nv-l

Re: [nv-l] Script option for use with APAR IY21527

2002-04-04 18:42:10
Subject: Re: [nv-l] Script option for use with APAR IY21527
From: netview AT toddh DOT net (Todd H.)
To: "Binder, Karin" <karin.binder AT nwa DOT com>
Date: 04 Apr 2002 17:42:10 -0600
"Binder, Karin" <karin.binder AT nwa DOT com> writes:

> Hello All,
>  
> I appreciate all the information that is shared on this list.  I
> found something that was useful to me, and thought it might be
> helpful to some of you. 
> 
> I recently enabled the security mechanism provided in APAR IY21527
> (also in V6.03) to filter illegal special characters from traps. The
> sample script provided in the APAR readme suggested the use of 'sed
> "s:\\\\\\::g"' to remove the prepended backslash characters.  That
> didn't work in our environment as we do not have a consistent depth
> of domains in our DNS names.  And then there are those traps that

Hee hee.  I recently opened a PMR on that very expression in the
release notes for that patch.  For one, it's not a good idea to
express a sed expression in double quotes since it can lead you down a
primrose path and match more than you think!  For two, that particular
expression absolutely does not work in our environment either.  In
fact, I'm not sure what environment it does work for.  Doesn't it
match three literal backslashes in a row?

Here's a better (for our environment anyway) sed expression if you want
to remove dots and dashes (both of which are part of legal hostnames)
and replace them with themselves:

########################################################################
# replace \. and \-  with . -  respectively.  Required for
# security efix
#
# The pattern matches one literal backslash (\\) followed by a captured
# dot or dash ([-.]) and writes back just the captured character (\1).
# Inside a bracket expression a backslash is literal, so [-.] is used
# rather than [-\.], which would also match a backslash.
########################################################################
NVATTR_2=$(/usr/bin/echo "$NVATTR_2" | /usr/bin/sed 's:\\\([-.]\):\1:g')
NVATTR_3=$(/usr/bin/echo "$NVATTR_3" | /usr/bin/sed 's:\\\([-.]\):\1:g')
NVATTR_4=$(/usr/bin/echo "$NVATTR_4" | /usr/bin/sed 's:\\\([-.]\):\1:g')

[repeat for all variables you need]


> And then there are those traps that contain a "." in message text
> (i.e. "Node down.").  Further, with vendors doing creative things
> like appending port number to ASN strings, predicting the number of
> "."s in a variable became even more challenging.  I found an
> alternative using the shell "eval" command to force an evaluation of
> a variable, thus removing the escape characters irrespective of how
> many there are in the variable.  I used it at the top of my script
> on each variable that might contain a backslash (NVA, NVATTR_n,
> etc).  It worked in my /bin/sh scripts; I suspect it would work in
> other scripts types as well (csh, ksh), although I have not tested
> those.  As always, test it first and use at your own risk.  Sample
> syntax in /bin/sh:
>
> NVATTR_1=`eval echo $NVATTR_1`
> NVATTR_2=`eval echo $NVATTR_2`
> etc.

I'm not sure I'd recommend this approach.  Doing an eval to
possibly-tainted data makes me very nervous from a security
perspective, but I'd be interested in any discussion others can lend.

--
Todd H.
http://www.toddh.net/
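The sed-based unescaping discussed in this thread, written up as a small helper in POSIX sh. This is an added example, not code from the original messages; the function name, the sample values and the use of printf instead of echo are the editor's choices.

```sh
#!/bin/sh
# Added example, not code from the original thread: a helper that strips
# the backslashes the IY21527 trap filter prepends to '.' and '-' in
# NetView trap variables, using sed instead of eval so the variable's
# content is never handed back to the shell for re-interpretation.

# unescape_trap_var VALUE
#   Prints VALUE with every "\." turned into "." and every "\-" into "-".
#   Only those two escapes are touched; any other character, including
#   shell metacharacters such as $, *, ; or backquotes, is passed through
#   literally. printf replaces echo because some echo implementations
#   interpret backslash sequences on their own.
unescape_trap_var() {
    printf '%s\n' "$1" | sed 's:\\\([-.]\):\1:g'
}

# Constructed sample values shaped like filtered trap attributes.
SAMPLE_HOST='router\-01\.corp\.example\.com'
SAMPLE_TEXT='Node down\. Port 10\.1\.2\.3:161'
SAMPLE_META='Node down\. See $HOME/* for details'

main() {
    # Same shape as the NVATTR_n assignments in the message above.
    NVATTR_2=$(unescape_trap_var "$SAMPLE_HOST")
    NVATTR_3=$(unescape_trap_var "$SAMPLE_TEXT")
    NVATTR_4=$(unescape_trap_var "$SAMPLE_META")
    printf 'NVATTR_2=%s\nNVATTR_3=%s\nNVATTR_4=%s\n' \
        "$NVATTR_2" "$NVATTR_3" "$NVATTR_4"
}

main
```

The third sample shows the difference from the eval approach: `$HOME` and `*` come out unchanged rather than being expanded by the shell.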
