[vhffs-dev] [1225] Prevent SQL injections



Revision: 1225
Author:   gradator
Date:     2008-06-18 15:08:24 +0200 (Wed, 18 Jun 2008)

Log Message:
-----------
Prevent SQL injections

Modified Paths:
--------------
    trunk/vhffs-doc/config/exim4-mx1/exim4.conf
    trunk/vhffs-doc/config/exim4-mx2/exim4.conf


Modified: trunk/vhffs-doc/config/exim4-mx1/exim4.conf
===================================================================
--- trunk/vhffs-doc/config/exim4-mx1/exim4.conf	2008-06-13 15:53:34 UTC (rev 1224)
+++ trunk/vhffs-doc/config/exim4-mx1/exim4.conf	2008-06-18 13:08:24 UTC (rev 1225)
@@ -1,17 +1,17 @@
 hide pgsql_servers = PGHOST/PGDB/PGUSER/PGPASS
 MAIL_HOME=/data/mail/boxes
-PGSQL_LOCAL_DOMAINS = ${lookup pgsql{SELECT domain FROM vhffs_mxdomain WHERE domain = '$domain'}}
-PGSQL_VIRTUAL_LOCAL_DOMAINS = ${lookup pgsql{select vhffs_boxes.domain from vhffs_boxes, vhffs_mxdomain where local_part = '$local_part' and vhffs_boxes.domain = vhffs_mxdomain.domain and vhffs_mxdomain.domain = '$domain' and vhffs_boxes.state = 6}}
-PGSQL_VIRTUAL_LOCAL_DIR = MAIL_HOME/${lookup pgsql{select boxes_path from vhffs_mxdomain where domain = '$domain'}{$value}fail}/${lookup pgsql{select mbox_name from vhffs_boxes where domain = '$domain' and local_part = '$local_part'}{$value}fail}/Maildir
-PGSQL_VIRTUAL_FORWARD_DATA = ${lookup pgsql{select remote_name from vhffs_forward, vhffs_mxdomain where local_part = '$local_part' and vhffs_forward.domain = vhffs_mxdomain.domain and vhffs_mxdomain.domain = '$domain'}}
-PGSQL_ML_EXIST = ${lookup pgsql{select domain from vhffs_ml where local_part='$local_part' and domain='$domain'}}
-PGSQL_VIRTUAL_CATCHALL = ${lookup pgsql{select catchall from vhffs_mxdomain where domain = '$domain' and catchall != ''}}
-#PGSQL_GET_TX_USER = ${lookup pgsql{select vhffs_user_info.mail from vhffs_user_info, vhffs_users where vhffs_users.uid=vhffs_user_info.uid and vhffs_users.username='$local_part' and 'vhffs.org'='$domain'}}
-#PGSQL_VIRTUAL_LOCAL_QUOTA = ${lookup pgsql{select quota from popbox where local_part = "$local_part" and domaine = "$domain"}}
-#PGSQL_VIRTUAL_LOCAL_QFILE = ${lookup pgsql{select quota_f from popbox where local_part = "$local_part" and domain = "$domain"}}
-#PGSQL_VIRTUAL_LOCAL_Q_WARN = ${lookup pgsql{select quota_warn from popbox where local_part = "$local_part" and domain = "$domain"}}
-#PGSQL_VIRTUAL_LOCAL_UP_QUOTA = ${lookup pgsql{update popbox set quota_f_used = "$quota_total_fcount", quota_used = "$quota_total_used" where local_part = "$local_part" and domain_name = "$domain"}}
-#PGSQL_VIRTUAL_SPAMCHECK = ${lookup pgsql{select domain_name from mxdomain where mxdomain.domain_name = "$domain" and scan = "1"}}
+PGSQL_LOCAL_DOMAINS = ${lookup pgsql{SELECT domain FROM vhffs_mxdomain WHERE domain = '${quote_pgsql:$domain}'}}
+PGSQL_VIRTUAL_LOCAL_DOMAINS = ${lookup pgsql{select vhffs_boxes.domain from vhffs_boxes, vhffs_mxdomain where local_part = '${quote_pgsql:$local_part}' and vhffs_boxes.domain = vhffs_mxdomain.domain and vhffs_mxdomain.domain = '${quote_pgsql:$domain}' and vhffs_boxes.state = 6}}
+PGSQL_VIRTUAL_LOCAL_DIR = MAIL_HOME/${lookup pgsql{select boxes_path from vhffs_mxdomain where domain = '${quote_pgsql:$domain}'}{$value}fail}/${lookup pgsql{select mbox_name from vhffs_boxes where domain = '${quote_pgsql:$domain}' and local_part = '${quote_pgsql:$local_part}'}{$value}fail}/Maildir
+PGSQL_VIRTUAL_FORWARD_DATA = ${lookup pgsql{select remote_name from vhffs_forward, vhffs_mxdomain where local_part = '${quote_pgsql:$local_part}' and vhffs_forward.domain = vhffs_mxdomain.domain and vhffs_mxdomain.domain = '${quote_pgsql:$domain}'}}
+PGSQL_ML_EXIST = ${lookup pgsql{select domain from vhffs_ml where local_part='${quote_pgsql:$local_part}' and domain='${quote_pgsql:$domain}'}}
+PGSQL_VIRTUAL_CATCHALL = ${lookup pgsql{select catchall from vhffs_mxdomain where domain = '${quote_pgsql:$domain}' and catchall != ''}}
+#PGSQL_GET_TX_USER = ${lookup pgsql{select vhffs_user_info.mail from vhffs_user_info, vhffs_users where vhffs_users.uid=vhffs_user_info.uid and vhffs_users.username='${quote_pgsql:$local_part}' and 'vhffs.org'='${quote_pgsql:$domain}'}}
+#PGSQL_VIRTUAL_LOCAL_QUOTA = ${lookup pgsql{select quota from popbox where local_part = '${quote_pgsql:$local_part}' and domaine = '${quote_pgsql:$domain}'}}
+#PGSQL_VIRTUAL_LOCAL_QFILE = ${lookup pgsql{select quota_f from popbox where local_part = '${quote_pgsql:$local_part}' and domain = '${quote_pgsql:$domain}'}}
+#PGSQL_VIRTUAL_LOCAL_Q_WARN = ${lookup pgsql{select quota_warn from popbox where local_part = '${quote_pgsql:$local_part}' and domain = '${quote_pgsql:$domain}'}}
+#PGSQL_VIRTUAL_LOCAL_UP_QUOTA = ${lookup pgsql{update popbox set quota_f_used = '${quote_pgsql:$quota_total_fcount}', quota_used = '${quote_pgsql:$quota_total_used}' where local_part = '${quote_pgsql:$local_part}' and domain_name = '${quote_pgsql:$domain}'}}
+#PGSQL_VIRTUAL_SPAMCHECK = ${lookup pgsql{select domain_name from mxdomain where mxdomain.domain_name = '${quote_pgsql:$domain}' and scan = 1}}
 
 LISTENGINE_HOME=/usr/lib/vhffs/listengine/
 LISTENGINE_QUEUE=LISTENGINE_HOME/listengine.pl
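Review bot: The `${quote_pgsql:...}` wrapping added to the PGSQL_* macros escapes quote characters with a backslash, which is only safe while the PostgreSQL server treats backslash as an escape inside plain `'...'` literals. On a server running with `standard_conforming_strings = on`, the `\'` the operator emits would close the literal instead of escaping it, so the sample config should either state that requirement in a comment or use escape-string literals, e.g. `WHERE domain = E'${quote_pgsql:$domain}'`. The same applies to the two PGSQL_RELAY_* macros in exim4-mx2/exim4.conf. This should be confirmed against the PostgreSQL versions VHFFS targets before the queries are changed.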

Modified: trunk/vhffs-doc/config/exim4-mx2/exim4.conf
===================================================================
--- trunk/vhffs-doc/config/exim4-mx2/exim4.conf	2008-06-13 15:53:34 UTC (rev 1224)
+++ trunk/vhffs-doc/config/exim4-mx2/exim4.conf	2008-06-18 13:08:24 UTC (rev 1225)
@@ -1,9 +1,9 @@
 hide pgsql_servers = PGHOST/PGDB/PGUSER/PGPASS
-PGSQL_RELAY_DOMAIN = ${lookup pgsql{SELECT domain FROM vhffs_mxdomain WHERE domain = '$domain'}}
+PGSQL_RELAY_DOMAIN = ${lookup pgsql{SELECT domain FROM vhffs_mxdomain WHERE domain = '${quote_pgsql:$domain}'}}
 # Use this query if your MX2 directly uses VHFFS database
-PGSQL_RELAY_CHECKLOCALPART = ${lookup pgsql{SELECT d.domain FROM vhffs_mxdomain d WHERE d.domain = '$domain' AND (d.catchall != '' OR EXISTS (SELECT domain FROM vhffs_boxes WHERE domain = '$domain' AND local_part = '$local_part' AND state = 6) OR EXISTS (SELECT domain FROM vhffs_forward WHERE domain = '$domain' AND local_part = '$local_part') OR EXISTS (SELECT domain FROM vhffs_ml WHERE domain = '$domain' AND (local_part = '$local_part' OR local_part || '-request' = '$local_part')))}}
+PGSQL_RELAY_CHECKLOCALPART = ${lookup pgsql{SELECT d.domain FROM vhffs_mxdomain d WHERE d.domain = '${quote_pgsql:$domain}' AND (d.catchall != '' OR EXISTS (SELECT domain FROM vhffs_boxes WHERE domain = '${quote_pgsql:$domain}' AND local_part = '${quote_pgsql:$local_part}' AND state = 6) OR EXISTS (SELECT domain FROM vhffs_forward WHERE domain = '${quote_pgsql:$domain}' AND local_part = '${quote_pgsql:$local_part}') OR EXISTS (SELECT domain FROM vhffs_ml WHERE domain = '${quote_pgsql:$domain}' AND (local_part = '${quote_pgsql:$local_part}' OR local_part || '-request' = '${quote_pgsql:$local_part}')))}}
 # Use this query if your MX has a mirrored VHFFS db (using mirror-mx2.pl)
-# PGSQL_RELAY_CHECKLOCALPART = ${lookup pgsql{SELECT d.domain FROM vhffs_mxdomain d WHERE d.domain = '$domain' AND (d.catchall != '' OR EXISTS (SELECT domain FROM vhffs_addresses WHERE domain = '$domain' AND local_part = '$local_part'))}}
+# PGSQL_RELAY_CHECKLOCALPART = ${lookup pgsql{SELECT d.domain FROM vhffs_mxdomain d WHERE d.domain = '${quote_pgsql:$domain}' AND (d.catchall != '' OR EXISTS (SELECT domain FROM vhffs_addresses WHERE domain = '${quote_pgsql:$domain}' AND local_part = '${quote_pgsql:$local_part}'))}}
 
 exim_path = /usr/sbin/exim4
 
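Review bot: Quoting is the only control visible around `PGSQL_RELAY_CHECKLOCALPART`, and the comment in this file says the MX2 may query the VHFFS database directly, so the rights of the account named in `pgsql_servers` bound what any remaining quoting mistake could reach. I would add a comment above the `hide pgsql_servers` line such as `# PGUSER should be a dedicated role with SELECT only on the vhffs_* tables queried below`. The grants themselves are not visible on this page, so this is a documentation request rather than a reported defect.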

