spotify/pyfg

Character '#' in configuration is not being handled properly

Opened this issue · 2 comments

If the configuration contains the character '#' the script will fail with the following traceback:

Traceback (most recent call last):
  File "./pyFG-test.py", line 16, in <module>
    d.load_config(sys.argv[3])
  File "build/bdist.linux-x86_64/egg/pyFG/fortios.py", line 215, in load_config
  File "build/bdist.linux-x86_64/egg/pyFG/forticonfig.py", line 377, in parse_config_output
AttributeError: 'NoneType' object has no attribute 'get_block_names'

It seems that the character '#' is considered harmful for most parts of the configuration; usually, trying to use it fails in the following way:

 # config firewall address
 (address) # edit "test#"

The string contains XSS vulnerability characters

value parse error before 'test#'
Command fail. Return code -173

At least vpn ssl web user-bookmark allows the character:

 # config vpn ssl web user-bookmark
 (user-bookmark) # edit "test#"
new entry 'test#' added
 (test#) # end
 show vpn ssl web user-bookmark
config vpn ssl web user-bookmark
    edit "test#"
    next
end

I actually see no reason why that character is part of the configuration and I will most likely remove it. There is also a chance of this being a FortiOS issue, in case this character should not be allowed at all in any part of the configuration. Maybe you can and want to fix this; otherwise it is at least documented.

It seems that this is not a FortiOS issue; the "#" character seems to be intentionally used here as a delimiter between user and user group. Old documentation (http://docs-legacy.fortinet.com/fgt/handbook/cli52_html/index.html#page/FortiOS%205.2%20CLI/config_vpn.26.22.html) suggests, and testing shows, that syntax like "<user#grp_name>" is expected. This would look as follows in the configuration:

config vpn ssl web user-bookmark
    edit "user#grp_name"
    next
end

This is happening due to prompt recognition in pyFG/fortios.py: line.split('#') is used to detect the prompt, but as the character may also be part of the configuration, this can lead to false positives.

The CLI prompt in FortiOS 5.2, 5.6 and 6.0 looks as follows (whitespace marked with "_"):
<hostname>_#_

In this particular configuration example, whitespace before and after the "#" is not allowed; the firewall returns the following error if there is any: table name cannot have leading or trailing spaces

So instead of matching with line.split('#') we could match with line.split(' # '), see also pull request #32.

Removing the prompt recognition yields identical results for me when reading the running configuration, but I have not checked whether the prompt recognition is required by any other tasks, such as changing the configuration; someone else may advise.
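To make the false positive discussed in this thread concrete, the following is an added example written for this page; it is not pyFG's code and not from any participant above. It models the prompt stripping described in the comments (any '#' treated as the end of the prompt, versus the ' # ' form proposed in PR #32) and runs both over a constructed "show vpn ssl web user-bookmark" session. The hostname "FGT", the sample lines, the "(context)" prompt form and the stricter hostname-anchored variant are assumptions for illustration, not behaviour documented on this page.

```python
import re

# Constructed sample (not from the issue): the raw lines a client like pyFG
# would read back from a FortiOS box whose hostname is assumed to be "FGT"
# after sending the show command. Line 1 is the echoed prompt + command and
# the last line is the bare prompt that signals the command has finished.
SAMPLE_LINES = [
    'FGT # show vpn ssl web user-bookmark',
    'config vpn ssl web user-bookmark',
    '    edit "user#grp_name"',
    '    next',
    'end',
    'FGT # ',
]

# Second constructed sample: a quoted value that itself contains " # ". Whether
# FortiOS accepts this in a comment is an assumption; it is here to show where
# a plain ' # ' split still has a false positive.
TRICKY_LINES = [
    'FGT (address) # show',
    'config firewall address',
    '    edit "web01"',
    '        set comment "ticket # 42"',
    '    next',
    'end',
    'FGT (address) # ',
]

EDIT_RE = re.compile(r'^\s*edit "(?P<name>[^"]*)"\s*$')


def strip_prompt_naive(line):
    """Model of the behaviour the thread describes: the first '#' on the line is
    taken as the end of the prompt and everything before it is discarded."""
    parts = line.split('#')
    return parts[1] if len(parts) > 1 else parts[0]


def strip_prompt_loose(line):
    """The fix proposed in the thread: split on ' # ' (space, hash, space). A
    table name cannot contain this because the CLI rejects leading/trailing
    spaces, so "user#grp_name" survives. A ' # ' inside a quoted value does not."""
    parts = line.split(' # ')
    return parts[1] if len(parts) > 1 else parts[0]


def hostname_from_prompt(line):
    """Learn the hostname from an echoed prompt line: '<hostname>[ (context)] # ...'."""
    m = re.match(r'^(\S+)(?: \([^)]*\))? # ', line)
    return m.group(1) if m else None


def strip_prompt_anchored(line, hostname):
    """Stricter variant (assumed prompt shape, not from the page): the prompt must
    start the line with the known hostname, an optional '(context)' and ' # '.
    A ' # ' later in the line, e.g. inside a quoted value, is left alone."""
    prompt_re = re.compile(r'^' + re.escape(hostname) + r'(?: \([^)]*\))? # ')
    return prompt_re.sub('', line, count=1)


def clean_lines(lines, strip):
    """Apply a prompt-stripping function to every line of a captured session."""
    return [strip(line) for line in lines]


def table_names(lines, strip):
    """Strip prompts with `strip`, then collect the names of all 'edit "..."' entries.
    This stands in for what a config parser sees after prompt removal: with the
    naive split the 'edit "user#grp_name"' line is mangled and the entry vanishes,
    which is the kind of truncated input that leads to the traceback above."""
    names = []
    for line in lines:
        m = EDIT_RE.match(strip(line))
        if m:
            names.append(m.group('name'))
    return names


if __name__ == '__main__':
    host = hostname_from_prompt(SAMPLE_LINES[0])
    print('naive   :', table_names(SAMPLE_LINES, strip_prompt_naive))
    print('loose   :', table_names(SAMPLE_LINES, strip_prompt_loose))
    print('anchored:', table_names(SAMPLE_LINES, lambda l: strip_prompt_anchored(l, host)))
    print('loose comment line   :', clean_lines(TRICKY_LINES, strip_prompt_loose)[3])
    print('anchored comment line:', clean_lines(TRICKY_LINES, lambda l: strip_prompt_anchored(l, host))[3])
```

Splitting on ' # ' is enough for the user-bookmark case in this issue, but any value that can legally contain a space-hash-space sequence would still be cut; anchoring the match to the hostname seen in the first prompt line closes that gap at the cost of having to learn the hostname before stripping.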