[X2Go-Commits] [x2goserver] 01/01: Improve sanitizer, use 'x2gosid' sanitizer for session IDs everywhere. Drop unused 'pnixusername' sanitizer in 4.0.1.x release of X2Go Server.

git-admin at x2go.org git-admin at x2go.org
Mon Dec 8 12:24:49 CET 2014


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch release/4.0.1.x
in repository x2goserver.

commit 17d0210ae48d25a127373dbe9c3fd9d6aa235f06
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date:   Mon Dec 8 12:23:21 2014 +0100

    Improve sanitizer, use 'x2gosid' sanitizer for session IDs everywhere. Drop unused 'pnixusername' sanitizer in 4.0.1.x release of X2Go Server.
---
 debian/changelog                    |    2 ++
 x2goserver/lib/x2godbwrapper.pm     |   24 +++++++++++-----------
 x2goserver/lib/x2gosqlitewrapper.pl |   38 +++++++++++++++++++----------------
 x2goserver/lib/x2goutils.pm         |    6 ------
 4 files changed, 35 insertions(+), 35 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 84cdd56..9b8fcba 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -52,6 +52,8 @@ x2goserver (4.0.1.19-0x2go1) UNRELEASED; urgency=medium
       server-side log output.
     - Handle AD domain users gracefully when X2Go is used with SQLite DB
       backend. (Fixes: #664).
+    - Improve sanitizer, use 'x2gosid' sanitizer for session IDs everywhere.
+      Drop unused 'pnixusername' sanitizer in 4.0.1.x release of X2Go Server.
   * debian/control:
     + Add D (x2goserver): libfile-which-perl.
     + Add C (x2goserver: x2godesktopsharing (<< 3.1.1.2).
diff --git a/x2goserver/lib/x2godbwrapper.pm b/x2goserver/lib/x2godbwrapper.pm
index 7c79a5d..03e4b9b 100644
--- a/x2goserver/lib/x2godbwrapper.pm
+++ b/x2goserver/lib/x2godbwrapper.pm
@@ -193,7 +193,7 @@ sub dbsys_getmounts
 	my $sid=shift or die "argument \"session_id\" missed";
 	if ($backend eq 'postgres')
 	{
-		$sid = x2goutils::sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+		$sid = x2goutils::sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 		my @strings;
 		my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
 		my $sth=$dbh->prepare("select client, path from mounts where session_id='$sid'");
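Review bot: The session ID is still interpolated straight into the statement text at `prepare("select client, path from mounts where session_id='$sid'")`, so the sanitizer is the only barrier between the argument and the SQL, whereas the SQLite counterpart in this same commit binds it with `?`. The same pattern is in the db_getmounts, db_deletemount, db_insertmount, db_insertsession, db_createsession, db_insertport, db_resume, db_changestatus, db_getstatus, db_getagent and db_getdisplay hunks, and several of those interpolate arguments that no sanitizer touches in the visible lines (`$path` and `$client` in db_insertmount, `$sshport` in db_insertport, `$status` in db_changestatus). Switching to placeholders keeps the sanitizer as input validation and removes the dependence on it for query integrity: `my $sth=$dbh->prepare("select client, path from mounts where session_id=?");` followed by `$sth->execute($sid);`. In db_getstatus the statement has no placeholder yet `$sth->execute($sid)` already passes a bind value, so that hunk would line up as-is. Each of these function bodies continues past its hunk, so the execute calls are mostly outside view.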
@@ -223,7 +223,7 @@ sub db_getmounts
 	my $sid=shift or die "argument \"session_id\" missed";
 	if($backend eq 'postgres')
 	{
-		$sid = x2goutils::sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+		$sid = x2goutils::sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 		my @strings;
 		my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
 		my $sth=$dbh->prepare("select client, path from mounts_view where session_id='$sid'");
@@ -253,7 +253,7 @@ sub db_deletemount
 	my $path=shift or die "argument \"path\" missed";
 	if ($backend eq 'postgres')
 	{
-		$sid = x2goutils::sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+		$sid = x2goutils::sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 		my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
 		my $sth=$dbh->prepare("delete from mounts_view where session_id='$sid' and path='$path'");
 		$sth->execute();
@@ -275,7 +275,7 @@ sub db_insertmount
 	my $res_ok=0;
 	if ($backend eq 'postgres')
 	{
-		$sid = x2goutils::sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+		$sid = x2goutils::sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 		my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
 		my $sth=$dbh->prepare("insert into mounts (session_id,path,client) values  ('$sid','$path','$client')");
 		$sth->execute();
@@ -304,7 +304,7 @@ sub db_insertsession
 	my $sid=shift or die "argument \"session_id\" missed";
 	if ($backend eq 'postgres')
 	{
-		$sid = x2goutils::sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+		$sid = x2goutils::sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 		$display = x2goutils::sanitizer('num', $display) or die "argument \"display\" malformed";
 		my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
 		my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id) values ('$display','$server','$uname','$sid')");
@@ -334,7 +334,7 @@ sub db_createsession
 	my $sid=shift or die "argument \"session_id\" missed";
 	if ($backend eq 'postgres')
 	{
-		$sid = x2goutils::sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+		$sid = x2goutils::sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 		$pid = x2goutils::sanitizer('num', $pid) or die "argument \"pid\" malformed";
 		$gr_port = x2goutils::sanitizer('num', $gr_port) or die "argument \"gr_port\" malformed";
 		$snd_port = x2goutils::sanitizer('num', $snd_port) or die "argument \"snd_port\" malformed";
@@ -365,7 +365,7 @@ sub db_insertport
 	my $sshport=shift or die "argument \"port\" missed";
 	if ($backend eq 'postgres')
 	{
-		$sid = x2goutils::sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+		$sid = x2goutils::sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 		my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
 		my $sth=$dbh->prepare("insert into used_ports (server,session_id,port) values  ('$server','$sid','$sshport')");
 		$sth->execute()or die;
@@ -408,7 +408,7 @@ sub db_resume
 	my $fs_port=shift or die "argument \"fs_port\" missed";
 	if ($backend eq 'postgres')
 	{
-		$sid = x2goutils::sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+		$sid = x2goutils::sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 		$gr_port = x2goutils::sanitizer('num', $gr_port) or die "argument \"gr_port\" malformed";
 		$snd_port = x2goutils::sanitizer('num', $snd_port) or die "argument \"snd_port\" malformed";
 		$fs_port = x2goutils::sanitizer('num', $fs_port) or die "argument \"fs_port\" malformed";
@@ -432,7 +432,7 @@ sub db_changestatus
 	my $sid=shift or die "argument \"session_id\" missed";
 	if ($backend eq 'postgres')
 	{
-		$sid = x2goutils::sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+		$sid = x2goutils::sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 		my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
 		my $sth=$dbh->prepare("update sessions_view set last_time=now(),status='$status' where session_id = '$sid'");
 		$sth->execute()or die;
@@ -452,7 +452,7 @@ sub db_getstatus
 	my $status='';
 	if ($backend eq 'postgres')
 	{
-		$sid = x2goutils::sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+		$sid = x2goutils::sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 		my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
 		my $sth=$dbh->prepare("select status from sessions_view where session_id = '$sid'");
 		$sth->execute($sid) or die;
@@ -566,7 +566,7 @@ sub db_getagent
 	my $sid=shift or die "argument \"session_id\" missed";
 	if ($backend eq 'postgres')
 	{
-		$sid = x2goutils::sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+		$sid = x2goutils::sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 		my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
 		my $sth=$dbh->prepare("select agent_pid from sessions_view
 		                      where session_id ='$sid'");
@@ -594,7 +594,7 @@ sub db_getdisplay
 	my $sid=shift or die "argument \"session_id\" missed";
 	if ($backend eq 'postgres')
 	{
-		$sid = x2goutils::sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+		$sid = x2goutils::sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 		my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
 		my $sth=$dbh->prepare("select display from sessions_view
 		                      where session_id ='$sid'");
diff --git a/x2goserver/lib/x2gosqlitewrapper.pl b/x2goserver/lib/x2gosqlitewrapper.pl
index 8a02f98..c51b7f7 100755
--- a/x2goserver/lib/x2gosqlitewrapper.pl
+++ b/x2goserver/lib/x2gosqlitewrapper.pl
@@ -60,11 +60,15 @@ sub sanitizer {
 			$string = $1;
 			return $string;
 		} else {return 0;}
-	} elsif ($type eq "pnixusername") {
-		$string =~ s/[^a-zA-Z0-9\_\-\.]//g;
-		if ($string =~ /^([a-zA-Z0-9\_\-\.]*)$/) {
+	} elsif ($type eq "x2gosid") {
+		$string =~ s/[^a-zA-Z0-9\_\-\$\.\@]//g;
+		if ($string =~ /^([a-zA-Z0-9\_\-\$\.\@]*)$/) {
 			$string = $1;
-			return $string;
+			if ($string =~ /^([a-zA-Z\_][a-zA-Z0-9\_\-\.\@]{0,31}[\$]?)\-([\d]{2,4})\-([\d]{9,12})\_[a-zA-Z0-9\_\-\.]*\_dp[\d]{1,2}$/) {
+				if ((length($1) > 0) and (length($1) < 48)){
+					return $string;
+				} else {return 0;}
+			} else {return 0;}
 		} else {return 0;}
 	} elsif ($type eq "SOMETHINGELSE") {
 		return 0;
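Review bot: The `length($1)` guard added after the session-ID regex can never fail: `$1` is the first capture group, whose pattern `[a-zA-Z\_][a-zA-Z0-9\_\-\.\@]{0,31}[\$]?` admits between 1 and 33 characters, so both `> 0` and `< 48` are always true. Either drop the guard or apply it to the whole `$string` if an upper bound on the full ID was intended, e.g. `if (length($string) < 48) { return $string; }`. Separately, the branch strips every unexpected character with `s/[^a-zA-Z0-9\_\-\$\.\@]//g` before validating, so an argument containing a stray character is silently normalised into a different but valid-looking ID instead of being rejected; since every caller dies on a 0 return, an early `return 0 if $string =~ /[^a-zA-Z0-9\_\-\$\.\@]/;` would make the check fail closed. The body of sanitizer begins and ends outside this hunk.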
@@ -149,7 +153,7 @@ elsif($cmd eq  "listsessionsroot_all")
 elsif($cmd eq  "getmounts")
 {
 	my $sid=shift or die "argument \"session_id\" missed";
-	$sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+	$sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 	check_user($sid);
 	my @strings;
 	my $sth=$dbh->prepare("select client, path from mounts where session_id=?");
@@ -165,7 +169,7 @@ elsif($cmd eq  "getmounts")
 elsif($cmd eq  "deletemount")
 {
 	my $sid=shift or die "argument \"session_id\" missed";
-	$sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+	$sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 	my $path=shift or die "argument \"path\" missed";
 	check_user($sid);
 	my $sth=$dbh->prepare("delete from mounts where session_id=? and path=?");
@@ -181,7 +185,7 @@ elsif($cmd eq  "deletemount")
 elsif($cmd eq  "deletemounts")
 {
 	my $sid=shift or die "argument \"session_id\" missed";
-	$sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+	$sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 	check_user($sid);
 	my $sth=$dbh->prepare("delete from mounts where session_id=?");
 	$sth->execute($sid);
@@ -196,7 +200,7 @@ elsif($cmd eq  "deletemounts")
 elsif($cmd eq  "insertmount")
 {
 	my $sid=shift or die "argument \"session_id\" missed";
-	$sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+	$sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 	my $path=shift or die "argument \"path\" missed";
 	my $client=shift or die "argument \"client\" missed";
 	check_user($sid);
@@ -217,7 +221,7 @@ elsif($cmd eq  "insertsession")
 	$display = sanitizer('num', $display) or die "argument \"display\" malformed";
 	my $server=shift or die "argument \"server\" missed";
 	my $sid=shift or die "argument \"session_id\" missed";
-	$sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+	$sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 	check_user($sid);
 	my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id, init_time, last_time) values
 	                       (?, ?, ?, ?, datetime('now','localtime'), datetime('now','localtime'))");
@@ -239,7 +243,7 @@ elsif($cmd eq  "createsession")
 	my $fs_port=shift or die"argument \"fs_port\" missed";
 	$fs_port = sanitizer('num', $fs_port) or die "argument \"fs_port\" malformed";
 	my $sid=shift or die "argument \"session_id\" missed";
-	$sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+	$sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 	check_user($sid);
 	my $sth=$dbh->prepare("update sessions set status='R',last_time=datetime('now','localtime'),cookie=?,agent_pid=?,
 	                       client=?,gr_port=?,sound_port=?,fs_port=? where session_id=? and uname=?");
@@ -257,7 +261,7 @@ elsif($cmd eq  "insertport")
 {
 	my $server=shift or die "argument \"server\" missed";
 	my $sid=shift or die "argument \"session_id\" missed";
-	$sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+	$sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 	my $sshport=shift or die "argument \"port\" missed";
 	my $sth=$dbh->prepare("insert into used_ports (server,session_id,port) values  (?, ?, ?)");
 	check_user($sid);
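Review bot: `$sshport` is taken from the argument list without a `sanitizer('num', ...)` pass, unlike `$gr_port`, `$snd_port` and `$fs_port` in the createsession and resume hunks; the rmport hunk has the same gap. The value is bound with `?`, so this is about consistency and rejecting malformed input early rather than injection: `$sshport = sanitizer('num', $sshport) or die "argument \"port\" malformed";` on the line after the shift. The execute call lies outside the hunk, so a later check is possible but not visible here.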
@@ -274,7 +278,7 @@ elsif($cmd eq  "rmport")
 {
 	my $server=shift or die "argument \"server\" missed";
 	my $sid=shift or die "argument \"session_id\" missed";
-	$sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+	$sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 	my $sshport=shift or die "argument \"port\" missed";
 	my $sth=$dbh->prepare("delete from used_ports where server=? and session_id=? and port=?");
 	check_user($sid);
@@ -290,7 +294,7 @@ elsif($cmd eq  "resume")
 {
 	my $client=shift or die "argument \"client\" missed";
 	my $sid=shift or die "argument \"session_id\" missed";
-	$sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+	$sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 	my $gr_port=shift or die "argument \"gr_port\" missed";
 	$gr_port = sanitizer('num', $gr_port) or die "argument \"gr_port\" malformed";
 	my $snd_port=shift or die "argument \"snd_port\" missed";
@@ -313,7 +317,7 @@ elsif($cmd eq  "changestatus")
 {
 	my $status=shift or die "argument \"status\" missed";
 	my $sid=shift or die "argument \"session_id\" missed";
-	$sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+	$sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 	check_user($sid);
 	my $sth=$dbh->prepare("update sessions set last_time=datetime('now','localtime'),
 	                       status=? where session_id = ? and uname=?");
@@ -329,7 +333,7 @@ elsif($cmd eq  "changestatus")
 elsif($cmd eq  "getstatus")
 {
 	my $sid=shift or die "argument \"session_id\" missed";
-	$sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+	$sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 	check_user($sid);
 	my $sth=$dbh->prepare("select status from sessions where session_id = ?");
 	$sth->execute($sid);
@@ -415,7 +419,7 @@ elsif($cmd eq  "getservers")
 elsif($cmd eq  "getagent")
 {
 	my $sid=shift or die "argument \"session_id\" missed";
-	$sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+	$sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 	my $agent;
 	check_user($sid);
 	my $sth=$dbh->prepare("select agent_pid from sessions
@@ -439,7 +443,7 @@ elsif($cmd eq  "getagent")
 elsif($cmd eq  "getdisplay")
 {
 	my $sid=shift or die "argument \"session_id\" missed";
-	$sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+	$sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
 	my $display;
 	check_user($sid);
 	my $sth=$dbh->prepare("select display from sessions
diff --git a/x2goserver/lib/x2goutils.pm b/x2goserver/lib/x2goutils.pm
index a7eb265..0982df2 100644
--- a/x2goserver/lib/x2goutils.pm
+++ b/x2goserver/lib/x2goutils.pm
@@ -39,12 +39,6 @@ sub sanitizer {
 			$string = $1;
 			return $string;
 		} else {return 0;}
-	} elsif ($type eq "pnixusername") {
-		$string =~ s/[^a-zA-Z0-9\_\-\.]//g;
-		if ($string =~ /^([a-zA-Z0-9\_\-\.]*)$/) {
-			$string = $1;
-			return $string;
-		} else {return 0;}
 	} elsif ($type eq "x2gosid") {
 		$string =~ s/[^a-zA-Z0-9\_\-\$\.\@]//g;
 		if ($string =~ /^([a-zA-Z0-9\_\-\$\.\@]*)$/) {
