Changeset 160

Timestamp:

11/02/11 18:12:35 (13 years ago)

Author:

Kris Deugau

Message:

/trunk

Use bind parameters in DNSDB::getDomRecs for filter
Make sure A records get an IPv4 address, and AAAA records get

a v6 address in DNSDB::addRec

Normalize and clean up handling for filtering and starts-with

• common ops now done along with the rest of the global ops
• filtering arguments now pushed into a global
• use bind parameters in SQL (this should transfer OK to subs in DNSDB.pm later)

Add a couple new ##fixme's for scope checks
Force appending of domain or DOMAIN on record or default record

respectively, if they don't already have that at the end

Retrieve "old" info for logging record changes
Remove some stale commented fragments and ##fixme's

Location:

trunk

Files:

• DNSDB.pm (modified) (3 diffs)
• dns.cgi (modified) (29 diffs)

trunk/DNSDB.pm

@@ -1212 +1212 @@
 
   my $filter = shift || '';
-  # keep the nasties down, since we can't ?-sub this bit.  :/
-  # note this is chars allowed in DNS hostnames
-  $filter =~ s/[^a-zA-Z0-9_.:-]//g;
 
   $type = 'y' if $type eq 'def';
@@ -1228 +1225 @@
   }
   $sql .= " AND NOT r.type=$reverse_typemap{SOA}";
-  $sql .= " AND host ILIKE '%$filter%'" if $filter;
+  $sql .= " AND host ~* ?" if $filter;
   # use alphaorder column for "correct" ordering of sort-by-type instead of DNS RR type number
   $sql .= " ORDER BY ".($order eq 'type' ? 't.alphaorder' : "r.$order")." $direction";
@@ -1291 +1288 @@
 
   # Validation
+  if ($rectype == $reverse_typemap{A}) {
+    return ("FAIL", "IPv4 addresses must be in the format n.n.n.n")
+        unless $val =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
+  }
+  if ($rectype == $reverse_typemap{AAAA}) {
+    return ("FAIL", "IPv6 addresses must be in the format h:h:h::h")
+        unless $val =~ /^[a-fA-F0-9:]+$/
+  }
   if ($rectype == $reverse_typemap{A} or $rectype == $reverse_typemap{AAAA}) {
     my $tmpip = new NetAddr::IP $val or

trunk/dns.cgi

@@ -37 +37 @@
 
 my @debugbits;  # temp, to be spit out near the end of processing
-my $debugenv = 1;
+my $debugenv = 0;
 
 # Let's do these templates right...
@@ -86 +86 @@
 
 # per-page startwith, filter, searchsubs
+
+##fixme:  complain-munge-and-continue with non-"[a-z0-9-.]" filter and startwith
+$webvar{startwith} =~ s/^(0-9|[a-z]).*/$1/ if $webvar{startwith};
+# not much call for chars not allowed in domain names
+$webvar{filter} =~ s/[^a-zA-Z0-9_.:@-]//g if $webvar{filter};
+
 $session->param($webvar{page}.'startwith', $webvar{startwith}) if defined($webvar{startwith});
 $session->param($webvar{page}.'filter', $webvar{filter}) if defined($webvar{filter});
@@ -98 +104 @@
 my $filter = $session->param($webvar{page}.'filter');
 my $searchsubs = $session->param($webvar{page}.'searchsubs');
+
+# ... and assemble the args
+my @filterargs;
+push @filterargs, "^[$startwith]" if $startwith;
+push @filterargs, $filter if $filter;
 
 # nrgh, can't handle login here because we don't have a database handle to check the user/pass with yet
@@ -121 +132 @@
 use warnings qw(uninitialized);
 
-# default
-#my $perpage = 15;
-my $perpage = 5;
+# pagination
+my $perpage = 15;
 my $offset = ($webvar{offset} ? $webvar{offset} : 0);
 
