[Opendnssec-commits] [svn.opendnssec.org/svn/dnssec] r5400 - in branches/OpenDNSSEC-1.3: . enforcer/ksm/include/ksm enforcer/utils

Sion Lloyd sion at nominet.org.uk
Fri Aug 12 15:30:17 CEST 2011


Author: sion
Date: 2011-08-12 15:30:17 +0200 (Fri, 12 Aug 2011)
New Revision: 5400

Modified:
   branches/OpenDNSSEC-1.3/NEWS
   branches/OpenDNSSEC-1.3/enforcer/ksm/include/ksm/ksmutil.h
   branches/OpenDNSSEC-1.3/enforcer/utils/ksmutil.c
Log:
Quote single quotes in mysql username and password, trac ticket #259, ported to the 1.3 branch.


Modified: branches/OpenDNSSEC-1.3/NEWS
===================================================================
--- branches/OpenDNSSEC-1.3/NEWS	2011-08-12 09:49:17 UTC (rev 5399)
+++ branches/OpenDNSSEC-1.3/NEWS	2011-08-12 13:30:17 UTC (rev 5400)
@@ -9,7 +9,10 @@
   on NSEC(3) RRs and the denial validity on other RRs.
 * Zonefetcher: Check inbound serial in transferred file, to prevent
   redundant zone transfers.
+* Bugfix #259: ods-ksmutil: Prevent MySQL username or password being interpreted
+  by the shell when running "ods-ksmutil setup"
 
+
 OpenDNSSEC 1.3.0 - 2011-07-12
 
 * Include simple-dnskey-mailer-plugin in dist.

Modified: branches/OpenDNSSEC-1.3/enforcer/ksm/include/ksm/ksmutil.h
===================================================================
--- branches/OpenDNSSEC-1.3/enforcer/ksm/include/ksm/ksmutil.h	2011-08-12 09:49:17 UTC (rev 5399)
+++ branches/OpenDNSSEC-1.3/enforcer/ksm/include/ksm/ksmutil.h	2011-08-12 13:30:17 UTC (rev 5400)
@@ -98,6 +98,7 @@
 int keyRoll(int zone_id, int policy_id, int key_type);
 int get_policy_name_from_id(KSM_ZONE *zone);
 int append_zone(xmlDocPtr doc, KSM_ZONE *zone);
+int ShellQuoteString(const char* string, char* buffer, size_t buflen);
 
 #ifdef __cplusplus
 }
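Review bot: The new `ShellQuoteString` prototype has no comment stating its contract, which matters for a function whose only job is to make a string safe inside a shell command. I would add above it: `/* Escape each ' in string as '\'' for use inside a single-quoted shell word; buflen is the size of buffer including the terminator; returns 0 on success, 1 if the result does not fit. */`. It is also worth confirming that this header has a definition of `size_t` in scope, since its includes are not visible in the hunk.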

Modified: branches/OpenDNSSEC-1.3/enforcer/utils/ksmutil.c
===================================================================
--- branches/OpenDNSSEC-1.3/enforcer/utils/ksmutil.c	2011-08-12 09:49:17 UTC (rev 5399)
+++ branches/OpenDNSSEC-1.3/enforcer/utils/ksmutil.c	2011-08-12 13:30:17 UTC (rev 5400)
@@ -478,6 +478,9 @@
     char *user = NULL;
     char *password = NULL;
 
+	char quoted_user[KSM_NAME_LENGTH];
+ 	char quoted_password[KSM_NAME_LENGTH];
+
     char* setup_command = NULL;
     char* lock_filename = NULL;
 
@@ -562,9 +565,37 @@
     else {
         /* MySQL setup */
         /* will look like: <SQL_BIN> -u <USER> -h <HOST> -P <PORT> -p<PASSWORD> <DBSCHEMA> < <SQL_SETUP> */
+
+		/* Get a quoted version of the username */
+		status = ShellQuoteString(user, quoted_user, KSM_NAME_LENGTH);
+		if (status != 0) {
+			printf("Failed to connect to database, username too long.\n");
+			db_disconnect(lock_fd);
+			StrFree(host);
+			StrFree(port);
+			StrFree(dbschema);
+			StrFree(user);
+			StrFree(password);
+			return(1);
+		}
+
+		/* Get a quoted version of the password */
+		status = ShellQuoteString(password, quoted_password, KSM_NAME_LENGTH);
+		if (status != 0) {
+			printf("Failed to connect to database, password too long.\n");
+			db_disconnect(lock_fd);
+			StrFree(host);
+			StrFree(port);
+			StrFree(dbschema);
+			StrFree(user);
+			StrFree(password);
+			return(1);
+		}
+
         StrAppend(&setup_command, SQL_BIN);
-        StrAppend(&setup_command, " -u ");
-        StrAppend(&setup_command, user);
+        StrAppend(&setup_command, " -u '");
+        StrAppend(&setup_command, quoted_user);
+		StrAppend(&setup_command, "'");
         if (host != NULL) {
             StrAppend(&setup_command, " -h ");
             StrAppend(&setup_command, host);
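Review bot: `host` is still appended to `setup_command` unquoted at the `" -h "` append at the end of this hunk, and `dbschema` is appended the same way in the next hunk, so only two of the values that make up the shell command are protected. Where those values come from is not visible here, but if they are read from the same configuration as the username they should also go through `ShellQuoteString` and be wrapped in single quotes, e.g. `StrAppend(&setup_command, " -h '"); StrAppend(&setup_command, quoted_host); StrAppend(&setup_command, "'");` with a `quoted_host` buffer declared next to `quoted_user`. The two identical cleanup blocks could share one exit path. The enclosing function starts and ends outside the hunk.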
@@ -574,8 +605,9 @@
             }
         }
         if (password != NULL) {
-            StrAppend(&setup_command, " -p");
-            StrAppend(&setup_command, password);
+            StrAppend(&setup_command, " -p'");
+            StrAppend(&setup_command, quoted_password);
+			StrAppend(&setup_command, "'");
         }
         StrAppend(&setup_command, " ");
         StrAppend(&setup_command, dbschema);
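Review bot: The quoted password is still passed on the mysql command line as `-p'...'`, so it remains visible to other local users in the process list while the client runs; quoting does not change that. How `setup_command` is executed is outside this hunk, but if it is handed to a shell, consider supplying the credentials in a file readable only by the invoking user and passing it with `--defaults-extra-file` instead of argv. At minimum a comment such as `/* NOTE: password is visible in the process list while mysql runs */` above the `-p` append would record the limitation.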
@@ -8245,3 +8277,25 @@
 
     return(0);
 }
+
+int ShellQuoteString(const char* string, char* buffer, size_t buflen)
+{
+	size_t i;           /* Loop counter */
+	size_t j = 0;       /* Counter for new string */
+
+	size_t len = strlen(string);
+
+	if (string) {
+		for (i = 0; i < len; ++i) {
+			if (string[i] == '\'') {
+				buffer[j++] = '\'';
+				buffer[j++] = '\\';
+				buffer[j++] = '\'';
+			}
+			buffer[j++] = string[i];
+		}
+	}
+	buffer[j] = '\0';
+	return ( (j <= buflen) ? 0 : 1);
+}
+
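Review bot: `ShellQuoteString` writes into `buffer` first and compares `j` with `buflen` only after the loop, so an over-long username or password overruns the `KSM_NAME_LENGTH` stack buffers `quoted_user`/`quoted_password` before the "too long" error is ever returned. The final `j <= buflen` test also accepts `j == buflen`, where the terminator has already been written one byte past the end. In addition, `strlen(string)` runs before the `if (string)` test, so a NULL password, which the caller's `if (password != NULL)` allows for, is dereferenced. The bound has to be checked inside the loop, reserving four bytes per quote plus the terminator, as below; the replacement also leaves `buffer` empty on failure.

```c
int ShellQuoteString(const char* string, char* buffer, size_t buflen)
{
	size_t i;           /* Index into the input */
	size_t j = 0;       /* Index into the output; always < buflen */

	if (buffer == NULL || buflen == 0) {
		return 1;
	}

	if (string != NULL) {
		for (i = 0; string[i] != '\0'; ++i) {
			/* A quote expands to '\'' (4 bytes); keep one byte for the NUL */
			size_t need = (string[i] == '\'') ? 4 : 1;

			if (need >= buflen - j) {
				buffer[0] = '\0';
				return 1;
			}
			if (string[i] == '\'') {
				buffer[j++] = '\'';
				buffer[j++] = '\\';
				buffer[j++] = '\'';
			}
			buffer[j++] = string[i];
		}
	}
	buffer[j] = '\0';
	return 0;
}
```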



