This is an automated email from the git hooks/post-receive script. x2go pushed a change to branch master in repository x2goserver. from a0a4680 release 4.0.1.15 (cherry-picked from release/4.0.1.x branch) new 4f5cfb8 Provide string sanitizers. Esp. a sanitizer for X2Go session IDs. The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference. Summary of changes: X2Go/Server/DB/PostgreSQL.pm | 28 ++++++++++++++-------------- X2Go/Server/DB/SQLite3.pm | 28 ++++++++++++++-------------- X2Go/Utils.pm | 16 ++++++++++++++-- debian/changelog | 1 + 4 files changed, 43 insertions(+), 30 deletions(-) -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/x2goserver.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2goserver. commit 4f5cfb8b619f2d3f3c3c7edbfb7448d32a15246a Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Tue Apr 15 15:55:02 2014 +0200 Provide string sanitizers. Esp. a sanitizer for X2Go session IDs. --- X2Go/Server/DB/PostgreSQL.pm | 28 ++++++++++++++-------------- X2Go/Server/DB/SQLite3.pm | 28 ++++++++++++++-------------- X2Go/Utils.pm | 16 ++++++++++++++-- debian/changelog | 1 + 4 files changed, 43 insertions(+), 30 deletions(-) diff --git a/X2Go/Server/DB/PostgreSQL.pm b/X2Go/Server/DB/PostgreSQL.pm index 77a593e..8e0657a 100644 --- a/X2Go/Server/DB/PostgreSQL.pm +++ b/X2Go/Server/DB/PostgreSQL.pm @@ -179,7 +179,7 @@ sub dbsys_getmounts { init_db(); my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my @mounts; my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_; my $sth=$dbh->prepare("select client, path from mounts where session_id='$sid'"); @@ -199,7 +199,7 @@ sub db_getmounts { init_db(); my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my @mounts; my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_; my $sth=$dbh->prepare("select client, path from mounts_view where session_id='$sid'"); 
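Review bot: In the PostgreSQL backend the validated `$sid` is still spliced into the statement text (`where session_id='$sid'` in dbsys_getmounts and db_getmounts), so the pattern inside `sanitizer` is the only thing standing between a caller-supplied ID and the SQL parser. Other values reach `prepare` the same way with no sanitizer call visible between their `shift` and the query: `$path` in db_deletemount, `$server` in db_insertsession, db_insertport and db_rmport, `$sshport` in db_insertport and db_rmport, and `$status` in db_changestatus. The SQLite3 half of this same commit already binds with placeholders; the equivalent here is `$dbh->prepare("select client, path from mounts where session_id=?")` with `$sid` passed to `$sth->execute($sid)`. That keeps the sanitizer as a format check rather than the injection defence. The function bodies continue outside these hunks, so the `execute` calls themselves are not visible here.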
@@ -219,7 +219,7 @@ sub db_deletemount { init_db(); my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $path=shift or die "argument \"path\" missed"; my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_; my $sth=$dbh->prepare("delete from mounts_view where session_id='$sid' and path='$path'"); @@ -232,7 +232,7 @@ sub db_insertmount { init_db(); my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $path=shift or die "argument \"path\" missed"; my $client=shift or die "argument \"client\" missed"; my $res_ok=0; @@ -255,7 +255,7 @@ sub db_insertsession $display = sanitizer('num', $display) or die "argument \"display\" malformed"; my $server=shift or die "argument \"server\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_; my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id) values ('$display','$server','$uname','$sid')"); $sth->execute()or die $_; 
@@ -270,7 +270,7 @@ sub db_insertshadowsession $display = sanitizer('num', $display) or die "argument \"display\" malformed"; my $server=shift or die "argument \"server\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $shadreq_user=shift or die "argument \"shadreq_user\" missed"; my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_; my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id) values ('$display','$server','$shadreq_user','$sid')"); @@ -293,7 +293,7 @@ sub db_createsession my $fs_port=shift or die"argument \"fs_port\" missed"; $fs_port = sanitizer('num', $fs_port) or die "argument \"fs_port\" malformed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_; my $sth=$dbh->prepare("update sessions_view set status='R',last_time=now(), cookie='$cookie',agent_pid='$pid',client='$client',gr_port='$gr_port', 
@@ -308,7 +308,7 @@ sub db_insertport init_db(); my $server=shift or die "argument \"server\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $sshport=shift or die "argument \"port\" missed"; my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_; my $sth=$dbh->prepare("insert into used_ports (server,session_id,port) values ('$server','$sid','$sshport')"); @@ -322,7 +322,7 @@ sub db_rmport init_db(); my $server=shift or die "argument \"server\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $sshport=shift or die "argument \"port\" missed"; my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_; my $sth=$dbh->prepare("delete from used_ports where server='$server' and session_id='$sid' and port='$sshport'"); @@ -336,7 +336,7 @@ sub db_resume init_db(); my $client=shift or die "argument \"client\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $gr_port=shift or die "argument \"gr_port\" missed"; $gr_port = sanitizer('num', $gr_port) or die "argument \"gr_port\" malformed"; my $snd_port=shift or die "argument \"sound_port\" missed"; 
@@ -356,7 +356,7 @@ sub db_changestatus init_db(); my $status=shift or die "argument \"status\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_; my $sth=$dbh->prepare("update sessions_view set last_time=now(),status='$status' where session_id = '$sid'"); $sth->execute()or die; @@ -368,7 +368,7 @@ sub db_getstatus { init_db(); my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $status=''; my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_; my $sth=$dbh->prepare("select status from sessions_view where session_id = '$sid'"); @@ -446,7 +446,7 @@ sub db_getagent init_db(); my $agent; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_; my $sth=$dbh->prepare("select agent_pid from sessions_view where session_id ='$sid'"); 
@@ -467,7 +467,7 @@ sub db_getdisplay init_db(); my $display; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_; my $sth=$dbh->prepare("select display from sessions_view where session_id ='$sid'"); diff --git a/X2Go/Server/DB/SQLite3.pm b/X2Go/Server/DB/SQLite3.pm index c3737ad..9acecde 100644 --- a/X2Go/Server/DB/SQLite3.pm +++ b/X2Go/Server/DB/SQLite3.pm @@ -152,7 +152,7 @@ sub db_getmounts { my $dbh = init_db(); my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; check_user($sid); my @strings; my $sth=$dbh->prepare("select client, path from mounts where session_id=?"); @@ -172,7 +172,7 @@ sub db_deletemount { my $dbh = init_db(); my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $path=shift or die "argument \"path\" missed"; check_user($sid); my $sth=$dbh->prepare("delete from mounts where session_id=? and path=?"); @@ -190,7 +190,7 @@ sub db_insertmount { my $dbh = init_db(); my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $path=shift or die "argument \"path\" missed"; my $client=shift or die "argument \"client\" missed"; check_user($sid); 
@@ -215,7 +215,7 @@ sub db_insertsession $display = sanitizer('num', $display) or die "argument \"display\" malformed"; my $server=shift or die "argument \"server\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; check_user($sid); my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id, init_time, last_time) values (?, ?, ?, ?, datetime('now','localtime'), datetime('now','localtime'))"); @@ -232,7 +232,7 @@ sub db_insertshadowsession $display = sanitizer('num', $display) or die "argument \"display\" malformed"; my $server=shift or die "argument \"server\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $shadreq_user = shift or die "argument \"shadreq_user\" missed"; my $fake_sid = $sid; $fake_sid =~ s/$shadreq_user-/$realuser-/; @@ -259,7 +259,7 @@ sub db_createsession my $fs_port=shift or die"argument \"fs_port\" missed"; $fs_port = sanitizer('num', $fs_port) or die "argument \"fs_port\" malformed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; check_user($sid); my $sth=$dbh->prepare("update sessions set status='R',last_time=datetime('now','localtime'),cookie=?,agent_pid=?, client=?,gr_port=?,sound_port=?,fs_port=? where session_id=? and uname=?"); 
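Review bot: In db_insertshadowsession, `$shadreq_user` is interpolated into `s/$shadreq_user-/$realuser-/` as a regular expression, with no sanitizer call on it visible in the hunk, and the user part that the new `x2gosid` type accepts may contain `.` and `$`, both of which are regex metacharacters. The pattern is also unanchored here, whereas db_createshadowsession (hunk at -288) uses `^`, so the two can rewrite different parts of the same ID. Quoting and anchoring in both places would make the substitution literal: `$fake_sid =~ s/^\Q$shadreq_user\E-/$realuser-/;`. `$fake_sid` presumably feeds the ownership check that follows outside the hunk, which is why an imprecise match is worth ruling out.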
@@ -288,7 +288,7 @@ sub db_createshadowsession my $fs_port=shift or die"argument \"fs_port\" missed"; $fs_port = sanitizer('num', $fs_port) or die "argument \"fs_port\" malformed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $shadreq_user = shift or die "argument \"shadreq_user\" missed"; my $fake_sid = $sid; $fake_sid =~ s/^$shadreq_user-/$realuser-/; @@ -311,7 +311,7 @@ sub db_insertport my $dbh = init_db(); my $server=shift or die "argument \"server\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $sshport=shift or die "argument \"port\" missed"; my $sth=$dbh->prepare("insert into used_ports (server,session_id,port) values (?, ?, ?)"); check_user($sid); @@ -330,7 +330,7 @@ sub db_rmport my $dbh = init_db(); my $server=shift or die "argument \"server\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $sshport=shift or die "argument \"port\" missed"; my $sth=$dbh->prepare("delete from used_ports where server=? and session_id=? and port=?"); check_user($sid); 
@@ -348,7 +348,7 @@ sub db_resume my $dbh = init_db(); my $client=shift or die "argument \"client\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $gr_port=shift or die "argument \"gr_port\" missed"; $gr_port = sanitizer('num', $gr_port) or die "argument \"gr_port\" malformed"; my $snd_port=shift or die "argument \"snd_port\" missed"; @@ -373,7 +373,7 @@ sub db_changestatus my $dbh = init_db(); my $status=shift or die "argument \"status\" missed"; my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; check_user($sid); my $sth=$dbh->prepare("update sessions set last_time=datetime('now','localtime'), status=? where session_id = ? and uname=?"); @@ -391,7 +391,7 @@ sub db_getstatus { my $dbh = init_db(); my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; check_user($sid); my $sth=$dbh->prepare("select status from sessions where session_id = ?"); $sth->execute($sid); @@ -484,7 +484,7 @@ sub db_getagent { my $dbh = init_db(); my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $agent; check_user($sid); my $sth=$dbh->prepare("select agent_pid from sessions 
@@ -510,7 +510,7 @@ sub db_getdisplay { my $dbh = init_db(); my $sid=shift or die "argument \"session_id\" missed"; - $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed"; + $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed"; my $display; check_user($sid); my $sth=$dbh->prepare("select display from sessions diff --git a/X2Go/Utils.pm b/X2Go/Utils.pm index 7f647cc..8936a27 100644 --- a/X2Go/Utils.pm +++ b/X2Go/Utils.pm @@ -114,9 +114,21 @@ sub sanitizer { } else {return 0;} } elsif ($type eq "pnixusername") { $string =~ s/[^a-zA-Z0-9\_\-\.]//g; - if ($string =~ /^([a-zA-Z0-9\_\-\.]*)$/) { + if ($string =~ /^([a-zA-Z\_][a-zA-Z0-9\_\-\.]{0,31}[\$]?)$/) { $string = $1; - return $string; + if ((length($1) > 0) and (length($1) < 32)){ + return $string; + } else {return 0;} + } else {return 0;} + } elsif ($type eq "x2gosid") { + $string =~ s/[^a-zA-Z0-9\_\-\$\.]//g; + if ($string =~ /^([a-zA-Z0-9\_\-\$\.]*)$/) { + $string = $1; + if ($string =~ /^([a-zA-Z\_][a-zA-Z0-9\_\-\.]{0,31}[\$]?)\-([\d]{2,4})\-([\d]{9,12})\_[a-zA-Z0-9\_\-]*\_dp[\d]{1,2}$/) { + if ((length($1) > 0) and (length($1) < 32)){ + return $string; + } else {return 0;} + } else {return 0;} } else {return 0;} } elsif ($type eq "SOMETHINGELSE") { return 0; diff --git a/debian/changelog b/debian/changelog index cbbcf08..4f69e87 100644 --- a/debian/changelog +++ b/debian/changelog @@ -88,6 +88,7 @@ x2goserver (4.1.0.0-0x2go1) UNRELEASED; urgency=low [ Guangzhou Nianguan Electronics Technology Co.Ltd. ] * New upstream version (4.1.0.0): - Add SupeReNicer support. + - Provide string sanitizers. Esp. a sanitizer for X2Go session IDs. [ Otto Kjell ] * New upstream version (4.1.0.0): -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/x2goserver.git
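Review bot: The new `x2gosid` branch in X2Go/Utils.pm runs `s/[^a-zA-Z0-9\_\-\$\.]//g` before matching, so an ID that arrives with a quote, whitespace or any other disallowed character is silently rewritten into a different, valid-looking ID instead of being rejected. A check that guards database lookups should fail closed on the input as given, so drop the substitution and match the unmodified string between `\A` and `\z`; the reworked `pnixusername` branch has the same strip-then-match order. Separately, the user part allows one leading character plus `{0,31}` plus an optional `$` (up to 33 characters) while the following `length($1) < 32` rejects 32 and 33, and `length($1) > 0` can never be false. Stating the bound once, in the pattern, would remove that mismatch. The `sanitizer` sub starts and ends outside the hunk.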