This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch master in repository x2goserver.
commit 4f5cfb8b619f2d3f3c3c7edbfb7448d32a15246a
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Tue Apr 15 15:55:02 2014 +0200
Provide string sanitizers. Esp. a sanitizer for X2Go session IDs.
---
X2Go/Server/DB/PostgreSQL.pm | 28 ++++++++++++++--------------
X2Go/Server/DB/SQLite3.pm | 28 ++++++++++++++--------------
X2Go/Utils.pm | 16 ++++++++++++++--
debian/changelog | 1 +
4 files changed, 43 insertions(+), 30 deletions(-)
diff --git a/X2Go/Server/DB/PostgreSQL.pm b/X2Go/Server/DB/PostgreSQL.pm
index 77a593e..8e0657a 100644
--- a/X2Go/Server/DB/PostgreSQL.pm
+++ b/X2Go/Server/DB/PostgreSQL.pm
@@ -179,7 +179,7 @@ sub dbsys_getmounts
{
init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my @mounts;
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("select client, path from mounts where session_id='$sid'");
@@ -199,7 +199,7 @@ sub db_getmounts
{
init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my @mounts;
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("select client, path from mounts_view where session_id='$sid'");
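Review bot: The `x2gosid` sanitizer on the new line is the only barrier between `$sid` and the statement text, because the `prepare` call below still interpolates it as `session_id='$sid'` rather than binding it; the same holds for the new line in every hunk of this file. Its alphabet keeps quotes out, so `$sid` is constrained, but `$path`, `$client`, `$server`, `$status` and `$shadreq_user` on the neighbouring statements in the later hunks are interpolated with no sanitizer at all, while SQLite3.pm in this same commit already binds these values with `?` placeholders. Binding here as well, `my $sth=$dbh->prepare("select client, path from mounts where session_id=?");` followed by `$sth->execute($sid)`, would turn the sanitizer into a format check instead of the injection barrier. `dbsys_getmounts` continues past the end of the hunk.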
@@ -219,7 +219,7 @@ sub db_deletemount
{
init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $path=shift or die "argument \"path\" missed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("delete from mounts_view where session_id='$sid' and path='$path'");
@@ -232,7 +232,7 @@ sub db_insertmount
{
init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $path=shift or die "argument \"path\" missed";
my $client=shift or die "argument \"client\" missed";
my $res_ok=0;
@@ -255,7 +255,7 @@ sub db_insertsession
$display = sanitizer('num', $display) or die "argument \"display\" malformed";
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id) values ('$display','$server','$uname','$sid')");
$sth->execute()or die $_;
@@ -270,7 +270,7 @@ sub db_insertshadowsession
$display = sanitizer('num', $display) or die "argument \"display\" malformed";
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $shadreq_user=shift or die "argument \"shadreq_user\" missed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id) values ('$display','$server','$shadreq_user','$sid')");
@@ -293,7 +293,7 @@ sub db_createsession
my $fs_port=shift or die"argument \"fs_port\" missed";
$fs_port = sanitizer('num', $fs_port) or die "argument \"fs_port\" malformed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("update sessions_view set status='R',last_time=now(),
cookie='$cookie',agent_pid='$pid',client='$client',gr_port='$gr_port',
@@ -308,7 +308,7 @@ sub db_insertport
init_db();
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $sshport=shift or die "argument \"port\" missed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("insert into used_ports (server,session_id,port) values ('$server','$sid','$sshport')");
@@ -322,7 +322,7 @@ sub db_rmport
init_db();
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $sshport=shift or die "argument \"port\" missed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("delete from used_ports where server='$server' and session_id='$sid' and port='$sshport'");
@@ -336,7 +336,7 @@ sub db_resume
init_db();
my $client=shift or die "argument \"client\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $gr_port=shift or die "argument \"gr_port\" missed";
$gr_port = sanitizer('num', $gr_port) or die "argument \"gr_port\" malformed";
my $snd_port=shift or die "argument \"sound_port\" missed";
@@ -356,7 +356,7 @@ sub db_changestatus
init_db();
my $status=shift or die "argument \"status\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("update sessions_view set last_time=now(),status='$status' where session_id = '$sid'");
$sth->execute()or die;
@@ -368,7 +368,7 @@ sub db_getstatus
{
init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $status='';
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("select status from sessions_view where session_id = '$sid'");
@@ -446,7 +446,7 @@ sub db_getagent
init_db();
my $agent;
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("select agent_pid from sessions_view where session_id ='$sid'");
@@ -467,7 +467,7 @@ sub db_getdisplay
init_db();
my $display;
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("select display from sessions_view where session_id ='$sid'");
diff --git a/X2Go/Server/DB/SQLite3.pm b/X2Go/Server/DB/SQLite3.pm
index c3737ad..9acecde 100644
--- a/X2Go/Server/DB/SQLite3.pm
+++ b/X2Go/Server/DB/SQLite3.pm
@@ -152,7 +152,7 @@ sub db_getmounts
{
my $dbh = init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
check_user($sid);
my @strings;
my $sth=$dbh->prepare("select client, path from mounts where session_id=?");
@@ -172,7 +172,7 @@ sub db_deletemount
{
my $dbh = init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $path=shift or die "argument \"path\" missed";
check_user($sid);
my $sth=$dbh->prepare("delete from mounts where session_id=? and path=?");
@@ -190,7 +190,7 @@ sub db_insertmount
{
my $dbh = init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $path=shift or die "argument \"path\" missed";
my $client=shift or die "argument \"client\" missed";
check_user($sid);
@@ -215,7 +215,7 @@ sub db_insertsession $display = sanitizer('num', $display) or die "argument \"display\" malformed"; my $server=shift or die "argument \"server\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; check_user($sid); my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id, init_time, last_time) values (?, ?, ?, ?, datetime('now','localtime'), datetime('now','localtime'))"); @@ -232,7 +232,7 @@ sub db_insertshadowsession $display = sanitizer('num', $display) or die "argument \"display\" malformed"; my $server=shift or die "argument \"server\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $shadreq_user = shift or die "argument \"shadreq_user\" missed"; my $fake_sid = $sid; $fake_sid =~ s/$shadreq_user-/$realuser-/; @@ -259,7 +259,7 @@ sub db_createsession my $fs_port=shift or die"argument \"fs_port\" missed"; $fs_port = sanitizer('num', $fs_port) or die "argument \"fs_port\" malformed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; check_user($sid); my $sth=$dbh->prepare("update sessions set status='R',last_time=datetime('now','localtime'),cookie=?,agent_pid=?, client=?,gr_port=?,sound_port=?,fs_port=? where session_id=? and uname=?"); 
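Review bot: `$shadreq_user`, read by `shift or die` right after the new sanitizer line in the `db_insertshadowsession` hunk, is never sanitized and is interpolated straight into `s/$shadreq_user-/$realuser-/`, so any regex metacharacter in it (a `.` is already legal in usernames) changes what the rewrite of `$fake_sid` matches; `$shadreq_user = sanitizer('pnixusername', $shadreq_user) or die "argument \"shadreq_user\" malformed";` after the `shift`, plus `\Q$shadreq_user\E` in the pattern, closes that. The substitution is also unanchored here while `db_createshadowsession` in the next hunk writes `s/^$shadreq_user-/$realuser-/`; the two should agree on `s/^\Q$shadreq_user\E-/$realuser-/` so only the username prefix is ever rewritten. `db_insertshadowsession` continues past the end of the hunk.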
@@ -288,7 +288,7 @@ sub db_createshadowsession
my $fs_port=shift or die"argument \"fs_port\" missed";
$fs_port = sanitizer('num', $fs_port) or die "argument \"fs_port\" malformed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $shadreq_user = shift or die "argument \"shadreq_user\" missed";
my $fake_sid = $sid;
$fake_sid =~ s/^$shadreq_user-/$realuser-/;
@@ -311,7 +311,7 @@ sub db_insertport
my $dbh = init_db();
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $sshport=shift or die "argument \"port\" missed";
my $sth=$dbh->prepare("insert into used_ports (server,session_id,port) values (?, ?, ?)");
check_user($sid);
@@ -330,7 +330,7 @@ sub db_rmport
my $dbh = init_db();
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $sshport=shift or die "argument \"port\" missed";
my $sth=$dbh->prepare("delete from used_ports where server=? and session_id=? and port=?");
check_user($sid);
@@ -348,7 +348,7 @@ sub db_resume
my $dbh = init_db();
my $client=shift or die "argument \"client\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $gr_port=shift or die "argument \"gr_port\" missed";
$gr_port = sanitizer('num', $gr_port) or die "argument \"gr_port\" malformed";
my $snd_port=shift or die "argument \"snd_port\" missed";
@@ -373,7 +373,7 @@ sub db_changestatus
my $dbh = init_db();
my $status=shift or die "argument \"status\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
check_user($sid);
my $sth=$dbh->prepare("update sessions set last_time=datetime('now','localtime'),
status=? where session_id = ? and uname=?");
@@ -391,7 +391,7 @@ sub db_getstatus
{
my $dbh = init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
check_user($sid);
my $sth=$dbh->prepare("select status from sessions where session_id = ?");
$sth->execute($sid);
@@ -484,7 +484,7 @@ sub db_getagent
{
my $dbh = init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $agent;
check_user($sid);
my $sth=$dbh->prepare("select agent_pid from sessions
@@ -510,7 +510,7 @@ sub db_getdisplay { my $dbh = init_db(); my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $display; check_user($sid); my $sth=$dbh->prepare("select display from sessions diff --git a/X2Go/Utils.pm b/X2Go/Utils.pm index 7f647cc..8936a27 100644 --- a/X2Go/Utils.pm +++ b/X2Go/Utils.pm @@ -114,9 +114,21 @@ sub sanitizer { } else {return 0;} } elsif ($type eq "pnixusername") { $string =~ s/[^a-zA-Z0-9\_\-\.]//g; - if ($string =~ /^([a-zA-Z0-9\_\-\.]*)$/) { + if ($string =~ /^([a-zA-Z\_][a-zA-Z0-9\_\-\.]{0,31}[\$]?)$/) { $string = $1; - return $string; + if ((length($1) > 0) and (length($1) < 32)){ + return $string; + } else {return 0;} + } else {return 0;} + } elsif ($type eq "x2gosid") { + $string =~ s/[^a-zA-Z0-9\_\-\$\.]//g; + if ($string =~ /^([a-zA-Z0-9\_\-\$\.]*)$/) { + $string = $1; + if ($string =~ /^([a-zA-Z\_][a-zA-Z0-9\_\-\.]{0,31}[\$]?)\-([\d]{2,4})\-([\d]{9,12})\_[a-zA-Z0-9\_\-]*\_dp[\d]{1,2}$/) { + if ((length($1) > 0) and (length($1) < 32)){ + return $string; + } else {return 0;} + } else {return 0;} } else {return 0;} } elsif ($type eq "SOMETHINGELSE") { return 0; diff --git a/debian/changelog b/debian/changelog index cbbcf08..4f69e87 100644 --- a/debian/changelog +++ b/debian/changelog @@ -88,6 +88,7 @@ x2goserver (4.1.0.0-0x2go1) UNRELEASED; urgency=low [ Guangzhou Nianguan Electronics Technology Co.Ltd. ] * New upstream version (4.1.0.0): - Add SupeReNicer support. + - Provide string sanitizers. Esp. a sanitizer for X2Go session IDs. [ Otto Kjell ] * New upstream version (4.1.0.0): -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/x2goserver.git
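Review bot: The new `x2gosid` branch in `X2Go/Utils.pm` repairs its input before validating it: `$string =~ s/[^a-zA-Z0-9\_\-\$\.]//g;` drops every foreign character, so a session ID that arrives with a quote, slash or newline in it is rewritten into a well-formed one and accepted, the callers' `or die "argument \"session_id\" malformed"` never fires for it, and the intermediate `/^([a-zA-Z0-9\_\-\$\.]*)$/` test after the strip is always true. Matching the raw value once against the format regex and returning 0 otherwise makes the sanitizer a pure accept/reject check, which matters for PostgreSQL.pm where the result is interpolated into SQL text; anchoring with `\z` instead of `$` also keeps a trailing newline out of the returned value (sketch below). In the `pnixusername` branch the added `[\$]?` can never match because the strip two lines above has already removed `$`, and `length($1) > 0` is always true since the leading `[a-zA-Z\_]` is mandatory, so both checks are dead. `sub sanitizer` begins before this hunk, and any caller that relied on the repair behaviour would start seeing rejections, which is presumably the intent of a "malformed" error.
```perl
} elsif ($type eq "x2gosid") {
	# Accept or reject only; never rewrite the value the caller handed in.
	if ($string =~ /^([a-zA-Z\_][a-zA-Z0-9\_\-\.]{0,31}[\$]?)\-([\d]{2,4})\-([\d]{9,12})\_[a-zA-Z0-9\_\-]*\_dp[\d]{1,2}\z/) {
		if (length($1) < 32) {
			return $string;
		} else {return 0;}
	} else {return 0;}
# … unchanged: "SOMETHINGELSE" branch …
```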