@@ -133 +143 @@
 # note this is not *absolutely* fatal, since there's a default dbname/user/pass in DNSDB.pm
 # we'll catch a bad DB connect string a little further down.
+##fixme:  pass params to loadConfig, and use them there, to allow one codebase to support multiple sites
 if (!loadConfig()) {
   warn "Using default configuration;  unable to load custom settings: $DNSDB::errstr";
@@ -288 +299 @@
         unless ($permissions{admin} || $permissions{domain_create});
 
+##fixme:  scope check on $webvar{group}
   my ($code,$msg) = addDomain($dbh,$webvar{domain},$webvar{group},($webvar{makeactive} eq 'on' ? 1 : 0));
 
@@ -303 +315 @@
         unless ($permissions{admin} || $permissions{domain_delete});
 
+##fixme: scope check on $webvar{id}
   $page->param(id => $webvar{id});
 
@@ -317 +330 @@
     my ($code,$msg) = delDomain($dbh, $webvar{id});
     if ($code ne 'OK') {
-# need to find failure mode
       logaction($webvar{id}, $session->param("username"), $pargroup, "Failed to delete domain $dom ($msg)");
       changepage(page => "domlist", errmsg => "Error deleting domain $dom: $msg");
@@ -340 +352 @@
     $page->param(errmsg => "You are not permitted to view or change the requested ".
         ($webvar{defrec} eq 'y' ? "group's default records" : "domain's records"));
-    $page->param(perm_err => 1);
+    $page->param(perm_err => 1);        # this causes the template to skip the record listing output.
+##fixme:  we could skip down to the end of the $webvar{page} eq 'reclist' block...
   }
   
@@ -354 +367 @@
 # ACLs
     $page->param(record_create  => ($permissions{admin} || $permissions{record_create}) );
-#  $page->param(record_edit     => ($permissions{admin} || $permissions{record_edit}) );
+# we don't have any general edit links on the page;  they're all embedded in the TMPL_LOOP
+#    $page->param(record_edit   => ($permissions{admin} || $permissions{record_edit}) );
     $page->param(record_delete  => ($permissions{admin} || $permissions{record_delete}) );
 
@@ -415 +429 @@
   }
 
-
   if ($webvar{recact} eq 'new') {
 
@@ -433 +446 @@
         unless ($permissions{admin} || $permissions{record_create});
 
+##fixme: this should probably go in DNSDB::addRec(), need to ponder what to do about PTR and friends
     # prevent out-of-domain records from getting added by appending the domain, or DOMAIN for default records
     my $pname = ($webvar{defrec} eq 'y' ? 'DOMAIN' : domainName($dbh,$webvar{parentid}));
@@ -505 +519 @@
     $webvar{name} =~ s/\.*$/\.$pname/ if $webvar{name} !~ /$pname$/;
 
-##fixme:  get current/previous record info so we can log "updated 'foo A 1.2.3.4' to 'foo A 2.3.4.5'"
+    # get current/previous record info so we can log "updated 'foo A 1.2.3.4' to 'foo A 2.3.4.5'"
+    my $oldrec = getRecLine($dbh, $webvar{defrec}, $webvar{id});
 
     my ($code,$msg) = updateRec($dbh,$webvar{defrec},$webvar{id},
@@ -513 +528 @@
     if ($code eq 'OK') {
       if ($webvar{defrec} eq 'y') {
-        my $restr = "Updated default record '$webvar{name} $typemap{$webvar{type}} $webvar{address}', TTL $webvar{ttl}";
+        my $restr = "Updated default record from '$oldrec->{host} $typemap{$oldrec->{type}} $oldrec->{val}', TTL $oldrec->{ttl}\n".
+                "to '$webvar{name} $typemap{$webvar{type}} $webvar{address}', TTL $webvar{ttl}";
         logaction(0, $session->param("username"), $webvar{parentid}, $restr);
         changepage(page => "reclist", id => $webvar{parentid}, defrec => $webvar{defrec}, resultmsg => $restr);
       } else {
-        my $restr = "Updated record '$webvar{name} $typemap{$webvar{type}} $webvar{address}', TTL $webvar{ttl}";
+        my $restr = "Updated record from '$oldrec->{host} $typemap{$oldrec->{type}} $oldrec->{val}', TTL $oldrec->{ttl}\n".
+                "to '$webvar{name} $typemap{$webvar{type}} $webvar{address}', TTL $webvar{ttl}";
         logaction($webvar{parentid}, $session->param("username"), parentID($webvar{id}, 'rec', 'group'), $restr);
         changepage(page => "reclist", id => $webvar{parentid}, defrec => $webvar{defrec}, resultmsg => $restr);
@@ -1147 +1164 @@
   }
 
