[ZBX-9087] Validation expression template for request parameter validator DB_ID is not completely functional Created: 2014 Nov 28  Updated: 2017 May 30  Resolved: 2015 Mar 04

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 2.0.13, 2.2.7, 2.4.2
Fix Version/s: 2.0.15rc1, 2.2.9rc1, 2.4.4rc1, 2.5.0

Type: Incident report Priority: Critical
Reporter: Krists Krigers (Inactive) Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: validation
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

Expression template for DB_ID validator has unnecessary single quotes around first argument to bccomp():

define('DB_ID',		"({}>=0&&bccomp('{}',\"10000000000000000000\")<0)&&");

When actually used in validation process, it produces following PHP code in function calc_exp2():

return (($_REQUEST["qqq"]["0"]>=0&&bccomp('$_REQUEST["qqq"]["0"]',"10000000000000000000")<0)) ? 1 : 0;

Expression part with bccomp() in it will always evaluate to true, regardless of value in request.
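To see the effect of the quoted placeholder, here is an added illustration (not Zabbix code) that expands both the reported template and a corrected one the way calc_exp2() does, next to a standalone bounded check; `check_with_template`, `is_valid_db_id`, the `$request` array standing in for `$_REQUEST`, and the sample IDs are assumptions of this example, and the 9223372036854775807 bound is the ZBX_DB_MAX_ID value named later in the thread.

```php
<?php
// Added example, not Zabbix code: reproduces the quoted-template defect from the
// report and a bounded validator. Assumes the bcmath extension (bccomp) is loaded.

// Bigint upper bound; the issue thread names this ZBX_DB_MAX_ID for 2.4 and later.
define('ZBX_DB_MAX_ID', '9223372036854775807');

// Template from the report: '{}' is substituted inside single quotes, so bccomp()
// receives the literal text of the variable reference instead of its value.
define('DB_ID_BUGGY', "({}>=0&&bccomp('{}',\"10000000000000000000\")<0)");
// Corrected template: the value itself is compared, against the real bigint limit.
define('DB_ID_FIXED', "({}>=0&&bccomp({},\"" . ZBX_DB_MAX_ID . "\")<=0)");

// Mimics calc_exp2(): expand the template around a variable reference and eval it.
// $request stands in for $_REQUEST (constructed input, so the example runs offline).
function check_with_template(string $template, array $request): string {
    $code = str_replace('{}', '$request["hostid"]', $template);
    try {
        return eval('return (' . $code . ') ? "accepted" : "rejected";');
    } catch (Throwable $e) {
        // PHP 8 bcmath throws ValueError on a non-numeric string such as the
        // literal '$request["hostid"]'; PHP 5/7 silently compare it as 0, which
        // is why the buggy template accepted every non-negative value.
        return 'error: ' . get_class($e);
    }
}

// Standalone validator with the checks a template cannot express cleanly:
// digits only (rejects signs, spaces, floats) and within the bigint range.
function is_valid_db_id($value): bool {
    return is_string($value) && ctype_digit($value)
        && bccomp($value, ZBX_DB_MAX_ID) <= 0;
}

// Constructed sample IDs: in range, at the bound, over the bound, negative, non-numeric.
$cases = ['12345', '9223372036854775807', '9999999999999999999', '-1', 'abc'];
foreach ($cases as $id) {
    printf("%-22s buggy=%-9s fixed=%-9s validator=%s\n",
        $id,
        check_with_template(DB_ID_BUGGY, ['hostid' => $id]),
        check_with_template(DB_ID_FIXED, ['hostid' => $id]),
        is_valid_db_id($id) ? 'ok' : 'reject');
}
```

Only the last two columns reject 9999999999999999999, which is the value that reaches the bigint column unchecked in the SQL error quoted below.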



Comments
Comment by Krists Krigers (Inactive) [ 2014 Dec 01 ]

Base fix for 2.0 is done in r50947 and r50948, branch svn://svn.zabbix.com/branches/dev/ZBX-9087.

Comment by Ivo Kurzemnieks [ 2015 Jan 30 ]

(1) No translation string changes.

sasha CLOSED

Comment by Ivo Kurzemnieks [ 2015 Jan 30 ]

(2)

  • Action operation editing seems to be broken now. Warning. Incorrect value for field "edit_operationid".
  • Host inventories overview got broken. Critical error. Incorrect value "alias" for "groupby" field.

iivs RESOLVED in r51945

sasha CLOSED

Comment by Alexander Vladishev [ 2015 Feb 02 ]

(3) Incorrect validation:

In versions 2.0 and 2.2 the range can be from 0 to 99999999999999999
2.4 and later - from 0 to 9223372036854775807 (ZBX_DB_MAX_ID)

SQL errors occur when trying to open a link with a big identifier: hosts.php?form=update&hostid=9999999999999999999

    pg_query(): Query failed: ERROR: value "9999999999999999999" is out of range for type bigint LINE 1: SELECT h.hostid FROM hosts h WHERE h.hostid='9999999999999... ^ [include/db.inc.php:440]
    Error in query [SELECT h.hostid FROM hosts h WHERE h.hostid='9999999999999999999' AND h.status IN (0,1,3)] [ERROR: value "9999999999999999999" is out of range for type bigint LINE 1: SELECT h.hostid FROM hosts h WHERE h.hostid='9999999999999... ^]

iivs RESOLVED in r51967

sasha CLOSED

Comment by Ivo Kurzemnieks [ 2015 Feb 09 ]

Upper bound of DB_ID is now "99999999999999999" for 2.0 and 2.2, and "9223372036854775807" for 2.4 and 2.5.0 (trunk).

Fixed in:

  • pre-2.0.15rc1 r52070
  • pre-2.2.9rc1 r52072
  • pre-2.4.4rc1 r52073
  • pre-2.5.0 (trunk) r52074

Comment by Oleg Egorov (Inactive) [ 2015 Feb 10 ]

(4) Parse error: syntax error, unexpected ''sort'' (T_CONSTANT_ENCAPSED_STRING), expecting ')' in C:\xampp\htdocs\trunk\frontends\php\hostinventoriesoverview.php on line 37

In Inventory->Overview

oleg.egorov Fixed syntax error in r52141

sasha CLOSED

Comment by Oleg Egorov (Inactive) [ 2015 Feb 10 ]

Fixed in 2.4.4rc1 r52142, 2.5.0 r52143
CLOSED

Comment by Oleg Egorov (Inactive) [ 2015 Feb 25 ]

(5) Reports->Bar reports->Distribution of values for multiple periods
Select 1 item

bccomp() expects parameter 1 to be string, array given [report6.php:72 → check_fields() → check_field() → calc_exp() → calc_exp2() → eval() → bccomp() in C:\xampp\htdocs\trunk\frontends\php\include\validate.inc.php(105) : eval()'d code:1]

iivs Although there is no error in 2.0, I removed DB_ID validation for array in profile.php. Those are not real IDs from DB, just an array of integers.

RESOLVED for 2.0 in svn://svn.zabbix.com/branches/dev/ZBX-9087 r52472
RESOLVED for >=2.2 in svn://svn.zabbix.com/branches/dev/ZBX-9087-22 r52474

sasha This was moved to a separate ZBX-9369 because this regression was included into version 2.4.4.

Development branches were moved to ZBX-9369 and ZBX-9369-22

CLOSED
