fix(sec): allow to set illegal characters for centcore (#7206)

* fix(sec): allow to set illegal characters for centcore

* add french translation for centcore illegal characters

* update properly centcore parameter in database

* move upgrade script

lang/fr_FR.UTF-8/LC_MESSAGES/help.po

@@ -384,6 +384,10 @@ msgstr ""
 "configuration du module Centreon Broker. Si l’option est désactivée, alors les "
 "données de statistiques ne seront pas visibles dans le menu dédié."
 
+#: centreon-web/www/include/Administration/parameters/centcore/help.php:26
+msgid "Illegal characters in external commands. Those characters will be removed before being interpreted by Centcore."
+msgstr "Caractères illégaux dans les commandes externes. Ces caractères seront supprimés avant d'être interprétés par Centcore."
+
 #: centreon-web/www/include/Administration/parameters/ldap/help.php:7
 msgid "Name of configuration"
 msgstr "Nom de la configuration"

lang/fr_FR.UTF-8/LC_MESSAGES/messages.po

@@ -4295,6 +4295,10 @@ msgstr ""
 msgid "Timeout value for Centcore commands"
 msgstr "Temps maximum d'exécution des commandes centcore"
 
+#: centreon-web/www/include/Administration/parameters/centcore/centcore.php:62
+msgid "Illegal characters for Centcore commands"
+msgstr "Caractères illégaux pour les commandes Centcore"
+
 #: centreon-web/www/include/Administration/parameters/api/api.php:77
 #: centreon-web/www/include/options/accessLists/groupsACL/formGroupConfig.php:175
 #: centreon-web/www/include/configuration/configObject/host/formHost.php:729

lib/perl/centreon/script/centcore.pm

@@ -63,6 +63,7 @@ sub new {
     $self->{service} = "service";
     $self->{timeout} = 5;
     $self->{cmd_timeout} = 5;
+    $self->{illegal_characters} = "";
 
     $self->{ssh} .= " -o ConnectTimeout=$self->{timeout} -o StrictHostKeyChecking=yes -o PreferredAuthentications=publickey -o ServerAliveInterval=10 -o ServerAliveCountMax=3 -o Compression=yes ";
     $self->{rsync} .= " --timeout=$self->{timeout} ";
@@ -421,6 +422,21 @@ sub checkSSHPort($) {
     return $port;
 }
 
+######################################################
+## Remove illegal characters from an external command.
+## Param : command line
+#
+sub removeIllegalCharacters($) {
+    my $self = shift;
+    my ($cmdLine) = @_;
+
+    return $cmdLine if (!defined($self->{illegal_characters}) || $self->{illegal_characters} eq '');
+
+    $cmdLine =~ s/[\Q$self->{illegal_characters}\E]//g;
+
+    return $cmdLine;
+}
+
 ################################################
 ## Send an external command on a remote server.
 ## Param : id_remote_server, external command
@@ -459,7 +475,7 @@ sub sendExternalCommand($$){
                         $cmd_line = "";
                         $count = 0;
                     } else {
-                        $cmd_line .= $cmd1."\n";
+                        $cmd_line .= $self->removeIllegalCharacters($cmd1) . "\n";
                     }
                     $count++;
                 }
@@ -493,7 +509,7 @@ sub sendExternalCommand($$){
             my @splittedCommands = split(/\n/, $cmd);
             my $countCommands = @splittedCommands;
             foreach my $cmd1 (@splittedCommands) {
-                $cmd_line .= $cmd1 . "\n";
+                $cmd_line .= $self->removeIllegalCharacters($cmd1) . "\n";
                 $count++;
                 $totalCount++;
 
@@ -1070,14 +1086,16 @@ sub parseRequest($){
 sub checkProfile() {
     my $self = shift;
 
-    my $request = "SELECT * FROM options WHERE `key` IN ('enable_perfdata_sync', 'enable_logs_sync', 'centcore_cmd_timeout', 'enable_broker_stats')";
+    my $request = "SELECT * FROM options "
+        . "WHERE `key` IN ('enable_perfdata_sync', 'enable_logs_sync', "
+        . "'centcore_cmd_timeout', 'enable_broker_stats', 'centcore_illegal_characters')";
     my ($status, $sth) =  $self->{centreon_dbc}->query($request);
     return -1 if ($status == -1);
     while ((my $data = $sth->fetchrow_hashref())) {
         if (defined($data->{key}) && $data->{key} ne "" && defined($data->{value}) && $data->{value} ne "") {
             if ($data->{key} eq "enable_perfdata_sync") {
                 $self->{perfdataSync} = $data->{value};
-            } 
+            }
             if ($data->{key} eq "enable_logs_sync") {
                 $self->{logSync} = $data->{value};
             }
@@ -1087,6 +1105,9 @@ sub checkProfile() {
             if ($data->{key} eq "enable_broker_stats") {
                 $self->{enable_broker_stats} = $data->{value};
             }
+            if ($data->{key} eq "centcore_illegal_characters") {
+                $self->{illegal_characters} = $data->{value};
+            }
         }
     }
     return 0;

