[vhffs-dev] [365] No more quotemeta in various classes ( SQL injection prevention is performed by prepared statements) |
- To: vhffs-dev@xxxxxxxxx
- Subject: [vhffs-dev] [365] No more quotemeta in various classes ( SQL injection prevention is performed by prepared statements)
- From: vhffs-dev@xxxxxxxxx
- Date: Mon, 04 Dec 2006 23:18:52 +0100
Revision: 365
Author: beuss
Date: 2006-12-04 19:53:05 +0000 (Mon, 04 Dec 2006)
Log Message:
-----------
No more quotemeta in various classes (SQL injection prevention is performed by prepared statements)
Added Vhffs::(User|Group|Object)::get_by_xxx to replace the new + fetch scheme; if someone uses the vhffs API (do such crazy people exist?), use these new functions.
Modified Paths:
--------------
branches/vhffs_4.1/vhffs-api/src/Vhffs/Group.pm
branches/vhffs_4.1/vhffs-api/src/Vhffs/Object.pm
branches/vhffs_4.1/vhffs-api/src/Vhffs/User.pm
branches/vhffs_4.1/vhffs-backend/conf/vhffs.conf
branches/vhffs_4.1/vhffs-tests/src/Group.pl
branches/vhffs_4.1/vhffs-tests/src/Object.pl
branches/vhffs_4.1/vhffs-tests/src/User.pl
Modified: branches/vhffs_4.1/vhffs-api/src/Vhffs/Group.pm
===================================================================
--- branches/vhffs_4.1/vhffs-api/src/Vhffs/Group.pm 2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-api/src/Vhffs/Group.pm 2006-12-04 19:53:05 UTC (rev 365)
@@ -251,9 +251,7 @@
$sth = $dbh->prepare( $query ) or return undef;
$sth->execute($gid, $owner_uid, $owner_uid);
- my $group = new Vhffs::Group($main, $groupname, $gid);
- $group->fetch;
- return $group;
+ return get_by_gid($main, $gid);
}
#create a new group with the name given in parameter
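Review bot: `return get_by_gid($main, $gid);` runs even when the INSERT on the line above fails, because the result of `$sth->execute(...)` is never checked, and Vhffs::Group::get_by_gid (added in the next hunk) does not report a missing row itself, so the caller would get a blessed group with undefined fields instead of undef. Guard the execute call first: `$sth->execute($gid, $owner_uid, $owner_uid) or return undef;`. The enclosing sub starts before this hunk.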
@@ -808,6 +806,37 @@
}
+sub get_by_gid {
+ my ($vhffs, $gid) = @_;
+ my $query = 'SELECT g.gid, o.object_id, o.owner_uid, gi.uid_mod, g.groupname, g.passwd, g.quota, g.quota_used, o.date_creation, o.description, o.state FROM vhffs_groups g INNER JOIN vhffs_groups_info gi ON g.gid = gi.gid INNER JOIN vhffs_object o ON o.object_id = g.object_id WHERE g.gid = ?';
+
+ my $dbh = $vhffs->get_db_object;
+ my @params = $dbh->selectrow_array($query, undef, $gid);
+ my $group = _new Vhffs::Group($vhffs, @params);
+ return $group;
+}
+sub get_by_groupname {
+ my ($vhffs, $groupname) = @_;
+ my $query = 'SELECT g.gid, o.object_id, o.owner_uid, gi.uid_mod, g.groupname, g.passwd, g.quota, g.quota_used, o.date_creation, o.description, o.state FROM vhffs_groups g INNER JOIN vhffs_groups_info gi ON g.gid = gi.gid INNER JOIN vhffs_object o ON o.object_id = g.object_id WHERE g.groupname = ?';
+
+ my $dbh = $vhffs->get_db_object;
+ my @params = $dbh->selectrow_array($query, undef, $groupname);
+ my $group = _new Vhffs::Group($vhffs, @params);
+ return $group;
+}
+
+
+sub _new {
+ no strict 'refs';
+ my ($class, $main, $gid, $oid, $owner_uid, $uid_mod, $groupname, $passwd, $quota, $quota_used, $date_creation, $description, $state) = @_;
+ my $self = $class->SUPER::_new($main, $oid, $owner_uid, $date_creation, $description, $state);
+ return undef unless(defined $self);
+ foreach (qw (gid uid_mod groupname passwd quota quota_used) ) {
+ eval '$self->{$_} = $'.$_;
+ }
+ return $self;
+}
+
1;
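Review bot: get_by_gid and get_by_groupname never check whether selectrow_array returned a row, so an unknown gid or groupname yields a Vhffs::Group whose gid, groupname and every other field are undef, whereas User.pm's get_by_uid and get_by_username return undef in that case; add `return undef unless @params;` after each selectrow_array call. In _new the string eval can be replaced by a hash slice, `@{$self}{qw(gid uid_mod groupname passwd quota quota_used)} = ($gid, $uid_mod, $groupname, $passwd, $quota, $quota_used);`, which is not re-parsed on every call, and the `no strict 'refs'` is not needed by either form. Both constructors also depend on the SELECT column order matching _new's positional parameter list exactly (the same holds for User.pm's get_by_uid/get_by_username and _new); a comment on each query such as `# column order must match _new's parameter list` makes the coupling visible, and selectrow_hashref would remove it. Prefer `Vhffs::Group->_new($vhffs, @params)` to the indirect-object form `_new Vhffs::Group(...)`.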
Modified: branches/vhffs_4.1/vhffs-api/src/Vhffs/Object.pm
===================================================================
--- branches/vhffs_4.1/vhffs-api/src/Vhffs/Object.pm 2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-api/src/Vhffs/Object.pm 2006-12-04 19:53:05 UTC (rev 365)
@@ -98,6 +98,26 @@
return $self;
}
+sub _new {
+ my ($class, $main, $oid, $owner_uid, $date_creation, $description, $state) = @_;
+
+ $self = {};
+
+ bless($self, $class);
+
+ return undef unless(defined $main);
+
+ $self->{main} = $main;
+ $self->{db} = $main->get_db_object;
+ $self->{object_id} = $oid;
+ $self->{owner_uid} = $owner_uid;
+ $self->{date_creation} = $date_creation;
+ $self->{description} = $description;
+ $self->{state} = $state;
+
+ return $self;
+}
+
sub get_main
{
my $self = shift;
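Review bot: `$self = {};` in _new has no `my`, so if Object.pm runs under strict (not visible here) it only compiles when a package-level `$self` is already declared, and in that case every call shares one global that the next call overwrites; declare it `my $self = {};`. The `defined $main` guard would also read better before the hash is built, `return undef unless defined $main;` as the first statement, since Vhffs::Group::_new and Vhffs::User::_new both rely on that undef result. get_main continues past the end of this hunk.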
@@ -259,8 +279,6 @@
my $self = shift;
my $request;
- $self->{description} = quotemeta $self->{description};
-
$request = 'UPDATE vhffs_object SET state=?, description=?, owner_uid=? WHERE object_id=?';
my $result = $self->{'db'}->prepare($request);
$result->execute( $self->{'state'} , $self->{'description'} , $self->{'owner_uid'} , $self->{'object_id'} );;
@@ -366,7 +384,7 @@
{
my ($self , $value) = @_;
$value =~ s/\?/ \?/g;
- $self->{'description'} = quotemeta( $value );
+ $self->{'description'} = $value ;
}
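Review bot: set_description still rewrites every `?` in the value to ` ?` (`$value =~ s/\?/ \?/g;`) before storing it; that looks like a leftover from the escaping era, and now that commit() binds the description through a placeholder it silently alters user text ("why?" becomes "why ?"). If nothing downstream depends on that spacing, drop the substitution so the setter stores `$value` unchanged, and drop the stray space in `$value ;`. The sub's signature line is above this hunk.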
@@ -380,7 +398,7 @@
{
my $self = shift;
my $message = shift;
- $message = quotemeta( $message );
+ $message = $message;
$query = 'INSERT INTO vhffs_history(object_id, date, message) VALUES(?, NOW(), ?)';
$request = $self->{'db'}->prepare( $query );
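Review bot: `$message = $message;` is a no-op left where quotemeta was removed; delete the line rather than keep the self-assignment. The surrounding `$query` and `$request` are assigned without `my`, so they are package globals shared by every call; a `my` on each is worth adding while this sub is being touched. The sub starts before the hunk.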
@@ -483,8 +501,23 @@
return undef;
}
+sub get_by_id
+{
+ my ($vhffs, $oid) = @_;
+ my $query = 'SELECT owner_uid, date_creation, state, description FROM vhffs_object WHERE object_id =?';
+ my $sth = $vhffs->get_db_object->prepare( $query );
+ my $rows = $sth->execute( $oid );
+ return undef unless $rows == 1;
+ my $result = $sth->fetchrow_hashref();
+
+ my $object = _new Vhffs::Object($vhffs, $oid, $result->{owner_uid}, $result->{date_creation}, $result->{description}, $result->{state});
+
+ return $object;
+}
+
+
1;
__END__
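Review bot: `return undef unless $rows == 1;` relies on `execute` returning the row count of a SELECT, which DBI documents as driver-dependent (drivers may return -1 or a true-but-meaningless value for SELECT), so get_by_id can return undef for an existing object, and a failed execute leaves `$rows` undef and only produces a warning. Test the fetch instead: `$sth->execute($oid) or return undef;` followed by `my $result = $sth->fetchrow_hashref or return undef;`. Prefer `Vhffs::Object->_new(...)` to the indirect-object call on the line that builds the object.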
Modified: branches/vhffs_4.1/vhffs-api/src/Vhffs/User.pm
===================================================================
--- branches/vhffs_4.1/vhffs-api/src/Vhffs/User.pm 2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-api/src/Vhffs/User.pm 2006-12-04 19:53:05 UTC (rev 365)
@@ -79,6 +79,27 @@
bless( $this , $class );
}
+sub _new {
+ my ($class, $main, $uid, $gid, $oid, $username, $passwd, $homedir, $shell, $admin, $firstname, $lastname, $address, $zipcode, $city, $country, $mail, $gpg_key, $date_creation, $description, $state) = @_;
+ my $self = $class->SUPER::_new($main, $oid, $uid, $date_creation, $description, $state);
+ return undef unless(defined $self);
+ $self->{uid} = $uid;
+ $self->{gid} = $gid;
+ $self->{username} = $username;
+ $self->{passwd} = $passwd;
+ $self->{homedir} = $homedir;
+ $self->{shell} = $shell;
+ $self->{admin} = $admin;
+ $self->{firstname} = $firstname;
+ $self->{lastname} = $lastname;
+ $self->{address} = $address;
+ $self->{zipcode} = $zipcode;
+ $self->{city} = $city;
+ $self->{country} = $country;
+ $self->{mail} = $mail;
+ $self->{gpg_key} = $gpg_key;
+ return $self;
+}
sub exists
{
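Review bot: `return undef unless(defined $self);` yields a one-element list `(undef)` in list context, so a caller writing `my @u = Vhffs::User->_new(...)` sees a non-empty result; a bare `return unless defined $self;` gives undef in scalar context and an empty list in list context. The same form appears in every `_new` and `get_by_*` sub added by this commit (Group.pm, Object.pm, User.pm). The fifteen field assignments could also be a single hash slice over the field names, which keeps each name next to its value and makes a missed field obvious.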
@@ -173,7 +194,6 @@
return 1;
}
-
#add a user to a group
sub add_group
{
@@ -280,6 +300,7 @@
}
#create a new user with username and password
+# !!! DEPRECATED !!!
sub old_create
{
my $self;
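Review bot: `# !!! DEPRECATED !!!` says old_create should not be used but not what to call instead; the commit message points callers of new + fetch to the get_by_* subs, but for creation it is not visible from this diff which sub replaces old_create. Name it in the comment, e.g. `# !!! DEPRECATED !!! -- use <replacement sub> instead; kept for callers not yet migrated`, with the real sub name filled in.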
@@ -688,7 +709,7 @@
{
my $self = shift;
my $value = shift;
- $self->{'shell'} = quotemeta $value;
+ $self->{'shell'} = $value;
}
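Review bot: With quotemeta gone, set_shell stores whatever the caller passes verbatim; quotemeta was never input validation, so nothing is lost here, but the shell is the one field in these setters that is a system path rather than free text, and the default config in this same commit (`shell = /usr/bin/tuxshell` in vhffs.conf's `<users>` section) suggests it is meant to come from a fixed set. An allow-list check at this point, accepting only the configured shell(s) and otherwise leaving the field untouched (or carping), would be the real replacement for the removed call. The later setters for firstname, lastname, city, country and address are free text and need nothing beyond the placeholder binding.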
@@ -696,21 +717,21 @@
{
my $self = shift;
my $value = shift;
- $self->{'firstname'} = quotemeta $value;
+ $self->{'firstname'} = $value;
}
sub set_lastname
{
my $self = shift;
my $value = shift;
- $self->{'lastname'} = quotemeta $value;
+ $self->{'lastname'} = $value;
}
sub set_city
{
my $self = shift;
my $value = shift;
- $self->{'city'} = quotemeta $value;
+ $self->{'city'} = $value;
}
@@ -726,14 +747,14 @@
{
my $self = shift;
my $value = shift;
- $self->{'country'} = quotemeta $value;
+ $self->{'country'} = $value;
}
sub set_address
{
my $self = shift;
my $value = shift;
- $self->{'address'} = quotemeta $value;
+ $self->{'address'} = $value;
}
sub set_mail
@@ -924,6 +945,29 @@
return $row->[0];
}
+sub get_by_uid {
+ my ($main, $uid) = @_;
+ my $query = 'SELECT u.uid, u.gid, u.object_id, u.username, u.passwd, u.homedir, u.shell, u.admin, ui.firstname, ui.lastname, ui.address, ui.zipcode, ui.city, ui.country, ui.mail, ui.gpg_key, o.date_creation, o.description, o.state FROM vhffs_users u INNER JOIN vhffs_user_info ui ON u.uid = ui.uid INNER JOIN vhffs_object o ON o.object_id = u.object_id WHERE u.uid = ?';
+ my $dbh = $main->get_db_object;
+ my @params = $dbh->selectrow_array($query, undef, $uid);
+ return undef unless(@params);
+ my $user = _new Vhffs::User($main, @params);
+ $user->{group} = Vhffs::Group::get_by_gid($main, $user->get_gid);
+ return $user;
+}
+
+sub get_by_username {
+ my ($main, $username) = @_;
+ my $query = 'SELECT u.uid, u.gid, u.object_id, u.username, u.passwd, u.homedir, u.shell, u.admin, ui.firstname, ui.lastname, ui.address, ui.zipcode, ui.city, ui.country, ui.mail, ui.gpg_key, o.date_creation, o.description, o.state FROM vhffs_users u INNER JOIN vhffs_user_info ui ON u.uid = ui.uid INNER JOIN vhffs_object o ON o.object_id = u.object_id WHERE u.username = ?';
+ my $dbh = $main->get_db_object;
+ my @params = $dbh->selectrow_array($query, undef, $username);
+ return undef unless(@params);
+ my $user = _new Vhffs::User($main, @params);
+ $user->{group} = Vhffs::Group::get_by_gid($main, $user->get_gid);
+ return $user;
+
+}
+
1;
__END__
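Review bot: get_by_uid and get_by_username duplicate the fetch-and-build part line for line, so the empty-row guard and the group lookup must be kept in sync in two places; factor that part into one private helper that takes the selected row, and keep one constant query per sub so no identifier is ever interpolated into SQL. A bare `return` on the empty row also avoids returning `(undef)` in list context, and `Vhffs::User->_new(...)` is unambiguous where `_new Vhffs::User(...)` relies on indirect-object parsing. There is also a stray blank line before the closing brace of get_by_username.
```perl
# Builds a Vhffs::User, with its primary group attached, from the row
# selected by get_by_uid / get_by_username; an empty row yields nothing.
sub _user_from_row {
    my ($main, @params) = @_;
    return unless @params;
    my $user = Vhffs::User->_new($main, @params);
    $user->{group} = Vhffs::Group::get_by_gid($main, $user->get_gid);
    return $user;
}

sub get_by_uid {
    my ($main, $uid) = @_;
    # … unchanged: my $query = 'SELECT u.uid, … WHERE u.uid = ?'; …
    my $dbh = $main->get_db_object;
    return _user_from_row($main, $dbh->selectrow_array($query, undef, $uid));
}

sub get_by_username {
    my ($main, $username) = @_;
    # … unchanged: my $query = 'SELECT u.uid, … WHERE u.username = ?'; …
    my $dbh = $main->get_db_object;
    return _user_from_row($main, $dbh->selectrow_array($query, undef, $username));
}
```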
Modified: branches/vhffs_4.1/vhffs-backend/conf/vhffs.conf
===================================================================
--- branches/vhffs_4.1/vhffs-backend/conf/vhffs.conf 2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-backend/conf/vhffs.conf 2006-12-04 19:53:05 UTC (rev 365)
@@ -132,7 +132,6 @@
#the default configuration for users
<users>
minuid = 10000
- homedir = /home/
shell = /usr/bin/tuxshell
mingid = 10000
default_quota = 50
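Review bot: Dropping `homedir = /home/` from the `<users>` defaults is only safe if no code still reads that key; nothing in this diff shows where the home directory is derived from now, so it is worth confirming that every reader of the users section was updated (possibly in an earlier revision). Any reader left behind would now see an undefined value rather than a path prefix.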
@@ -192,8 +191,8 @@
20 = mx2.hoster.org
</mx>
<ns>
- ns1.tf.o
- zefz
+ ns1.hoster.org
+ ns2.hoster.org
</ns>
</init>
</dns>
Modified: branches/vhffs_4.1/vhffs-tests/src/Group.pl
===================================================================
--- branches/vhffs_4.1/vhffs-tests/src/Group.pl 2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-tests/src/Group.pl 2006-12-04 19:53:05 UTC (rev 365)
@@ -36,6 +36,9 @@
$group2->fetch;
is_deeply($group2, $group1, 'Fetched group matches created group');
+my $group2a = Vhffs::Group::get_by_gid($main, $group2->get_gid);
+is_deeply($group2a, $group2, 'New fashion of fetching group is OK');
+
ok($group1->is_user_in_group($user1), 'Moderator is in group');
ok($group2->add_user( $user2 ), 'Other user can be added');
ok($group1->is_user_in_group($user2), 'Second user addition visible in group1');
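Review bot: The new assertion covers only the hit case of get_by_gid; get_by_groupname is not exercised at all, and neither sub is tested for an unknown key, which is exactly where the Group.pm implementation differs from User.pm's (no empty-row guard). Add a get_by_groupname lookup using the name the group was created with, compared with `$group2` via is_deeply, and a miss case such as `ok(!defined Vhffs::Group::get_by_gid($main, <unused gid>), 'Unknown gid yields undef');`; the latter would fail today and pins the missing guard.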
Modified: branches/vhffs_4.1/vhffs-tests/src/Object.pl
===================================================================
--- branches/vhffs_4.1/vhffs-tests/src/Object.pl 2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-tests/src/Object.pl 2006-12-04 19:53:05 UTC (rev 365)
@@ -29,6 +29,8 @@
cmp_ok($obj2->fetch, '>', 0, 'Object fetched');
is_deeply($obj1, $obj2, 'Fetched object matches created object');
+my $obj2b = Vhffs::Object::get_by_id($main, $oid1);
+is_deeply($obj2b, $obj2);
my $history = $obj1->get_history;
is(scalar(keys %{$history}), 1, 'One history entry');
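Review bot: `is_deeply($obj2b, $obj2);` has no description, unlike every other assertion in this hunk; give it one, `is_deeply($obj2b, $obj2, 'get_by_id matches fetched object');`. A miss case, `ok(!defined Vhffs::Object::get_by_id($main, <unused object id>), 'Unknown object id yields undef');`, would also cover the `$rows == 1` branch, whose behaviour depends on what the DBD driver returns from execute for a SELECT.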
Modified: branches/vhffs_4.1/vhffs-tests/src/User.pl
===================================================================
--- branches/vhffs_4.1/vhffs-tests/src/User.pl 2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-tests/src/User.pl 2006-12-04 19:53:05 UTC (rev 365)
@@ -37,7 +37,8 @@
cmp_ok($user3->get_uid, '==', $uid1, 'Fetched UID matches');
is_deeply($user3, $user1, 'Fetched user is a copy of original');
-cmp_ok($user3->get_username, 'eq', 'test1', 'Fetched username matches');
+my $user3a = Vhffs::User::get_by_uid($main, $uid1);
+is_deeply($user3a, $user3, 'New fashion of fetching users');
$user3->set_admin(1);
cmp_ok($user3->commit, '>', 0, 'Third user\'s modifications committed');
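Review bot: The commit replaces `cmp_ok($user3->get_username, 'eq', 'test1', 'Fetched username matches');` instead of adding the new lines next to it, so the direct username check on the fetched user is lost; is_deeply against `$user3` only proves the two fetch paths agree, not that either read the right row. Keep the cmp_ok and put the two new lines after it. A get_by_username lookup of 'test1' compared with `$user3a` would cover the second new sub, which this hunk leaves untested.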