On Wednesday, February 08, 2012 12:04:57 PM Marcelo Cerri wrote:
 Auparse just removes single quotes at the end of a field value and leaves
 quotes at the beginning. With this patch, auparse removes quotes at the
 beginning of a parsed field value and handles double quotes in the same way
 as single quotes.
This would seem to be a mistake in the libvirt auditing code. They should not be 
adding quotes. The double quote has a special meaning, so I don't think we can 
or should patch around that. The single quote just shouldn't be there.
-Steve
 This is a simple test program to reproduce the problem:
 
 -----
 #include <stdio.h>
 #include <auparse.h>

 int main() {
 	/* Sample VIRT_RESOURCE record; the new-net value is single-quoted */
 	const char *buffer =
 		"type=VIRT_RESOURCE msg=audit(1327574186.046:174): "
 		"user pid=6748 uid=0 auid=500 ses=1 "
 		"subj=unconfined_u:unconfined_r:unconfined_t:s0 msg='virt=kvm resrc=net "
 		"reason=start vm=\"CentOS\" uuid=fb4149f5-9ff6-4095-f6d3-a1d03936fdfa "
 		"old-net='?' new-net='52:54:00:DB:AE:B4 test': "
 		"exe=\"/usr/sbin/libvirtd\" "
 		"hostname=? addr=? terminal=? res=success'\n";
 	auparse_state_t *au = auparse_init(AUSOURCE_BUFFER, buffer);
 	if (au == NULL) return -1;
 	while (auparse_next_event(au) > 0) {
 		/* Print new-net as parsed, so any leftover quote is visible */
 		const char *val = auparse_find_field(au, "new-net");
 		printf("%s\n", val ? val : "(not found)");
 	}
 	auparse_destroy(au);
 	return 0;
 }
 
 -----
 ---
  auparse/ellist.c |    6 +++++-
  1 files changed, 5 insertions(+), 1 deletions(-)
 
 diff --git a/auparse/ellist.c b/auparse/ellist.c
 index eafcfee..8c3061d 100644
 --- a/auparse/ellist.c
 +++ b/auparse/ellist.c
 @@ -137,6 +137,9 @@ static int parse_up_record(rnode* r)
  			// Remove beginning cruft of name
  			if (*ptr == '(')
  				ptr++;
 +			// Remove quotes
 +			if (*val == '\'' || *val == '"')
 +				val++;
  			n.name = strdup(ptr);
  			n.val = strdup(val);
  			// Remove trailing punctuation
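Review bot: the added `if (*val == '\'' || *val == '"') val++;` drops a leading quote without checking that the value also ends with the same quote character, so a value that carries a quote at only one end is silently altered before `n.val = strdup(val)`. Strip only when both ends match, and since the reply in this thread says the double quote has a special meaning, either limit this to the single quote or record that the value was quoted so callers can still tell the difference.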
 @@ -149,7 +152,8 @@ static int parse_up_record(rnode* r)
  				n.val[len-1] = 0;
  				len--;
  			}
 -			if (len && n.val[len-1] == '\'') {
 +			if (len && (n.val[len - 1] == '\''
 +					|| n.val[len - 1] == '"')) {
  				n.val[len-1] = 0;
  				len--;
  			}