned post, this is what I get:

```
curl -s 'mydomain.fr/centreon/api/index.php?object=centreon_realtime_services&action=list&status=critical' -H 'Content-Type: application/json' -H 'centreon-auth-token:'T\/n4k2\/ZkFkiCwgadp1lJG2csrD\/BhnfJjKUDsz4u5g='' --verbose

* About to connect() to proxy myproxy (#0)
*   Trying my IP
* Connected to myproxy (IP proxy)  (#0)
> GET HTTP://mydomain.fr/centreon/api/index.php?object=centreon_realtime_services&action=list&status=critical HTTP/1.1
> User-Agent: curl/7.29.0
> Host: myhost
> Accept: */*
> Proxy-Connection: Keep-Alive
> Content-Type: application/json
> centreon-auth-token:T/n4k2/ZkFkiCwgadp1lJG2csrD/BhnfJjKUDsz4u5g=
>
< HTTP/1.1 200 OK
< Date: Tue, 30 Jul 2019 09:13:23 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
< X-Powered-By: PHP/7.1.8
< Content-Type: application/json;charset=utf-8
< X-Cache: MISS from myServer
< X-Cache-Lookup: MISS from myServer
< Transfer-Encoding: chunked
< Via: 1.1 mySrever(squid/3.5.23)
< Connection: keep-alive)
```

As we can see, the backslashes are treated like escape characters, so it seems like the token is interpolated and should not be.

lpinsivy commented 5 years ago

As @kermith72 explained in the other ticket, you need to escape the \ or to protect it.

alxdrl commented 3 years ago

Hi @lpinsivy I think this answer is highly misleading.

I myself was bitten by this recently: Centreon actually returns (purposely?) a forward-slash-escaped token!

You might have to unescape it, especially in scripted scenarios.

For example, with the login response {"authToken":"9nUR96sbqO1hUZ2Pc9TCozODRUHleK57\/AsZQEDgoMg="} ...

Trying with the raw/escaped/protected token:

```
$ curl .... \
    -H 'centreon-auth-token: 9nUR96sbqO1hUZ2Pc9TCozODRUHleK57\/AsZQEDgoMg='
"Forbidden"
```

Meanwhile, with the forward slash unescaped:

```
$ curl ... \
    -H 'centreon-auth-token: 9nUR96sbqO1hUZ2Pc9TCozODRUHleK57/AsZQEDgoMg='
{"results":[{"code":202,"message":"The status send to the engine"}]}
```

As far as good taste and interop go, I think Centreon should not return an escaped token and should let the user handle this if needed :-)

Regards,

Alexis
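The diagnosis above, as an added example that is not code from this thread or from Centreon: the login body is JSON, where `\/` is a valid escape for `/`, so a real JSON parser yields the usable token while a grep/sed-style extraction keeps the backslash and produces the "Forbidden" header value. The sample response is constructed from the one quoted in the thread; `token_by_regex`, `token_by_json` and `auth_header` are names chosen for this example.

```python
import json
import re

# Constructed sample login body, modelled on the one quoted above (not a
# real token). PHP's json_encode() escapes "/" as "\/" by default, which is
# why the raw body carries a backslash.
LOGIN_RESPONSE = '{"authToken":"9nUR96sbqO1hUZ2Pc9TCozODRUHleK57\\/AsZQEDgoMg="}'


def token_by_regex(body: str) -> str:
    """Naive extraction (what a grep/sed pipeline does): returns the raw
    JSON string contents, escape sequence and all."""
    m = re.search(r'"authToken"\s*:\s*"([^"]*)"', body)
    if not m:
        raise ValueError("no authToken in login response")
    return m.group(1)


def token_by_json(body: str) -> str:
    """Correct extraction: a JSON parser decodes "\\/" back to "/"."""
    return json.loads(body)["authToken"]


def auth_header(token: str) -> dict:
    """Header to send on later API calls. Rejects a token that still
    carries a JSON escape, since the server will answer Forbidden."""
    if "\\" in token:
        raise ValueError("token still contains a JSON escape; parse the body as JSON")
    return {"centreon-auth-token": token}


if __name__ == "__main__":
    raw = token_by_regex(LOGIN_RESPONSE)
    good = token_by_json(LOGIN_RESPONSE)
    print("regex  :", raw)    # keeps the backslash -> Forbidden
    print("json   :", good)   # plain "/" -> accepted by the API
    print(auth_header(good))
```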