Re: get_field_str() and interpret_field() bug with multi-word fields

[John Dennis <jdennis@redhat.com>]

[-- Attachment #1.1: Type: text/plain, Size: 1361 bytes --]

LC Bruzenak wrote:
> On Tue, 2008-08-12 at 12:49 -0500, Jonathan Kelly wrote:
>   
>> Hello,
>>
>>  
>>
>> When using the python auparse library to call
>> AuParser.interpret_field() on a multi-word field, only the first word
>> in the field is returned.  Using get_field_str() instead of
>> interpret_field() yields the same output.  I have verified that this
>> issue exists in the C library, as well as the Python.  I suspect that
>> this may be an issue for multi-word fields in general, but have not
>> noticed any other than 'op'.
>>
>>  
>>     
>
> Line forms here...see the following thread:
> https://www.redhat.com/archives/linux-audit/2008-June/msg00005.html
>
> LCB.
>
>   
The line started a while ago ...

https://www.redhat.com/archives/linux-audit/2008-January/msg00082.html
(the discussion "While we're at it" is irrelevant to the current topic)

FWIW, I think the proper encoding should be that all string values are 
enclosed in double quotes and the string encoding follows the same 
backslash escaping defined for the C language which was subsequently 
adopted by many other system components which would make it instantly 
familiar and parseable by many tools. This would be a very simple and 
welcome fix.

More complaints here:
https://www.redhat.com/archives/linux-audit/2008-June/msg00009.html


-- 
John Dennis <jdennis@redhat.com>


[-- Attachment #1.2: Type: text/html, Size: 2221 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]