elog client can set arbitrary values to locked attributes, posted by David Potterveld on Mon Nov 10 16:56:08 2008
    Re: elog client can set arbitrary values to locked attributes, posted by Stefan Ritt on Mon Nov 17 11:20:28 2008
       Re: elog client can set arbitrary values to locked attributes, posted by Stefan Ritt on Mon Nov 17 11:39:03 2008
Message ID: 66053     Entry time: Mon Nov 17 11:20:28 2008     In reply to: 66038     Reply to this: 66054
Icon: Reply  Author: Stefan Ritt  Author Email: 
Category: Bug report  OS: Linux  ELOG Version: 2.7.5-2135 
Subject: Re: elog client can set arbitrary values to locked attributes 


David Potterveld wrote:

When submitting entries via the elog client, I find that I can set arbitrary values for attributes that are supposedly "preset" and "locked".

As an example, I have in my elogd.cfg file:



Group Operations = Accelerator

Top group ATLAS = Operations


[global ATLAS]

Attributes = Experiment, Author, Author Email, Category, Subject
Required Attributes = Category, Subject
Options Category = Routine entry, Shift summary, Problem, Fix, Question, Info, Other
Extendable Options = Category

Preset Experiment =
Preset Author = $long_name
Preset Author Email = $user_email
Locked Attributes = Experiment, Author, Author Email


Attributes = Author, Author Email, Category, Subject
Options Category = Routine entry, Shift summary, Problem, Fix, Question, Info, Other


This works as intended with a web client (firefox). The Author and Author Email attributes are preset and unchangeable.

However, if I use the elog client, as in:

elog -v -h my.apache-proxy.server -d elog -l Accelerator -p 443 -s -u johndoe xxxxx -a Category=LN -a Subject=Test -a Author=IDoNotExist -n 1 -m entry.txt 
(johndoe is an existing user)

The entry is created with "IDoNotExist" as the Author name, instead of the correct name for the user johndoe,
and the Author Email attribute is blank.

Is there a way to enforce preset and locked attributes in the elogd server? (As a client could connect
with any arbitrary software, not just elog.)


Indeed "preset" and "locked" attributes are not obeyed if entries are submitted via the elog tool. This is because if you use a browser, the input form is created by elogd. If you use a locked attribute, the input field for that attribute is not shown for example. If you use the elog tool, it directly submits an entry not knowing anything about the input form. To make this work, elog would first have to request the input form, then interpret all the HTML, figure out if an attribute is locked or not, then display an error if you try to submit that attribute. Since parsing of HTML is not implemented in elog, this is currently not possible.

Originally I thought that this is not such a problem. Mostly elog is used to produce some automatic entries, where the authorship is of minor interest. But I guess you are afraid that one user could submit an entry under another user's name, right? Well, I hoped that in scientific collaborations nobody is that evil ;-)

Well, I will try to do something here in order to fix this. Will come back to you.
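
The thread above comes down to where "Locked Attributes" is enforced: in the generated form, or on the server when an entry is accepted. The following is an added example, not part of either post and not elogd's code, of a server-side check that recomputes locked attributes from the presets and the authenticated user, so that a value sent by any client is ignored. The function names, the user record and its values are assumptions made for illustration; the configuration lines and the submitted attributes are taken from the post.

```python
import re

# Excerpt of the [global ATLAS] settings quoted in the post above.
CONFIG = """\
Attributes = Experiment, Author, Author Email, Category, Subject
Preset Experiment =
Preset Author = $long_name
Preset Author Email = $user_email
Locked Attributes = Experiment, Author, Author Email
"""

def parse_config(text):
    """Return (attribute list, locked set, preset templates) from 'key = value' lines."""
    attrs, locked, presets = [], set(), {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key == "Attributes":
            attrs = items
        elif key == "Locked Attributes":
            locked = set(items)
        elif key.startswith("Preset "):
            presets[key[len("Preset "):]] = value
    return attrs, locked, presets

def enforce(config_text, submitted, user):
    """Build the stored entry; locked attributes never come from the client.
    Returns (entry, overridden), overridden = locked names the client tried to set."""
    attrs, locked, presets = parse_config(config_text)
    entry, overridden = {}, []
    for name in attrs:
        if name in locked:
            # Expand $name placeholders from the authenticated session only.
            template = presets.get(name, "")
            value = re.sub(r"\$(\w+)", lambda m: user.get(m.group(1), ""), template)
            if name in submitted and submitted[name] != value:
                overridden.append(name)
        else:
            value = submitted.get(name, "")
        entry[name] = value
    return entry, overridden

# Constructed sample: the submission from the post, made by the logged-in user johndoe.
# The full name and e-mail address are hypothetical values for that account.
USER = {"long_name": "John Doe", "user_email": "johndoe@example.org"}
SUBMITTED = {"Category": "LN", "Subject": "Test", "Author": "IDoNotExist"}
```

A server applying this check could either store the recomputed values silently or reject the request when the returned list of overridden attributes is not empty.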
