[augeas-devel] escaping special characters in the path sent to aug_get()

David Lutterkort lutter at watzmann.net
Wed Jan 21 01:56:04 UTC 2015


Hi all,

sorry for responding this extremely late - one day, I'll get the hang of
this email thing; this somehow completely slipped through the cracks.

One of the completely underdocumented things is that path expressions are
actually typed, and evaluating them can produce values of a number of types
(enum type in pathx.c:60).

When you say 'match /some/thing', Augeas simply evaluates the path
expression, and afterwards the match command insists that the result of
evaluating is a nodeset (T_NODESET) .. playing with this in augtool is made
a little harder by augtool doing its own quoting, but if you type 'match
2+2' or 'match "'foo'"' augtool will complain with "Invalid path
expression: type error" because those two path expressions evaluate to a
number resp. a string, not a nodeset.

The upside is that when you do defvar you can set a variable not just to a
nodeset, but also to a string - again, in augtool, you need to take some
care to get quoting right; for example doing 'defvar x "'foo'"' will set x
to the string 'foo', and not the nodeset matching 'foo'. That way, you can
get the effect of a 'defconst' by setting a variable to a string.

You can also follow Dom's suggestion of using a path expression like
/some/path/*[label() = ' strange string with stuff '] or of course
/some/path/*[label() = $x]. So Richard's example will work with a minor
tweak, namely that you need to say 'defvar username "'root'"' in augtool.

Note that if you use a path like this, call aug_match, and then call aug_get
on each of the returned matches, you can still get errors because the paths
that aug_match returns can still be invalid - augtool trips over that since
calling 'match' in augtool first calls aug_match and then aug_get for each
of the paths that aug_match returned.

To make up for the extremely slow response, I opened a pull request that
hopefully addresses all this:
https://github.com/hercules-team/augeas/pull/198

I'd highly appreciate review(s) of these patches as they root around in
some Augeas internals that shouldn't be disturbed ;)

David






On Wed, Dec 10, 2014 at 5:21 AM, Richard W.M. Jones <rjones at redhat.com>
wrote:

> On Wed, Dec 10, 2014 at 12:38:55PM +0000, Dominic Cleal wrote:
> > Here's another idea:
> >
> >   get /files/sys/class/net/*[label()='em1']/address/content
> >
> > Instead of putting the unsanitised content directly into the path, you
> > put it into the quoted string, which significantly reduces the amount of
> > escaping required.
> >
> > To escape safely in that string, you'd double any slashes (as there are
> > some escape codes) and remove any single quotes (it appears to me that
> > escaping quotes doesn't work).
> >
> > I agree about the direction of an aug_defconst or aug_escape though, the
> > API should be able to help more with unsanitised data.
>
> I'm having a hard time making variables work at all.
>
> For example, is the second set of commands below supposed to work?
>
> augtool> get /files/etc/passwd/*[label()='root']/uid
> /files/etc/passwd/*[label()='root']/uid = 0
>
> augtool> defvar username root
> augtool> get /files/etc/passwd/*[label()=$username]/uid
> /files/etc/passwd/*[label()=$username]/uid (o)
> augtool> get /files/etc/passwd/*[label()='$username']/uid
> /files/etc/passwd/*[label()='$username']/uid (o)
> augtool> get /files/etc/passwd/*[label()=username]/uid
> /files/etc/passwd/*[label()=username]/uid (o)
>
> _If_ that worked, then implementing aug_defconst would allow us to
> sanitize user input quite cleanly.
>
> Rich.
>
> --
> Richard Jones, Virtualization Group, Red Hat
> http://people.redhat.com/~rjones
> Read my programming and virtualization blog: http://rwmj.wordpress.com
> virt-df lists disk usage of guests without needing to install any
> software inside the virtual machine.  Supports Linux and Windows.
> http://people.redhat.com/~rjones/virt-df/
>
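
An added example, not part of the original message and not Augeas code: a conservative way to place untrusted text into the label() comparison discussed in this thread. `quote_literal` and `label_path` are hypothetical helpers, and the code assumes that a path-expression string literal may be delimited by either quote character and that the delimiter cannot be escaped inside it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* quote_literal() is a hypothetical helper, not a libaugeas function.
 * It wraps untrusted text in a path-expression string literal and returns
 * a malloc'd string, or NULL when the text cannot be represented safely. */
char *quote_literal(const char *s)
{
    if (s == NULL) return NULL;
    int has_sq = strchr(s, '\'') != NULL;
    int has_dq = strchr(s, '"') != NULL;
    /* Assumption: no reliable escape for the delimiter inside a literal, so
     * text holding both quote kinds is refused. Backslashes are refused as
     * well, because the thread leaves their handling in literals unclear. */
    if ((has_sq && has_dq) || strchr(s, '\\') != NULL)
        return NULL;
    char delim = has_sq ? '"' : '\'';   /* pick the quote the text lacks */
    size_t n = strlen(s);
    char *out = malloc(n + 3);          /* two delimiters plus the NUL */
    if (out == NULL) return NULL;
    snprintf(out, n + 3, "%c%s%c", delim, s, delim);
    return out;
}

/* Build a path whose label() test compares against the quoted literal;
 * returns NULL if the label is refused or memory runs out. */
char *label_path(const char *parent, const char *label, const char *child)
{
    char *lit = quote_literal(label);
    if (lit == NULL) return NULL;
    size_t len = strlen(parent) + strlen(lit) + strlen(child) + 16;
    char *path = malloc(len);
    if (path != NULL)
        snprintf(path, len, "%s/*[label()=%s]/%s", parent, lit, child);
    free(lit);
    return path;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the thread. */
    const char *samples[] = { "root", "o'brien", "a'b\"c", "back\\slash" };
    for (size_t i = 0; i < 4; i++) {
        char *p = label_path("/files/etc/passwd", samples[i], "uid");
        printf("%-12s -> %s\n", samples[i], p ? p : "(refused)");
        free(p);
    }
    return 0;
}
```

The string returned by `quote_literal` can also be passed as the `expr` argument of `aug_defvar`, so that the path itself stays fixed and refers to the value as `$username`.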