-#} elsif ($webvar{page} eq 'edituser') {
-
 } elsif ($webvar{page} eq 'dnsq') {
 
@@ -1496 +1511 @@
   $page->param(ttl      => $soa{ttl});
 
-#  $startwith = $session->param($webvar{page}.'startwith');
-#  $filter = $session->param($webvar{page}.'filter');
-
   my $foo2 = getDomRecs($dbh,$def,$id,$perpage,$webvar{offset},$sortby,$sortorder,$filter);
 
@@ -1650 +1662 @@
 sub listdomains {
 
-#  $startwith = $session->param($webvar{page}.'startwith');
-#  $filter = $session->param($webvar{page}.'filter');
   $searchsubs = $session->param($webvar{page}.'searchsubs');
 
@@ -1659 +1669 @@
   $page->param(domain_delete    => ($permissions{admin} || $permissions{domain_delete}) );
 
-##fixme:  $logingroup or $curgroup?
   my @childgroups;
   getChildren($dbh, $curgroup, \@childgroups, 'all') if $searchsubs;
@@ -1665 +1674 @@
 
   my $sql = "SELECT count(*) FROM domains WHERE group_id IN ($curgroup".($childlist ? ",$childlist" : '').")".
-        ($startwith ? " AND domain ~* '^[$startwith]'" : '').
-        ($filter ? " AND domain ~* '$filter'" : '');
+        ($startwith ? " AND domain ~* ?" : '').
+        ($filter ? " AND domain ~* ?" : '');
   my $sth = $dbh->prepare($sql);
-  $sth->execute;
+  $sth->execute(@filterargs);
   my ($count) = $sth->fetchrow_array;
 
@@ -1687 +1696 @@
   fill_colheads($sortby, $sortorder, \@cols, \%colheads);
 
-#  $page->param(sortorder => $sortorder);
   # hack! hack! pthbttt.  have to rethink the status column storage,
   # or inactive comes "before" active.  *sigh*
@@ -1707 +1715 @@
         " INNER JOIN groups ON domains.group_id=groups.group_id".
         " WHERE domains.group_id IN ($curgroup".($childlist ? ",$childlist" : '').")".
-##fixme:  don't do variable subs in SQL, use placeholders and params in ->execute()
-        ($startwith ? " AND domain ~* '^[$startwith]'" : '').
-        ($filter ? " AND domain ~* '$filter'" : '').
+        ($startwith ? " AND domain ~* ?" : '').
+        ($filter ? " AND domain ~* ?" : '').
         " ORDER BY ".($sortby eq 'group' ? 'groups.group_name' : $sortby).
         " $sortorder ".($offset eq 'all' ? '' : " LIMIT $perpage OFFSET ".$offset*$perpage);
   $sth = $dbh->prepare($sql);
-  $sth->execute;
+  $sth->execute(@filterargs);
   my $rownum = 0;
   while (my @data = $sth->fetchrow_array) {
@@ -1722 +1729 @@
     $row{group} = $data[3];
     $row{bg} = ($rownum++)%2;
-#    $row{mkactive} = ($data[2] eq 'inactive' ? 1 : 0);
     $row{mkactive} = !$data[2];
     $row{sid} = $sid;
@@ -1729 +1735 @@
     $row{domain_edit} = ($permissions{admin} || $permissions{domain_edit});
     $row{domain_delete} = ($permissions{admin} || $permissions{domain_delete});
-##fixme:  need to clean up status indicator/usage/inversion
     push @domlist, \%row;
   }
@@ -1744 +1749 @@
     $page->param(errmsg => "You are not permitted to view the requested group");
     $curgroup = $logingroup;
-#    changepage(page => grpman, errmsg => "You are not permitted to view the requested group");
-#    return;
-  }
-# if ( grep { eq $curgroup }, @childlist ) {
-#   errmsg => "You are not permitted to view this group"
-#    return;
-# }
+  }
 
