XML export/import in 2.0 (ZBX-4867)
[ZBX-5116] excess escaping and newlines in api xml export
Created: 2012 Jun 02   Updated: 2016 Dec 13   Resolved: 2016 Dec 13

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A)
Affects Version/s: None
Fix Version/s: 3.4.0alpha1
Type: Sub-task
Priority: Major
Reporter: richlv
Assignee: Unassigned
Resolution: Fixed
Votes: 1
Labels: escaping, export, xml
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Description
configuration.export seems to have some issues:
a) in the export, slashes are escaped by backslashing them. this doesn't seem to be necessary, and does not match the example at http://www.zabbix.com/documentation/2.0/manual/appendix/api/configuration/export
b) there are two excess newlines:

Comments
Comment by Pavels Jelisejevs (Inactive) [ 2012 Sep 11 ]
a) Slashes are not escaped in XML, but when encoding it in JSON, according to JSON standards.
b) This is a feature of the PHP XMLWriter class we're using, we can't disable it.
CLOSED.
Comment by richlv [ 2012 Sep 11 ]
a) json standard does not seem to mandate escaping slashes.
"All Unicode characters may be placed within the quotation marks except for the characters that must be escaped: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F)."
"" quotation mark U+0022"
(above from http://www.ietf.org/rfc/rfc4627.txt)
or am i missing something here ?
<pavels> Yeah, sorry, it does not require to encode slashes, but most of the JSON encoders (including the standard json_encode() function in PHP <5.4 and the one we use) do that by default, so it could be easily embedded in the <script> tag. Another built in feature we can't turn off.
<richlv> http://php.net/manual/en/function.json-encode.php has JSON_UNESCAPED_SLASHES mentioned. what is it ? oh, right, that's since 5.4.0. let's use it on >= 5.4.0 then
<pavels> I don't think it's a good idea to make APIs output dependent on the version of PHP.
<richlv> dammit. but good point. can we just strip slash escaping ?
Comment by richlv [ 2015 Dec 25 ]
with zabbix 3.0 requiring php 5.4, this issue should be easy to solve now
Comment by richlv [ 2015 Dec 25 ]
also see
Comment by Aleksandrs Saveljevs [ 2016 Oct 17 ]
Also see (11) in
Comment by vitalijs.cemeris (Inactive) [ 2016 Nov 09 ]
Fixed in the development branch svn://svn.zabbix.com/branches/dev/ZBX-5116
Comment by Ivo Kurzemnieks [ 2016 Nov 09 ]
(1) Translation strings?
vitalijs.cemeris: No translation strings changed.
iivs: CLOSED
Comment by vitalijs.cemeris (Inactive) [ 2016 Nov 22 ]
(2) Encoding to JSON text should not escape forward slashes in export or any result of API request, however for other cases forward slashes should be escaped for security reasons.
RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-5116
iivs: CLOSED
Comment by richlv [ 2016 Nov 22 ]
vitalijs.cemeris, is there a summary somewhere on what are the security reasons ?
vitalijs.cemeris: When using encodeJson() for inserting string in javascript it must escape forward slashes, because HTML will consider </script> as closing tag.
<richlv> thanks. where does zabbix put the exported data in javascript ?
vitalijs.cemeris: Nowhere, in exported data and all API results forward slashes are not escaped anymore. As for other places where encode to JSON is used forward slashes are escaped.
iivs: Give an example where unescaping a forward slash breaks the functionality.
vitalijs.cemeris: For example when requesting with invalid dstfrm parameter in popup_httpstep.php
http://localhost/popup_httpstep.php?dstfrm=</script><script>alert(document.cookie);</script>
This will execute client side script for example in firefox. As for chrome XSS auditor will refuse to execute script.
<richlv> vitalijs.cemeris, i might have misunderstood this comment : "Encoding to JSON format should not escape forward slashes in export or any result of API request, however for other cases forward slashes should be escaped for security reasons." - here, json refers to the api in general, not just the json configuration export format, right ?
vitalijs.cemeris: Yes, when exporting in json or xml export format forward slashes are not escaped anymore.
<richlv> thanks a lot, sounds great
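The two output contexts argued over in the 2012 Sep 11 exchange, item (2) and the comment above (a JSON parser consuming API/export output versus an HTML parser consuming JSON inlined into a script element) can be shown side by side with PHP's own json_encode() flags. The block below is an added example written for this page, not Zabbix code and not its encodeJson(); it assumes PHP 5.4 or later (JSON_UNESCAPED_SLASHES exists since 5.4.0, the JSON_HEX_* flags since 5.3.0), and the function names and the sample data are constructed for illustration.

```php
<?php
// Added example, not Zabbix code. Assumes PHP >= 5.4 (JSON_UNESCAPED_SLASHES exists
// since 5.4.0; the JSON_HEX_* flags since 5.3.0). Function names are hypothetical.

/**
 * Context 1: API responses and configuration export. The consumer is a JSON
 * parser, so "/" needs no escaping; RFC 4627 only requires escaping '"', '\'
 * and the control characters U+0000 through U+001F.
 */
function encodeForApi($value)
{
    return json_encode($value, JSON_UNESCAPED_SLASHES);
}

/**
 * Context 2: JSON inlined into an HTML <script> element. The HTML tokenizer
 * runs before the JavaScript engine and terminates the script element at the
 * first "</script" it sees, even inside a JS string literal. PHP's default of
 * encoding "/" as "\/" turns "</script>" into "<\/script>", which JavaScript
 * still decodes to the same string but the HTML parser does not treat as a tag.
 * JSON_HEX_TAG goes further and encodes "<" and ">" as \u003C and \u003E.
 */
function encodeForInlineScript($value)
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

/**
 * Defender-side check for anything that ends up inside a <script> block:
 * the encoded text must not contain a literal "</script" (case-insensitive).
 */
function isSafeForInlineScript($json)
{
    return stripos($json, '</script') === false;
}

// Constructed sample data: an export record containing a URL (lots of slashes)
// and a user-supplied value of the kind passed in a dstfrm parameter.
$export    = array('url' => 'http://localhost/zabbix/api_jsonrpc.php', 'name' => 'Template OS Linux');
$userValue = array('dstfrm' => 'a</script>b');

echo "export, PHP default:       ", json_encode($export), "\n";
echo "export, unescaped slashes: ", encodeForApi($export), "\n";

$variants = array(
    'default' => json_encode($userValue),
    'api'     => encodeForApi($userValue),
    'inline'  => encodeForInlineScript($userValue),
);
foreach ($variants as $label => $json) {
    echo str_pad($label, 8), $json, "  safe in <script>: ",
         isSafeForInlineScript($json) ? 'yes' : 'no', "\n";
}
```

Running it shows the trade-off the thread settles on: the export line with JSON_UNESCAPED_SLASHES is byte-for-byte what the documentation example looks like, while the "api" variant of the user value fails the inline-script check because the literal `</script>` survives encoding. The "default" and "inline" variants pass it, which is why the fix keeps slash escaping everywhere JSON is written into a page and drops it only for export and API results, where no HTML parser ever sees the text.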
Comment by Ivo Kurzemnieks [ 2016 Nov 23 ]
TESTED
Comment by vitalijs.cemeris (Inactive) [ 2016 Nov 24 ]
Fixed in pre-3.3.0 (r63970)
Comment by vitalijs.cemeris (Inactive) [ 2016 Nov 24 ]
(3) [D] API documentation:
RESOLVED
martins-v: Reviewed, with a small grammar fix. CLOSED
iivs: Why is it backwards incompatible? It affects only encoding, not decoding. REOPENED
vitalijs.cemeris: Moved to list of other changes and bug fixes. RESOLVED
martins-v: Looks good. CLOSED