Bug 170553 - RPC API doesn't excape strings propperly
Summary: RPC API doesn't excape strings propperly
Alias: None
Product: Red Hat Network
Classification: Red Hat
Component: RHN/Other   
(Show other bugs)
Version: rhn400
Hardware: All Linux
Target Milestone: ---
Assignee: Jesus M. Rodriguez
QA Contact: Ken Ganong
Depends On:
Blocks: 171832
TreeView+ depends on / blocked
Reported: 2005-10-12 20:27 UTC by Jack Neely
Modified: 2007-04-18 17:32 UTC (History)
3 users (show)

Fixed In Version: rhn410
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-07-20 00:31:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
xmlrpclib in verbose mode (292.81 KB, text/plain)
2005-10-12 20:30 UTC, Jack Neely
no flags Details

Description Jack Neely 2005-10-12 20:27:59 UTC
Description of problem:
I'm running a simple python XMLRPC client against the RHN API, which I do know
is experimental.

On calling system.list_groups() I get the following traceback:

xml.parsers.expat.ExpatError: not well-formed (invalid token): line 422, column 86

It appears that the RHN API doesn't propperly escape characters in group names
specifically.  As "<string>UNC-CH Center for Functional GI & Motility
Disorders</string>" is not valid.

Version-Release number of selected component (if applicable):
rhn.redhat.com 4.0.0

How reproducible:
Make a group with a & in it

Comment 1 Jack Neely 2005-10-12 20:30:09 UTC
Created attachment 119850 [details]
xmlrpclib in verbose mode

This is the output of my python script with xmlrpclib in verbose mode.	Note
the bad XML.

Comment 4 Jesus M. Rodriguez 2006-06-03 01:07:09 UTC
1) create a system group with an ampersand in its name (see original comment)
2) call system.list_groups with the user used to create the above system group.
3) verify the XML returned is properly escaped and that the client gets
   the proper value, that is system group returned to client must match that
   in web ui.

Comment 5 Todd Sanders 2006-06-08 14:32:05 UTC
Reassigning QA responsibility to Ken

Comment 7 Ken Ganong 2006-06-08 17:50:26 UTC
The API now escapes all kinds of crazy characters I threw at it.
However, the website doesn't seem to be as robust,  see bug #194515

This bug fix is now verified.

Comment 8 Beth Nackashi 2006-07-20 00:31:57 UTC
closing - currentrelease

Note You need to log in before you can comment on or make changes to this bug.