The branch, build-main has been updated via 4c3484419eb32f645709352a52523df57c0e813f (commit) from 17f0a8f6d633ba495a2f22f9fbe0d99ceff212a4 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 4c3484419eb32f645709352a52523df57c0e813f Author: Alexander Wuerstlein <arw@arw.name> Date: Tue Feb 15 14:08:02 2011 +0100 Use prepared statements, fix sql injections ----------------------------------------------------------------------- Summary of changes: x2gosqlitewrapper | 58 ++++++++++++++++++++++++++--------------------------- 1 file changed, 29 insertions(+), 29 deletions(-) The diff of changes is:
diff --git a/x2gosqlitewrapper b/x2gosqlitewrapper
index b6a7156..55b8e43 100755
--- a/x2gosqlitewrapper
+++ b/x2gosqlitewrapper
@@ -24,8 +24,8 @@ if($cmd eq "rmsessionsroot")
 {
 checkroot();
 my $sid=shift or die "argument \"session_id\" missed";
- my $sth=$dbh->prepare("delete from sessions where session_id='$sid'");
- $sth->execute()or die;
+ my $sth=$dbh->prepare("delete from sessions where session_id=?");
+ $sth->execute($id)or die;
 $sth->finish();
 }
@@ -40,8 +40,8 @@ elsif($cmd eq "listsessionsroot")
 substr(strftime('%d.%m.%Y*%H:%M:%S',last_time),0,6)||substr(strftime('%d.%m.%Y*%H:%M:%S',last_time),9,11), uname, strftime('%s','now','localtime') - strftime('%s',init_time),fs_port from sessions
- where server='$server' order by status desc");
- $sth->execute() or die;
+ where server=? order by status desc");
+ $sth->execute($server) or die;
 fetchrow_printall_array($sth);
 }
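Review bot: The value bound on the new execute line of the rmsessionsroot hunk is `$id`, but the session id read two lines above is `$sid`. If the script runs under `use strict` this will not compile; otherwise `$id` is undef, binds NULL, and the delete silently matches no row, so the root-only removal never happens and `or die` never fires because the statement itself succeeds. The line should be `$sth->execute($sid)or die;`, as every other hunk in this commit binds the variable it declared. A bare `or die` also discards the reason for a failure; `or die $sth->errstr` would make the diagnostics useful here and in the sibling hunks.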
@@ -64,8 +64,8 @@ elsif($cmd eq "getmounts")
 {
 my $sid=shift or die "argument \"session_id\" missed";
 my @strings;
- my $sth=$dbh->prepare("select client, path from mounts where session_id='$sid'");
- $sth->execute()or die;
+ my $sth=$dbh->prepare("select client, path from mounts where session_id=?");
+ $sth->execute($sid)or die;
 fetchrow_printall_array($sth);
 }
@@ -73,8 +73,8 @@ elsif($cmd eq "deletemount")
 {
 my $sid=shift or die "argument \"session_id\" missed";
 my $path=shift or die "argument \"path\" missed";
- my $sth=$dbh->prepare("delete from mounts where session_id='$sid' and path='$path'");
- $sth->execute();
+ my $sth=$dbh->prepare("delete from mounts where session_id=? and path=?");
+ $sth->execute($sid, $path);
 $sth->finish();
 }
@@ -83,8 +83,8 @@ elsif($cmd eq "insertmount")
 my $sid=shift or die "argument \"session_id\" missed";
 my $path=shift or die "argument \"path\" missed";
 my $client=shift or die "argument \"client\" missed";
- my $sth=$dbh->prepare("insert into mounts (session_id,path,client) values ('$sid','$path','$client')");
- $sth->execute();
+ my $sth=$dbh->prepare("insert into mounts (session_id,path,client) values (?, ?, ?)");
+ $sth->execute($sid, $path, $client);
 if(!$sth->err())
 {
 print "ok";
@@ -98,8 +98,8 @@ elsif($cmd eq "insertsession")
 my $server=shift or die "argument \"server\" missed";
 my $sid=shift or die "argument \"session_id\" missed";
 my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id, init_time, last_time) values
- ('$display','$server','$realuser','$sid', datetime('now','localtime'), datetime('now','localtime'))");
- $sth->execute()or die $_;
+ (?, ?, ?, ?, datetime('now','localtime'), datetime('now','localtime'))");
+ $sth->execute($display, $server, $realuser, $sid) or die $_;
 $sth->finish();
 print "ok";
 }
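Review bot: `$sth->execute($sid, $path);` in the deletemount hunk is the only rewritten execute in this commit whose return value is not checked, so a failed delete (locked database, bind error) is followed by `finish()` as if it had succeeded and the caller gets no indication. Bring it in line with the sibling hunks: `$sth->execute($sid, $path) or die $sth->errstr;`. The insertmount hunk just below is the same shape but at least inspects `$sth->err()` afterwards, so it needs no change.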
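Review bot: `or die $_` on the new execute line of the insertsession hunk reports whatever happens to be in `$_`, which is not where DBI leaves its error, so a failed insert dies with an empty or unrelated message. Since the line is rewritten anyway, make it `$sth->execute($display, $server, $realuser, $sid) or die $sth->errstr;`. The `die $_` was carried over from the removed line, so this is inherited rather than introduced, but it is the line that will be read when the insert fails.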
@@ -113,9 +113,9 @@ elsif($cmd eq "createsession")
 my $snd_port=shift or die"argument \"snd_port\" missed";
 my $fs_port=shift or die"argument \"fs_port\" missed";
 my $sid=shift or die "argument \"session_id\" missed";
- my $sth=$dbh->prepare("update sessions set status='R',last_time=datetime('now','localtime'),cookie='$cookie',agent_pid='$pid',
- client='$client',gr_port='$gr_port',sound_port='$snd_port',fs_port='$fs_port' where session_id='$sid' and uname='$realuser'");
- $sth->execute()or die;
+ my $sth=$dbh->prepare("update sessions set status='R',last_time=datetime('now','localtime'),cookie=?,agent_pid=?,
+ client=?,gr_port=?,sound_port=?,fs_port=? where session_id=? and uname=?");
+ $sth->execute($cookie, $pid, $client, $gr_port, $snd_port, $fs_port, $sid, $realuid)or die;
 $sth->finish();
 print "ok";
 }
@@ -125,8 +125,8 @@ elsif($cmd eq "insertport")
 my $server=shift or die "argument \"server\" missed";
 my $sid=shift or die "argument \"session_id\" missed";
 my $sshport=shift or die "argument \"port\" missed";
- my $sth=$dbh->prepare("insert into used_ports (server,session_id,port) values ('$server','$sid','$sshport')");
- $sth->execute()or die;
+ my $sth=$dbh->prepare("insert into used_ports (server,session_id,port) values (?, ?, ?)");
+ $sth->execute($server, $sid, $sshport) or die;
 $sth->finish();
 }
@@ -135,8 +135,8 @@ elsif($cmd eq "resume")
 my $client=shift or die "argument \"client\" missed";
 my $sid=shift or die "argument \"session_id\" missed";
 my $sth=$dbh->prepare("update sessions set last_time=datetime('now','localtime'),status='R',
- client='$client' where session_id = '$sid' and uname='$realuser'");
- $sth->execute()or die;
+ client=? where session_id = ? and uname=?");
+ $sth->execute($client, $sid, $realuser) or die;
 $sth->finish();
 }
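Review bot: The last value bound in the createsession execute is `$realuid`, while the placeholder it fills is `uname=?` and the removed line compared `uname='$realuser'`; the resume hunk below and every other hunk in this commit bind `$realuser` for that column. If `$realuid` is undeclared this fails under `use strict`; if it exists and holds a numeric uid, the update matches no row, the session is never marked running, and `or die` does not fire because the statement itself succeeds. Change the line to `$sth->execute($cookie, $pid, $client, $gr_port, $snd_port, $fs_port, $sid, $realuser)or die;`. The `and uname=?` filter is what keeps one user from updating another user's session row, so binding the wrong variable here matters beyond the functional failure.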
@@ -145,8 +145,8 @@ elsif($cmd eq "changestatus")
 my $status=shift or die "argument \"status\" missed";
 my $sid=shift or die "argument \"session_id\" missed";
 my $sth=$dbh->prepare("update sessions set last_time=datetime('now','localtime'),
- status='$status' where session_id = '$sid' and uname='$realuser'");
- $sth->execute()or die;
+ status=? where session_id = ? and uname=?");
+ $sth->execute($status, $sid, $realuser)or die;
 $sth->finish();
 }
@@ -205,8 +205,8 @@ elsif($cmd eq "getagent")
 my $sid=shift or die "argument \"session_id\" missed";
 my $agent;
 my $sth=$dbh->prepare("select agent_pid from sessions
- where session_id ='$sid'");
- $sth->execute()or die;
+ where session_id=?");
+ $sth->execute($sid)or die;
 my @data;
 my $i=0;
 if(@data = $sth->fetchrow_array)
@@ -222,8 +222,8 @@ elsif($cmd eq "getdisplay")
 my $sid=shift or die "argument \"session_id\" missed";
 my $display;
 my $sth=$dbh->prepare("select display from sessions
- where session_id ='$sid'");
- $sth->execute()or die;
+ where session_id =?");
+ $sth->execute($sid)or die;
 my @data;
 my $i=0;
 if(@data = $sth->fetchrow_array)
@@ -244,9 +244,9 @@ elsif($cmd eq "listsessions")
 substr(strftime('%d.%m.%Y*%H:%M:%S',last_time),0,6)||substr(strftime('%d.%m.%Y*%H:%M:%S',last_time),9,11), uname, strftime('%s','now','localtime') - strftime('%s',init_time),fs_port from sessions
- where status !='F' and server='$server' and uname='$realuser'
+ where status !='F' and server=? and uname=?
 and ( session_id not like '%XSHAD%') order by status desc");
- $sth->execute()or die;
+ $sth->execute($server, $realuser)or die;
 fetchrow_printall_array($sth);
 }
@@ -259,8 +259,8 @@ elsif($cmd eq "listsessions_all")
 substr(strftime('%d.%m.%Y*%H:%M:%S',last_time),0,6)||substr(strftime('%d.%m.%Y*%H:%M:%S',last_time),9,11), uname, strftime('%s','now','localtime') - strftime('%s',init_time),fs_port from sessions
- where status !='F' and uname='$realuser' and ( session_id not like '%XSHAD%') order by status desc");
- $sth->execute()or die;
+ where status !='F' and uname=? and ( session_id not like '%XSHAD%') order by status desc");
+ $sth->execute($realuser)or die;
 fetchrow_printall_array($sth);
 }
 else
hooks/post-receive -- x2goserver.git (X2Go Server) This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "x2goserver.git" (X2Go Server).