Changeset 508 for trunk


Ignore:
Timestamp:
05/09/13 16:10:50 (12 years ago)
Author:
Kris Deugau
Message:

/trunk

Add some extra fencing aroung the sortorder and sortby arguments to
various get*List methods to prevent SQL injection attacks. See #30.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • TabularUnified trunk/DNSDB.pm

    r506 r508  
    25912591
    25922592  # protection against bad or missing arguments
    2593   $args{sortorder} = 'ASC' if !$args{sortorder};
     2593  $args{sortorder} = 'ASC' if !$args{sortorder} || !grep /^$args{sortorder}$/, ('ASC','DESC');
     2594  $args{sortby} = 'group' if !$args{sortby} || $args{sortby} !~ /^[\w_.]+$/;
    25942595  $args{offset} = 0 if !$args{offset} || $args{offset} !~ /^(?:all|\d+)$/;
    25952596
     
    28262827
    28272828  # protection against bad or missing arguments
    2828   $args{sortorder} = 'ASC' if !$args{sortorder};
    2829   $args{sortby} = 'u.username' if !$args{sortby};
     2829  $args{sortorder} = 'ASC' if !$args{sortorder} || !grep /^$args{sortorder}$/, ('ASC','DESC');
     2830  $args{sortby} = 'u.username' if !$args{sortby} || $args{sortby} !~ /^[\w_.]+$/;
    28302831  $args{offset} = 0 if !$args{offset} || $args{offset} !~ /^(?:all|\d+)$/;
    28312832
     
    32933294
    32943295  # protection against bad or missing arguments
    3295   $args{sortorder} = 'ASC' if !$args{sortorder};
    3296   $args{sortby} = 'l.description' if !$args{sortby};
     3296  $args{sortorder} = 'ASC' if !$args{sortorder} || !grep /^$args{sortorder}$/, ('ASC','DESC');
     3297  $args{sortby} = 'l.description' if !$args{sortby} || $args{sortby} !~ /^[\w_.]+$/;
    32973298  $args{offset} = 0 if !$args{offset} || $args{offset} !~ /^(?:all|\d+)$/;
    32983299
     
    34953496
    34963497  # protection against bad or missing arguments
    3497   $args{sortorder} = 'ASC' if !$args{sortorder};
    3498   $args{sortby} = 'host' if !$args{sortby} && $args{revrec} eq 'n';     # default sort by host on domain record list
    3499   $args{sortby} = 'val' if !$args{sortby} && $args{revrec} eq 'y';      # default sort by IP on revzone record list
     3498  $args{sortorder} = 'ASC' if !$args{sortorder} || !grep /^$args{sortorder}$/, ('ASC','DESC');
     3499  my $defsort = 'host' if $args{revrec} eq 'n';     # default sort by host on domain record list
     3500  my $defsort = 'val' if $args{revrec} eq 'y';      # default sort by IP on revzone record list
     3501  $args{sortby} = $defsort if !$args{revrec};
     3502  $args{sortby} = $defsort if $args{sortby} !~ /^[\w_.]+$/;
    35003503  $args{offset} = 0 if !$args{offset} || $args{offset} !~ /^(?:all|\d+)$/; 
    35013504  my $perpage = ($args{nrecs} ? $args{nrecs} : $config{perpage});
     
    40514054
    40524055  # Sorting defaults
    4053   $args{sortby} = 'stamp' if !$args{sortby};
    4054   $args{sortorder} = 'DESC' if !$args{sortorder};
     4056  $args{sortorder} = 'DESC' if !$args{sortorder} || !grep /^$args{sortorder}$/, ('ASC','DESC');
     4057  $args{sortby} = 'stamp' if !$args{sortby} || $args{sortby} !~ /^[\w_.]+$/;
    40554058  $args{offset} = 0 if !$args{offset} || $args{offset} !~ /^(?:all|\d+)$/;
    40564059
Note: See TracChangeset for help on using the changeset viewer.