[X2Go-Commits] [x2goserver] 01/01: Provide string sanitizers. Esp. a sanitizer for X2Go session IDs.
git-admin at x2go.org
git-admin at x2go.org
Tue Apr 15 15:55:07 CEST 2014
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch master
in repository x2goserver.
commit 4f5cfb8b619f2d3f3c3c7edbfb7448d32a15246a
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date: Tue Apr 15 15:55:02 2014 +0200
Provide string sanitizers. Esp. a sanitizer for X2Go session IDs.
---
X2Go/Server/DB/PostgreSQL.pm | 28 ++++++++++++++--------------
X2Go/Server/DB/SQLite3.pm | 28 ++++++++++++++--------------
X2Go/Utils.pm | 16 ++++++++++++++--
debian/changelog | 1 +
4 files changed, 43 insertions(+), 30 deletions(-)
diff --git a/X2Go/Server/DB/PostgreSQL.pm b/X2Go/Server/DB/PostgreSQL.pm
index 77a593e..8e0657a 100644
--- a/X2Go/Server/DB/PostgreSQL.pm
+++ b/X2Go/Server/DB/PostgreSQL.pm
@@ -179,7 +179,7 @@ sub dbsys_getmounts
{
init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my @mounts;
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("select client, path from mounts where session_id='$sid'");
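Review bot: The connect failure path in the context line `DBI->connect(...) or die $_;` reports `$_`, which DBI does not set, so a failed connection dies with an empty or unrelated message. Using `or die $DBI::errstr;` would surface the actual driver error. The same construct appears in the connect line of every other PostgreSQL.pm hunk in this commit. dbsys_getmounts continues past the end of the hunk.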
@@ -199,7 +199,7 @@ sub db_getmounts
{
init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my @mounts;
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("select client, path from mounts_view where session_id='$sid'");
@@ -219,7 +219,7 @@ sub db_deletemount
{
init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $path=shift or die "argument \"path\" missed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("delete from mounts_view where session_id='$sid' and path='$path'");
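Review bot: `$path` is interpolated straight into the SQL text in `delete from mounts_view where session_id='$sid' and path='$path'`, and no sanitizer call for it is visible in this hunk, so tightening the `$sid` check alone does not make the statement safe against quoting problems or injection. The SQLite3 backend already binds these values; the same form works here: `my $sth=$dbh->prepare("delete from mounts_view where session_id=? and path=?");` followed by `$sth->execute($sid, $path);` (the execute call is outside the hunk). The db_insertsession, db_insertshadowsession, db_insertport, db_rmport and db_changestatus hunks interpolate `$server`, `$uname`, `$shadreq_user`, `$sshport` and `$status` in the same way. With placeholders throughout, the queries would no longer depend on the sanitizer regexes staying free of quote characters.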
@@ -232,7 +232,7 @@ sub db_insertmount
{
init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $path=shift or die "argument \"path\" missed";
my $client=shift or die "argument \"client\" missed";
my $res_ok=0;
@@ -255,7 +255,7 @@ sub db_insertsession
$display = sanitizer('num', $display) or die "argument \"display\" malformed";
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id) values ('$display','$server','$uname','$sid')");
$sth->execute()or die $_;
@@ -270,7 +270,7 @@ sub db_insertshadowsession
$display = sanitizer('num', $display) or die "argument \"display\" malformed";
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $shadreq_user=shift or die "argument \"shadreq_user\" missed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id) values ('$display','$server','$shadreq_user','$sid')");
@@ -293,7 +293,7 @@ sub db_createsession
my $fs_port=shift or die"argument \"fs_port\" missed";
$fs_port = sanitizer('num', $fs_port) or die "argument \"fs_port\" malformed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("update sessions_view set status='R',last_time=now(),
cookie='$cookie',agent_pid='$pid',client='$client',gr_port='$gr_port',
@@ -308,7 +308,7 @@ sub db_insertport
init_db();
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $sshport=shift or die "argument \"port\" missed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("insert into used_ports (server,session_id,port) values ('$server','$sid','$sshport')");
@@ -322,7 +322,7 @@ sub db_rmport
init_db();
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $sshport=shift or die "argument \"port\" missed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("delete from used_ports where server='$server' and session_id='$sid' and port='$sshport'");
@@ -336,7 +336,7 @@ sub db_resume
init_db();
my $client=shift or die "argument \"client\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $gr_port=shift or die "argument \"gr_port\" missed";
$gr_port = sanitizer('num', $gr_port) or die "argument \"gr_port\" malformed";
my $snd_port=shift or die "argument \"sound_port\" missed";
@@ -356,7 +356,7 @@ sub db_changestatus
init_db();
my $status=shift or die "argument \"status\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("update sessions_view set last_time=now(),status='$status' where session_id = '$sid'");
$sth->execute()or die;
@@ -368,7 +368,7 @@ sub db_getstatus
{
init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $status='';
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("select status from sessions_view where session_id = '$sid'");
@@ -446,7 +446,7 @@ sub db_getagent
init_db();
my $agent;
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("select agent_pid from sessions_view
where session_id ='$sid'");
@@ -467,7 +467,7 @@ sub db_getdisplay
init_db();
my $display;
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $dbh=DBI->connect("dbi:Pg:dbname=$db;host=$host;port=$port;sslmode=$sslmode", "$dbuser", "$dbpass",{AutoCommit => 1}) or die $_;
my $sth=$dbh->prepare("select display from sessions_view
where session_id ='$sid'");
diff --git a/X2Go/Server/DB/SQLite3.pm b/X2Go/Server/DB/SQLite3.pm
index c3737ad..9acecde 100644
--- a/X2Go/Server/DB/SQLite3.pm
+++ b/X2Go/Server/DB/SQLite3.pm
@@ -152,7 +152,7 @@ sub db_getmounts
{
my $dbh = init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
check_user($sid);
my @strings;
my $sth=$dbh->prepare("select client, path from mounts where session_id=?");
@@ -172,7 +172,7 @@ sub db_deletemount
{
my $dbh = init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $path=shift or die "argument \"path\" missed";
check_user($sid);
my $sth=$dbh->prepare("delete from mounts where session_id=? and path=?");
@@ -190,7 +190,7 @@ sub db_insertmount
{
my $dbh = init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $path=shift or die "argument \"path\" missed";
my $client=shift or die "argument \"client\" missed";
check_user($sid);
@@ -215,7 +215,7 @@ sub db_insertsession
$display = sanitizer('num', $display) or die "argument \"display\" malformed";
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
check_user($sid);
my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id, init_time, last_time) values
(?, ?, ?, ?, datetime('now','localtime'), datetime('now','localtime'))");
@@ -232,7 +232,7 @@ sub db_insertshadowsession
$display = sanitizer('num', $display) or die "argument \"display\" malformed";
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $shadreq_user = shift or die "argument \"shadreq_user\" missed";
my $fake_sid = $sid;
$fake_sid =~ s/$shadreq_user-/$realuser-/;
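Review bot: `$shadreq_user` is used as a regex pattern, unquoted and unanchored, in `$fake_sid =~ s/$shadreq_user-/$realuser-/;`, and no sanitizer call for it is visible in this hunk. A user name containing `.` (which the `pnixusername` character class permits) would match arbitrary characters, and without `^` the replacement can land in the middle of the session ID rather than on its user-name prefix. Suggest `$fake_sid =~ s/^\Q$shadreq_user\E-/$realuser-/;`. The db_createshadowsession hunk already anchors with `^` but would also benefit from `\Q…\E`. db_insertshadowsession begins and ends outside the hunk.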
@@ -259,7 +259,7 @@ sub db_createsession
my $fs_port=shift or die"argument \"fs_port\" missed";
$fs_port = sanitizer('num', $fs_port) or die "argument \"fs_port\" malformed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
check_user($sid);
my $sth=$dbh->prepare("update sessions set status='R',last_time=datetime('now','localtime'),cookie=?,agent_pid=?,
client=?,gr_port=?,sound_port=?,fs_port=? where session_id=? and uname=?");
@@ -288,7 +288,7 @@ sub db_createshadowsession
my $fs_port=shift or die"argument \"fs_port\" missed";
$fs_port = sanitizer('num', $fs_port) or die "argument \"fs_port\" malformed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $shadreq_user = shift or die "argument \"shadreq_user\" missed";
my $fake_sid = $sid;
$fake_sid =~ s/^$shadreq_user-/$realuser-/;
@@ -311,7 +311,7 @@ sub db_insertport
my $dbh = init_db();
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $sshport=shift or die "argument \"port\" missed";
my $sth=$dbh->prepare("insert into used_ports (server,session_id,port) values (?, ?, ?)");
check_user($sid);
@@ -330,7 +330,7 @@ sub db_rmport
my $dbh = init_db();
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $sshport=shift or die "argument \"port\" missed";
my $sth=$dbh->prepare("delete from used_ports where server=? and session_id=? and port=?");
check_user($sid);
@@ -348,7 +348,7 @@ sub db_resume
my $dbh = init_db();
my $client=shift or die "argument \"client\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $gr_port=shift or die "argument \"gr_port\" missed";
$gr_port = sanitizer('num', $gr_port) or die "argument \"gr_port\" malformed";
my $snd_port=shift or die "argument \"snd_port\" missed";
@@ -373,7 +373,7 @@ sub db_changestatus
my $dbh = init_db();
my $status=shift or die "argument \"status\" missed";
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
check_user($sid);
my $sth=$dbh->prepare("update sessions set last_time=datetime('now','localtime'),
status=? where session_id = ? and uname=?");
@@ -391,7 +391,7 @@ sub db_getstatus
{
my $dbh = init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
check_user($sid);
my $sth=$dbh->prepare("select status from sessions where session_id = ?");
$sth->execute($sid);
@@ -484,7 +484,7 @@ sub db_getagent
{
my $dbh = init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $agent;
check_user($sid);
my $sth=$dbh->prepare("select agent_pid from sessions
@@ -510,7 +510,7 @@ sub db_getdisplay
{
my $dbh = init_db();
my $sid=shift or die "argument \"session_id\" missed";
- $sid = sanitizer('pnixusername', $sid) or die "argument \"session_id\" malformed";
+ $sid = sanitizer('x2gosid', $sid) or die "argument \"session_id\" malformed";
my $display;
check_user($sid);
my $sth=$dbh->prepare("select display from sessions
diff --git a/X2Go/Utils.pm b/X2Go/Utils.pm
index 7f647cc..8936a27 100644
--- a/X2Go/Utils.pm
+++ b/X2Go/Utils.pm
@@ -114,9 +114,21 @@ sub sanitizer {
} else {return 0;}
} elsif ($type eq "pnixusername") {
$string =~ s/[^a-zA-Z0-9\_\-\.]//g;
- if ($string =~ /^([a-zA-Z0-9\_\-\.]*)$/) {
+ if ($string =~ /^([a-zA-Z\_][a-zA-Z0-9\_\-\.]{0,31}[\$]?)$/) {
$string = $1;
- return $string;
+ if ((length($1) > 0) and (length($1) < 32)){
+ return $string;
+ } else {return 0;}
+ } else {return 0;}
+ } elsif ($type eq "x2gosid") {
+ $string =~ s/[^a-zA-Z0-9\_\-\$\.]//g;
+ if ($string =~ /^([a-zA-Z0-9\_\-\$\.]*)$/) {
+ $string = $1;
+ if ($string =~ /^([a-zA-Z\_][a-zA-Z0-9\_\-\.]{0,31}[\$]?)\-([\d]{2,4})\-([\d]{9,12})\_[a-zA-Z0-9\_\-]*\_dp[\d]{1,2}$/) {
+ if ((length($1) > 0) and (length($1) < 32)){
+ return $string;
+ } else {return 0;}
+ } else {return 0;}
} else {return 0;}
} elsif ($type eq "SOMETHINGELSE") {
return 0;
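Review bot: Both branches delete disallowed characters before matching, so a malformed value is rewritten into one that passes instead of being rejected, and callers can end up acting on a different user name or session ID than the one supplied. In the `pnixusername` branch the `s/[^a-zA-Z0-9\_\-\.]//g` line also strips `$`, so the newly added `[\$]?` can never match. I would drop the two `s///g` lines and validate the raw input with `\A` … `\z` anchors, since without the strip a plain `$` anchor would accept a trailing newline. The pattern admits up to 33 characters while `length($1) < 32` rejects anything longer than 31, so the two bounds should be made to agree. sanitizer's body starts and ends outside the hunk.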
diff --git a/debian/changelog b/debian/changelog
index cbbcf08..4f69e87 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -88,6 +88,7 @@ x2goserver (4.1.0.0-0x2go1) UNRELEASED; urgency=low
[ Guangzhou Nianguan Electronics Technology Co.Ltd. ]
* New upstream version (4.1.0.0):
- Add SupeReNicer support.
+ - Provide string sanitizers. Esp. a sanitizer for X2Go session IDs.
[ Otto Kjell ]
* New upstream version (4.1.0.0):
--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/x2goserver.git