   my @childgroups;
@@ -1757 +1756 @@
 
   my $sql = "SELECT count(*) FROM groups WHERE parent_group_id IN ($curgroup".($childlist ? ",$childlist" : '').")".
-        ($startwith ? " AND group_name ~* '^[$startwith]'" : '').
-        ($filter ? " AND group_name ~* '$filter'" : '');
+        ($startwith ? " AND group_name ~* ?" : '').
+        ($filter ? " AND group_name ~* ?" : '');
   my $sth = $dbh->prepare($sql);
-
-  $sth->execute;
+  $sth->execute(@filterargs);
   my ($count) = ($sth->fetchrow_array);
+
 # fill page count and first-previous-next-last-all bits
-##fixme - hardcoded group bit
   fill_pgcount($count,"groups",'');
   fill_fpnla($count);
@@ -1794 +1792 @@
 
   my @grouplist;
-  $sth = $dbh->prepare("SELECT g.group_id, g.group_name, g2.group_name, ".
+  $sql = "SELECT g.group_id, g.group_name, g2.group_name, ".
         "count(distinct(u.username)) AS nusers, count(distinct(d.domain)) AS ndomains ".
         "FROM groups g ".
@@ -1801 +1799 @@
         "LEFT OUTER JOIN domains d ON d.group_id=g.group_id ".
         "WHERE g.parent_group_id IN ($curgroup".($childlist ? ",$childlist" : '').") ".
-##fixme:  don't do variable subs in SQL, use placeholders and params in ->execute()
-        ($startwith ? " AND g.group_name ~* '^[$startwith]'" : '').
-        ($filter ? " AND g.group_name ~* '$filter'" : '').
+        ($startwith ? " AND g.group_name ~* ?" : '').
+        ($filter ? " AND g.group_name ~* ?" : '').
         " GROUP BY g.group_id, g.group_name, g2.group_name ".
         " ORDER BY $sortby $sortorder ".
-        ($offset eq 'all' ? '' : " LIMIT $perpage OFFSET ".$offset*$perpage));
-  $sth->execute;
+        ($offset eq 'all' ? '' : " LIMIT $perpage OFFSET ".$offset*$perpage);
+  $sth = $dbh->prepare($sql);
+  $sth->execute(@filterargs);
 
   my $rownum = 0;
@@ -1866 +1864 @@
 
   my $sql = "SELECT count(*) FROM users WHERE group_id IN ($curgroup".($childlist ? ",$childlist" : '').")".
-        ($startwith ? " AND username ~* '^[$startwith]'" : '').
-        ($filter ? " AND username ~* '$filter'" : '');
+        ($startwith ? " AND username ~* ?" : '').
+        ($filter ? " AND username ~* ?" : '');
   my $sth = $dbh->prepare($sql);
-  $sth->execute;
+  $sth->execute(@filterargs);
   my ($count) = ($sth->fetchrow_array);
 
@@ -1907 +1905 @@
         "INNER JOIN groups g ON u.group_id=g.group_id ".
         "WHERE u.group_id IN ($curgroup".($childlist ? ",$childlist" : '').")".
-##fixme:  don't do variable subs in SQL, use placeholders and params in ->execute()
-        ($startwith ? " AND u.username ~* '^[$startwith]'" : '').
-        ($filter ? " AND u.username ~* '$filter'" : '').
+        ($startwith ? " AND u.username ~* ?" : '').
+        ($filter ? " AND u.username ~* ?" : '').
         " ORDER BY $sortby $sortorder ".
         ($offset eq 'all' ? '' : " LIMIT $perpage OFFSET ".$offset*$perpage);
 
   $sth = $dbh->prepare($sql);
-  $sth->execute;
+  $sth->execute(@filterargs);
 
   my $rownum = 0;