swooningfish / mysql-cacti-templates

Automatically exported from code.google.com/p/mysql-cacti-templates
GNU General Public License v2.0

Need to add 'quotes' around <password> (and maybe other) parameters in templates #207

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Add the better Cacti templates
2. Add any of the templates which requires a password, to some monitored Device
3. Put in a password which contains a character to which the shell is sensitive, e.g. a double quote " or a single quote ' or an exclamation point ! etc.
4. Watch the fireworks in the log file :-)

Solution: In all templates which take <password> parameters, and likely any 
other parameters where the user could either foolishly or legitimately (as in 
the case of the passwords) enter any kind of data which could be eaten by the 
shell.

Further consideration: Probably need to use an escaping library to avoid foolish or malicious injection attacks which could cause very unexpected shell behavior, such as:

  password = ;echo Hi Mom >/tmp/Mom;echo

Which a few minutes later gives us:

  # cat /tmp/Mom
  Hi Mom

:-)

Original issue reported on code.google.com by libove....@gmail.com on 10 Feb 2012 at 3:29
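
The quoting this report asks for, as an added example that is not part of the original issue and is not code from the templates or from Cacti. It fills a hypothetical command template (`TEMPLATE`, the script path, the option names and the host and user values are assumptions) with and without `shlex.quote`, then scans the result, without running it, for characters a POSIX shell would still interpret:

```python
import re
import shlex

# Hypothetical command template; the script path and option names are
# assumptions for illustration, not taken from the templates or from Cacti.
TEMPLATE = "php /path/to/script.php --host <hostname> --user <username> --pass <password>"

def fill(template, params, quote=False):
    """Substitute <name> placeholders in one pass; quote=True wraps each value
    with shlex.quote so a POSIX shell reads it as exactly one literal word."""
    wrap = shlex.quote if quote else str
    return re.sub(r"<(\w+)>", lambda m: wrap(params[m.group(1)]), template)

def shell_hazards(command_line):
    """Scan a command line without running it and list what a POSIX shell
    would still interpret: operators and expansions outside quoting, '$' and
    '`' inside double quotes, and a quote that is never closed."""
    hazards, quote, i = [], None, 0
    while i < len(command_line):
        c = command_line[i]
        if quote == "'":              # nothing is special until the closing '
            if c == "'":
                quote = None
        elif c == "\\":               # backslash protects the next character
            i += 1
        elif quote == '"':
            if c == '"':
                quote = None
            elif c in "$`":
                hazards.append(c)
        elif c in "'\"":
            quote = c
        elif c in ";&|<>()$`":
            hazards.append(c)
        i += 1
    if quote:
        hazards.append("unterminated " + quote)
    return hazards

# Constructed sample values; the first password is the one quoted in the issue.
PASSWORDS = [";echo Hi Mom >/tmp/Mom;echo", 'pa"ss', "it's"]

def report(passwords=PASSWORDS):
    """Return {password: (hazards when substituted raw, hazards when quoted)}."""
    base = {"hostname": "db1", "username": "cacti"}  # constructed values
    return {pw: tuple(shell_hazards(fill(TEMPLATE, {**base, "password": pw}, q))
                      for q in (False, True)) for pw in passwords}

for pw, (raw, quoted) in report().items():
    print(f"{pw!r}: raw={raw} quoted={quoted}")
```

Passing the arguments as a list to a process API that does not invoke a shell avoids the quoting step altogether.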

GoogleCodeExporter commented 8 years ago
This is a Cacti bug; these templates can't control or correct Cacti's method of executing scripts.

Original comment by baron.schwartz on 10 Feb 2012 at 3:41

GoogleCodeExporter commented 8 years ago
Okay, thanks; I'll submit to the Cacti folks.

Original comment by libove....@gmail.com on 10 Feb 2012 at 6:13