From: Steve Grubb
Subject: Re: [PATCH 1/2] auparse: Remove quotes from parsed fields
Date: Wed, 8 Feb 2012 13:54:13 -0500
Message-ID: <201202081354.13497.sgrubb@redhat.com>
References: <1328720698-24633-1-git-send-email-mhcerri@linux.vnet.ibm.com>
In-Reply-To: <1328720698-24633-1-git-send-email-mhcerri@linux.vnet.ibm.com>
To: linux-audit@redhat.com
Cc: gcwilson@us.ibm.com, bryntcor@us.ibm.com
List-Id: linux-audit@redhat.com

On Wednesday, February 08, 2012 12:04:57 PM Marcelo Cerri wrote:
> Auparse just removes single quotes at the end of a field value and leaves
> quotes at the beginning. With this patch, auparse removes quotes at the
> beginning of a parsed field value and handles double quotes in the same way
> as single quotes.

This would seem to be a mistake in the libvirt auditing code. They should not be adding quotes. The double quote has a special meaning, so I don't think we can or should patch around that. The single quote just shouldn't be there.

-Steve

> This is a simple test program to reproduce the problem:
>
> -----
> int main() {
> const char *buffer= "type=VIRT_RESOURCE msg=audit(1327574186.046:174):
> user pid=6748 uid=0 auid=500 ses=1
> subj=unconfined_u:unconfined_r:unconfined_t:s0 msg='virt=kvm resrc=net
> reason=start vm=\"CentOS\" uuid=fb4149f5-9ff6-4095-f6d3-a1d03936fdfa
> old-net='?' new-net='52:54:00:DB:AE:B4 test': exe=\"/usr/sbin/libvirtd\"
> hostname=? addr=? terminal=?
res=success'\n"; auparse_state_t *au = > auparse_init(AUSOURCE_BUFFER, buffer); > if (au == NULL) return -1; > while (auparse_next_event(au) > 0) { > printf("%s\n", auparse_find_field(au, "new-net")); > } > auparse_destroy(au); > return 0; > } > > ----- > --- > auparse/ellist.c | 6 +++++- > 1 files changed, 5 insertions(+), 1 deletions(-) > > diff --git a/auparse/ellist.c b/auparse/ellist.c > index eafcfee..8c3061d 100644 > --- a/auparse/ellist.c > +++ b/auparse/ellist.c > @@ -137,6 +137,9 @@ static int parse_up_record(rnode* r) > // Remove beginning cruft of name > if (*ptr == '(') > ptr++; > + // Remove quotes > + if (*val == '\'' || *val == '"') > + val++; > n.name = strdup(ptr); > n.val = strdup(val); > // Remove trailing punctuation > @@ -149,7 +152,8 @@ static int parse_up_record(rnode* r) > n.val[len-1] = 0; > len--; > } > - if (len && n.val[len-1] == '\'') { > + if (len && (n.val[len - 1] == '\'' > + || n.val[len - 1] == '"')) { > n.val[len-1] = 0; > len--; > }
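
Review bot: in the first hunk (@@ -137,6 +137,9), `if (*val == '\'' || *val == '"') val++;` ahead of `n.val = strdup(val);` drops a leading quote without recording that it did so or which character it was, so nothing later can tell a quoted value from one that merely starts with a quote. Keep the opening character in a local and have the comment say which producers emit such values; "Remove quotes" alone does not explain why the parser should accept them. The `'"'` branch also applies to every field that goes through parse_up_record, and the reply above notes that the double quote has a special meaning in audit records, so consider limiting the strip to `'\''` or dropping the double-quote case.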
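
Review bot: in the second hunk (@@ -149,7 +152,8), the widened test `n.val[len - 1] == '\'' || n.val[len - 1] == '"'` removes a trailing quote of either kind regardless of what the value began with, so a value such as `'abc"` or an unquoted `abc"` silently loses its last character. Strip the trailing character only when it matches the opening quote removed in the earlier hunk. As a style point, `len - 1` in the new lines is spaced differently from `n.val[len-1] = 0;` in the unchanged context directly below.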