[vhffs-dev] [365] No more quotemeta in various classes ( SQL injection prevention is performed by prepared statements)



Revision: 365
Author:   beuss
Date:     2006-12-04 19:53:05 +0000 (Mon, 04 Dec 2006)

Log Message:
-----------
No more quotemeta in various classes (SQL injection prevention is performed by prepared statements)
Added Vhffs::(User|Group|Object)::get_by_xxx to replace the new + fetch scheme; if someone uses the vhffs API (do such crazy people exist?), use these new functions.

Modified Paths:
--------------
    branches/vhffs_4.1/vhffs-api/src/Vhffs/Group.pm
    branches/vhffs_4.1/vhffs-api/src/Vhffs/Object.pm
    branches/vhffs_4.1/vhffs-api/src/Vhffs/User.pm
    branches/vhffs_4.1/vhffs-backend/conf/vhffs.conf
    branches/vhffs_4.1/vhffs-tests/src/Group.pl
    branches/vhffs_4.1/vhffs-tests/src/Object.pl
    branches/vhffs_4.1/vhffs-tests/src/User.pl


Modified: branches/vhffs_4.1/vhffs-api/src/Vhffs/Group.pm
===================================================================
--- branches/vhffs_4.1/vhffs-api/src/Vhffs/Group.pm	2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-api/src/Vhffs/Group.pm	2006-12-04 19:53:05 UTC (rev 365)
@@ -251,9 +251,7 @@
     $sth = $dbh->prepare( $query ) or return undef;
     $sth->execute($gid, $owner_uid, $owner_uid);
     
-    my $group = new Vhffs::Group($main, $groupname, $gid);
-    $group->fetch;
-    return $group;
+    return get_by_gid($main, $gid);
 }
 
 #create a new group with the name given in parameter
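Review bot: `$sth->execute($gid, $owner_uid, $owner_uid)` at the top of the hunk is still unchecked, so when the statement prepared just above fails the new `return get_by_gid($main, $gid);` runs against a row that was never written, and get_by_gid (added later in this commit) does not detect an empty result either. Guarding the execute, `$sth->execute($gid, $owner_uid, $owner_uid) or return undef;`, keeps a failed write from being reported as a freshly created group. The enclosing sub starts before the hunk.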
@@ -808,6 +806,37 @@
 
 }
 
+sub get_by_gid {
+    my ($vhffs, $gid) = @_;
+    my $query = 'SELECT g.gid, o.object_id, o.owner_uid, gi.uid_mod, g.groupname, g.passwd, g.quota, g.quota_used, o.date_creation, o.description, o.state FROM vhffs_groups g INNER JOIN vhffs_groups_info gi ON g.gid = gi.gid INNER JOIN vhffs_object o ON o.object_id = g.object_id WHERE g.gid = ?';
+    
+    my $dbh = $vhffs->get_db_object;
+    my @params = $dbh->selectrow_array($query, undef, $gid);
+    my $group = _new Vhffs::Group($vhffs, @params);
+    return $group;
+}
 
+sub get_by_groupname {
+    my ($vhffs, $groupname) = @_;
+    my $query = 'SELECT g.gid, o.object_id, o.owner_uid, gi.uid_mod, g.groupname, g.passwd, g.quota, g.quota_used, o.date_creation, o.description, o.state FROM vhffs_groups g INNER JOIN vhffs_groups_info gi ON g.gid = gi.gid INNER JOIN vhffs_object o ON o.object_id = g.object_id WHERE g.groupname = ?';
+
+    my $dbh = $vhffs->get_db_object;
+    my @params = $dbh->selectrow_array($query, undef, $groupname);
+    my $group = _new Vhffs::Group($vhffs, @params);
+    return $group;
+}
+
+
+sub _new {
+    no strict 'refs';
+    my ($class, $main, $gid, $oid, $owner_uid, $uid_mod, $groupname, $passwd, $quota, $quota_used, $date_creation, $description, $state) = @_;
+    my $self = $class->SUPER::_new($main, $oid, $owner_uid, $date_creation, $description, $state);
+    return undef unless(defined $self);
+    foreach (qw (gid uid_mod groupname passwd quota quota_used) ) {
+        eval '$self->{$_} = $'.$_;
+    }
+    return $self;
+}
+
 1;
 
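Review bot: get_by_gid and get_by_groupname hand an empty @params to _new when selectrow_array finds no row, and Vhffs::Object::_new only checks that $main is defined, so a missing group comes back as a blessed object whose every field is undef instead of undef; User.pm's get_by_uid guards this with `return undef unless(@params);` and the same line belongs after each selectrow_array call here. The string eval in _new rebuilds six lexical names at runtime and needs `no strict 'refs'` to do it; a hash slice does the same job without eval, `@{$self}{qw(gid uid_mod groupname passwd quota quota_used)} = ($gid, $uid_mod, $groupname, $passwd, $quota, $quota_used);`, and errors in the eval'd assignments are currently silently ignored. `_new Vhffs::Group(...)` is indirect-object syntax; `Vhffs::Group->_new(...)` is the unambiguous form.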

Modified: branches/vhffs_4.1/vhffs-api/src/Vhffs/Object.pm
===================================================================
--- branches/vhffs_4.1/vhffs-api/src/Vhffs/Object.pm	2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-api/src/Vhffs/Object.pm	2006-12-04 19:53:05 UTC (rev 365)
@@ -98,6 +98,26 @@
     return $self;
 }
 
+sub _new {
+    my ($class, $main, $oid, $owner_uid, $date_creation, $description, $state) = @_;
+    
+    $self = {};
+
+    bless($self, $class);
+
+    return undef unless(defined $main);
+
+    $self->{main} = $main;
+    $self->{db} = $main->get_db_object;
+    $self->{object_id} = $oid;
+    $self->{owner_uid} = $owner_uid;
+    $self->{date_creation} = $date_creation;
+    $self->{description} = $description;
+    $self->{state} = $state;
+    
+    return $self;
+}
+
 sub get_main
 {
     my $self = shift;
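Review bot: `$self = {};` in the new _new is assigned without `my`, so (assuming this file does not enable strict, as the undeclared `$query`/`$request` elsewhere suggest) it is the package global `$Vhffs::Object::self` rather than a lexical, and every call shares it; the arguments on the line above are unpacked with `my`, so the fix is the one-word change `my $self = {};`. Blessing before the `defined $main` check is harmless but the guard reads more naturally first. The setter `$self->{db} = $main->get_db_object;` is the only line with a side effect beyond the hash, worth a brief comment.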
@@ -259,8 +279,6 @@
     my $self = shift;
     my $request;
 
-	$self->{description} = quotemeta $self->{description};
-
     $request = 'UPDATE vhffs_object SET state=?, description=?, owner_uid=? WHERE object_id=?';
     my $result = $self->{'db'}->prepare($request);
     $result->execute( $self->{'state'} , $self->{'description'} , $self->{'owner_uid'} , $self->{'object_id'} );;
@@ -366,7 +384,7 @@
 {
 	my ($self , $value) = @_;
 	$value =~ s/\?/ \?/g;
-	$self->{'description'} = quotemeta( $value );
+	$self->{'description'} = $value ;
 }
 
 
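Review bot: `$value =~ s/\?/ \?/g;` on the line above the changed one still rewrites the description by inserting a space before every `?`, which was presumably a workaround for the quotemeta era; now that the value is bound through a placeholder in the UPDATE (see the earlier hunk at @@ -259), a literal `?` in the data is harmless and the substitution only corrupts what the user typed. The setter should reduce to `$self->{'description'} = $value;` alone. The `sub` line of this setter lies before the hunk.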
@@ -380,7 +398,7 @@
 {
 	my $self = shift;
 	my $message = shift;
-	$message = quotemeta( $message );
+	$message = $message;
 
 	$query = 'INSERT INTO vhffs_history(object_id, date, message)  VALUES(?, NOW(), ?)';
 	$request = $self->{'db'}->prepare( $query );
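Review bot: `$message = $message;` is a no-op left behind by deleting quotemeta; drop the line rather than keep a self-assignment that reads like an unfinished edit. The context lines `$query = ...` and `$request = ...` are assigned without `my` and so are package globals (assuming strict is off in this file); `my $query = ...` / `my $request = ...` would match the lexicals used in the new _new. The sub's opening line is before the hunk and its body continues after it.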
@@ -483,8 +501,23 @@
     return undef;
 }
 
+sub get_by_id
+{
+    my ($vhffs, $oid) = @_;
+    my $query = 'SELECT owner_uid, date_creation, state, description FROM vhffs_object WHERE object_id =?';
+    my $sth = $vhffs->get_db_object->prepare( $query );
+    my $rows = $sth->execute( $oid );
 
+    return undef unless $rows == 1;
 
+    my $result = $sth->fetchrow_hashref();
+
+    my $object = _new Vhffs::Object($vhffs, $oid, $result->{owner_uid}, $result->{date_creation}, $result->{description}, $result->{state});
+
+    return $object;
+}
+
+
 1;
 			    
 __END__
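Review bot: `return undef unless $rows == 1;` in get_by_id relies on execute returning a row count for a SELECT, which DBI does not guarantee (drivers may return a true placeholder such as "0E0" or -1), and when execute fails `$rows` is undef and the comparison only warns. The robust check is on the fetch: `return undef unless $sth->execute( $oid );` followed by `my $result = $sth->fetchrow_hashref(); return undef unless defined $result;`. `_new Vhffs::Object(...)` is indirect-object syntax; `Vhffs::Object->_new(...)` avoids the parse ambiguity.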

Modified: branches/vhffs_4.1/vhffs-api/src/Vhffs/User.pm
===================================================================
--- branches/vhffs_4.1/vhffs-api/src/Vhffs/User.pm	2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-api/src/Vhffs/User.pm	2006-12-04 19:53:05 UTC (rev 365)
@@ -79,6 +79,27 @@
     bless( $this , $class );
 }
 
+sub _new {
+    my ($class, $main, $uid, $gid, $oid, $username, $passwd, $homedir, $shell, $admin, $firstname, $lastname, $address, $zipcode, $city, $country, $mail, $gpg_key, $date_creation, $description, $state) = @_;
+    my $self = $class->SUPER::_new($main, $oid, $uid, $date_creation, $description, $state);
+    return undef unless(defined $self);
+    $self->{uid} = $uid;
+    $self->{gid} = $gid;
+    $self->{username} = $username;
+    $self->{passwd} = $passwd;
+    $self->{homedir} = $homedir;
+    $self->{shell} = $shell;
+    $self->{admin} = $admin;
+    $self->{firstname} = $firstname;
+    $self->{lastname} = $lastname;
+    $self->{address} = $address;
+    $self->{zipcode} = $zipcode;
+    $self->{city} = $city;
+    $self->{country} = $country;
+    $self->{mail} = $mail;
+    $self->{gpg_key} = $gpg_key;
+    return $self;
+}
 
 sub exists
 {
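Review bot: _new takes 20 positional arguments whose order is only right because get_by_uid/get_by_username select their columns in exactly that order, and nothing ties the two together, so a reordered SELECT would silently store values under the wrong keys. A comment on the signature should record the contract, e.g. `# Positional: must match the column order of the SELECT in get_by_uid/get_by_username.`, and the SUPER::_new call deserves a note that `$uid` is passed in the owner_uid position (the user appears to own its own object), since that reads like a slip otherwise. `return undef` yields a one-element list in list context; `return;` is the conventional form.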
@@ -173,7 +194,6 @@
     return 1;    
 }
 
-
 #add a user to a group
 sub add_group
 {
@@ -280,6 +300,7 @@
 }
 
 #create a new user with username and password
+# !!! DEPRECATED !!!
 sub old_create
 {
     my $self;
@@ -688,7 +709,7 @@
 {
     my $self = shift;
     my $value = shift;
-    $self->{'shell'} = quotemeta $value;
+    $self->{'shell'} = $value;
 }
 
 
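Review bot: With quotemeta gone, set_shell stores the caller's value completely unchecked, as do set_firstname/set_lastname/set_city (hunk at @@ -696) and set_country/set_address (hunk at @@ -726). That is right for values that only ever reach a placeholder-bound statement, but a shell path in particular may well be consumed outside SQL, and if it is, an allow-list check in set_shell is where it belongs; at minimum the commit should record the assumption next to each setter, e.g. `# Stored verbatim: quoting is the job of the placeholder in the UPDATE, not of the setter.`. The `sub set_shell` line lies before the hunk.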
@@ -696,21 +717,21 @@
 {
     my $self = shift;
     my $value = shift;
-    $self->{'firstname'} = quotemeta $value;
+    $self->{'firstname'} = $value;
 }
 
 sub set_lastname
 {
     my $self = shift;
     my $value = shift;
-    $self->{'lastname'} = quotemeta $value;
+    $self->{'lastname'} = $value;
 }
 
 sub set_city
 {
     my $self = shift;
     my $value = shift;
-    $self->{'city'} = quotemeta $value;
+    $self->{'city'} = $value;
 }
 
 
@@ -726,14 +747,14 @@
 {
     my $self = shift;
     my $value = shift;
-    $self->{'country'} = quotemeta $value;
+    $self->{'country'} = $value;
 }
 
 sub set_address
 {
     my $self = shift;
     my $value = shift;
-    $self->{'address'} = quotemeta $value;
+    $self->{'address'} = $value;
 }
 
 sub set_mail
@@ -924,6 +945,29 @@
 	return $row->[0];
 }
 
+sub get_by_uid {
+    my ($main, $uid) = @_;
+    my $query = 'SELECT u.uid, u.gid, u.object_id, u.username, u.passwd, u.homedir, u.shell, u.admin, ui.firstname, ui.lastname, ui.address, ui.zipcode, ui.city, ui.country, ui.mail, ui.gpg_key, o.date_creation, o.description, o.state FROM vhffs_users u INNER JOIN vhffs_user_info ui ON u.uid = ui.uid INNER JOIN vhffs_object o ON o.object_id = u.object_id WHERE u.uid = ?';
+    my $dbh = $main->get_db_object;
+    my @params = $dbh->selectrow_array($query, undef, $uid);
+    return undef unless(@params);
+    my $user = _new Vhffs::User($main, @params);
+    $user->{group} = Vhffs::Group::get_by_gid($main, $user->get_gid);
+    return $user;
+}
+
+sub get_by_username {
+    my ($main, $username) = @_;
+    my $query = 'SELECT u.uid, u.gid, u.object_id, u.username, u.passwd, u.homedir, u.shell, u.admin, ui.firstname, ui.lastname, ui.address, ui.zipcode, ui.city, ui.country, ui.mail, ui.gpg_key, o.date_creation, o.description, o.state FROM vhffs_users u INNER JOIN vhffs_user_info ui ON u.uid = ui.uid INNER JOIN vhffs_object o ON o.object_id = u.object_id WHERE u.username = ?';
+    my $dbh = $main->get_db_object;
+    my @params = $dbh->selectrow_array($query, undef, $username);
+    return undef unless(@params);
+    my $user = _new Vhffs::User($main, @params);
+    $user->{group} = Vhffs::Group::get_by_gid($main, $user->get_gid);
+    return $user;
+
+}
+
 1;
 
 __END__
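Review bot: get_by_uid and get_by_username repeat the same 19-column SELECT, the empty-result guard, the _new call and the group lookup, differing only in the WHERE clause, so any change to the column list must be made twice and kept in step with _new's positional arguments. A private helper that receives the WHERE fragment as a literal chosen inside this file (never caller data, so the concatenation stays injection-free while the looked-up value is still bound through the placeholder) removes the duplication and turns both public subs into one-line wrappers. `_new Vhffs::User(...)` is indirect-object syntax and reads more safely as `Vhffs::User->_new(...)`.
```perl
# Shared body of get_by_uid / get_by_username. $where is a fixed SQL
# fragment written by this file's callers, never user input; the
# looked-up value is always bound through the placeholder.
sub _get_by {
    my ($main, $where, $value) = @_;
    my $query = 'SELECT u.uid, u.gid, u.object_id, u.username, u.passwd, u.homedir, u.shell, u.admin, ui.firstname, ui.lastname, ui.address, ui.zipcode, ui.city, ui.country, ui.mail, ui.gpg_key, o.date_creation, o.description, o.state FROM vhffs_users u INNER JOIN vhffs_user_info ui ON u.uid = ui.uid INNER JOIN vhffs_object o ON o.object_id = u.object_id WHERE ' . $where;
    my $dbh = $main->get_db_object;
    my @params = $dbh->selectrow_array($query, undef, $value);
    return undef unless(@params);
    my $user = Vhffs::User->_new($main, @params);
    $user->{group} = Vhffs::Group::get_by_gid($main, $user->get_gid);
    return $user;
}

sub get_by_uid {
    my ($main, $uid) = @_;
    return _get_by($main, 'u.uid = ?', $uid);
}

sub get_by_username {
    my ($main, $username) = @_;
    return _get_by($main, 'u.username = ?', $username);
}
```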

Modified: branches/vhffs_4.1/vhffs-backend/conf/vhffs.conf
===================================================================
--- branches/vhffs_4.1/vhffs-backend/conf/vhffs.conf	2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-backend/conf/vhffs.conf	2006-12-04 19:53:05 UTC (rev 365)
@@ -132,7 +132,6 @@
 #the default configuration for users
 <users>
 	minuid	=	10000
-	homedir	=	/home/
 	shell	= 	/usr/bin/tuxshell
 	mingid	=	10000
 	default_quota	=	50
@@ -192,8 +191,8 @@
 				20	=	mx2.hoster.org
 			</mx>
 			<ns>
-				ns1.tf.o 
-				zefz 
+				ns1.hoster.org
+				ns2.hoster.org
 			</ns>
 		</init>
 	</dns>

Modified: branches/vhffs_4.1/vhffs-tests/src/Group.pl
===================================================================
--- branches/vhffs_4.1/vhffs-tests/src/Group.pl	2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-tests/src/Group.pl	2006-12-04 19:53:05 UTC (rev 365)
@@ -36,6 +36,9 @@
 $group2->fetch;
 is_deeply($group2, $group1, 'Fetched group matches created group');
 
+my $group2a = Vhffs::Group::get_by_gid($main, $group2->get_gid);
+is_deeply($group2a, $group2, 'New fashion of fetching group is OK');
+
 ok($group1->is_user_in_group($user1), 'Moderator is in group');
 ok($group2->add_user( $user2 ), 'Other user can be added');
 ok($group1->is_user_in_group($user2), 'Second user addition visible in group1');

Modified: branches/vhffs_4.1/vhffs-tests/src/Object.pl
===================================================================
--- branches/vhffs_4.1/vhffs-tests/src/Object.pl	2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-tests/src/Object.pl	2006-12-04 19:53:05 UTC (rev 365)
@@ -29,6 +29,8 @@
 cmp_ok($obj2->fetch, '>', 0, 'Object fetched');
 
 is_deeply($obj1, $obj2, 'Fetched object matches created object');
+my $obj2b = Vhffs::Object::get_by_id($main, $oid1);
+is_deeply($obj2b, $obj2);
 
 my $history = $obj1->get_history;
 is(scalar(keys %{$history}), 1, 'One history entry');
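Review bot: `is_deeply($obj2b, $obj2);` is the only assertion in this file without a description, so a failure will be reported by number alone; the neighbouring tests all name what they check. Give it one: `is_deeply($obj2b, $obj2, 'get_by_id matches fetched object');`.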

Modified: branches/vhffs_4.1/vhffs-tests/src/User.pl
===================================================================
--- branches/vhffs_4.1/vhffs-tests/src/User.pl	2006-12-03 22:13:27 UTC (rev 364)
+++ branches/vhffs_4.1/vhffs-tests/src/User.pl	2006-12-04 19:53:05 UTC (rev 365)
@@ -37,7 +37,8 @@
 cmp_ok($user3->get_uid, '==', $uid1, 'Fetched UID matches');
 
 is_deeply($user3, $user1, 'Fetched user is a copy of original');
-cmp_ok($user3->get_username, 'eq', 'test1', 'Fetched username matches');
+my $user3a = Vhffs::User::get_by_uid($main, $uid1);
+is_deeply($user3a, $user3, 'New fashion of fetching users');
 $user3->set_admin(1);
 cmp_ok($user3->commit, '>', 0, 'Third user\'s modifications committed');
 
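Review bot: The commit replaces `cmp_ok($user3->get_username, 'eq', 'test1', 'Fetched username matches');` rather than adding next to it, so the direct username check is lost, and get_by_username, which this commit also introduces, gets no coverage at all while get_by_uid does. Keep the removed line and add `my $user3b = Vhffs::User::get_by_username($main, 'test1');` followed by `is_deeply($user3b, $user3, 'get_by_username matches fetched user');`.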