www/include/Administration/parameters/DB-Func.php

@@ -301,6 +301,13 @@ function updateCentcoreConfigData($db, $form, $centreon)
         "centcore_cmd_timeout",
         isset($ret["centcore_cmd_timeout"]) && $ret['centcore_cmd_timeout'] ? $ret['centcore_cmd_timeout'] : 0
     );
+    updateOption(
+        $db,
+        "centcore_illegal_characters",
+        isset($ret["centcore_illegal_characters"]) && $ret['centcore_illegal_characters']
+            ? $ret['centcore_illegal_characters']
+            : ""
+    );
     $centreon->initOptGen($db);
 }
 

www/include/Administration/parameters/centcore/centcore.ihtml

@@ -14,6 +14,14 @@
         </tr>
         <tr class="list_two"><td class="FormRowField"><img class="helpTooltip" name="tip_enable_broker_stats">&nbsp;{$form.enable_broker_stats.label}</td><td class="FormRowValue">{$form.enable_broker_stats.html}</td></tr>
         <tr class="list_one"><td class="FormRowField"><img class="helpTooltip" name="tip_centcore_cmd_timeout">&nbsp;{$form.centcore_cmd_timeout.label}</td><td class="FormRowValue">{$form.centcore_cmd_timeout.html}&nbsp;{t}seconds{/t}</td></tr>
+        <tr class="list_two">
+            <td class="FormRowField">
+                <img class="helpTooltip" name="tip_centcore_illegal_characters">&nbsp;{$form.centcore_illegal_characters.label}
+            </td>
+            <td class="FormRowValue">
+                {$form.centcore_illegal_characters.html}
+            </td>
+        </tr>
     </table>
     {if !$valid}
         <div id="validForm" class="oreonbutton"><p>{$form.submitC.html}&nbsp;&nbsp;&nbsp;{$form.reset.html}</p></div>

www/include/Administration/parameters/centcore/centcore.php

@@ -59,6 +59,7 @@
 $form->addElement('checkbox', 'enable_broker_stats', _("Enable Broker Statistics Collection"));
 $form->addElement('text', 'centcore_cmd_timeout', _("Timeout value for Centcore commands"), $attrsText2);
 $form->addRule('centcore_cmd_timeout', _('Must be a number'), 'numeric');
+$form->addElement('text', 'centcore_illegal_characters', _("Illegal characters for Centcore commands"), $attrsText);
 
 $form->addElement('hidden', 'gopt_id');
 $redirect = $form->addElement('hidden', 'o');

www/include/Administration/parameters/centcore/help.php

@@ -23,3 +23,7 @@
     . " the network load generated by Centcore. Be carefull: broker statistics will not be"
     . " available into Home > Broker statistics."
 );
+$help['tip_centcore_illegal_characters'] = dgettext(
+    'help',
+    "Illegal characters in external commands. Those characters will be removed before being interpreted by Centcore."
+);

www/install/insertBaseConf.sql

@@ -139,7 +139,8 @@ INSERT INTO `options` (`key`, `value`) VALUES
 ('nagios_path_img','@centreon_dir@/www/img/media/'),
 ('selectPaginationSize', 60),
 ('display_downtime_chart','0'),
-('display_comment_chart','0');
+('display_comment_chart','0'),
+('centcore_illegal_characters', '`');
 
 --
 -- Contenu de la table `giv_components_template`

www/install/sql/centreon/Update-DB-18.10.3_to_18.10.4.sql

@@ -1,2 +1,5 @@
 -- Change version of Centreon
 UPDATE `informations` SET `value` = '18.10.4' WHERE CONVERT( `informations`.`key` USING utf8 ) = 'version' AND CONVERT ( `informations`.`value` USING utf8 ) = '18.10.3' LIMIT 1;
+
+-- Add default illegal characters for centcore external commands
+INSERT INTO `options` (`key`, `value`) VALUES ('centcore_illegal_characters', '`');