Changeset 509 for trunk


Ignore:
Timestamp:
05/09/13 18:05:52 (12 years ago)
Author:
Kris Deugau
Message:

/trunk

Add fences around curgroup and childlist arguments in several get*List
methods to prevent SQL injection. Unlike the sortorder and sortby
updates in r508, curgroup has no fallback, and arguably childlist has
no reasonable one, so the methods fail outright instead of continuing.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/DNSDB.pm

    r508 r509  
    22252225  my %args = @_;
    22262226
     2227  # Fail on bad curgroup argument.  There's no sane fallback on this one.
     2228  if (!$args{curgroup} || $args{curgroup} !~ /^\d+$/) {
     2229    $errstr = "Bad or missing curgroup argument";
     2230    return;
     2231  }
     2232  # Fail on bad childlist argument.  This could be sanely ignored if bad, maybe.
     2233  if ($args{childlist} && $args{childlist} !~ /^[\d,]+$/) {
     2234    $errstr = "Bad childlist argument";
     2235    return;
     2236  }
     2237
    22272238  my @filterargs;
    22282239  $args{startwith} = undef if $args{startwith} && $args{startwith} !~ /^(?:[a-z]|0-9)$/;
     
    22632274  $args{sortorder} = 'ASC' if !$args{sortorder} || !grep /^$args{sortorder}$/, ('ASC','DESC');
    22642275  $args{offset} = 0 if !$args{offset} || $args{offset} !~ /^(?:all|\d+)$/;
     2276
     2277  # Fail on bad curgroup argument.  There's no sane fallback on this one.
     2278  if (!$args{curgroup} || $args{curgroup} !~ /^\d+$/) {
     2279    $errstr = "Bad or missing curgroup argument";
     2280    return;
     2281  }
     2282  # Fail on bad childlist argument.  This could be sanely ignored if bad, maybe.
     2283  if ($args{childlist} && $args{childlist} !~ /^[\d,]+$/) {
     2284    $errstr = "Bad childlist argument";
     2285    return;
     2286  }
    22652287
    22662288  my @filterargs;
     
    25582580  my %args = @_;
    25592581
     2582  # Fail on bad curgroup argument.  There's no sane fallback on this one.
     2583  if (!$args{curgroup} || $args{curgroup} !~ /^\d+$/) {
     2584    $errstr = "Bad or missing curgroup argument";
     2585    return;
     2586  }
     2587  # Fail on bad childlist argument.  This could be sanely ignored if bad, maybe.
     2588  if ($args{childlist} && $args{childlist} !~ /^[\d,]+$/) {
     2589    $errstr = "Bad childlist argument";
     2590    return;
     2591  }
     2592
    25602593  my @filterargs;
    2561 
    25622594  $args{startwith} = undef if $args{startwith} && $args{startwith} !~ /^(?:[a-z]|0-9)$/;
    25632595  push @filterargs, "^$args{startwith}" if $args{startwith};
     
    25842616  my %args = @_;
    25852617
     2618  # Fail on bad curgroup argument.  There's no sane fallback on this one.
     2619  if (!$args{curgroup} || $args{curgroup} !~ /^\d+$/) {
     2620    $errstr = "Bad or missing curgroup argument";
     2621    return;
     2622  }
     2623  # Fail on bad childlist argument.  This could be sanely ignored if bad, maybe.
     2624  if ($args{childlist} && $args{childlist} !~ /^[\d,]+$/) {
     2625    $errstr = "Bad childlist argument";
     2626    return;
     2627  }
     2628
    25862629  my @filterargs;
    2587 
    25882630  $args{startwith} = undef if $args{startwith} && $args{startwith} !~ /^(?:[a-z]|0-9)$/;
    25892631  push @filterargs, "^$args{startwith}" if $args{startwith};
     
    27862828  my %args = @_;
    27872829
     2830  # Fail on bad curgroup argument.  There's no sane fallback on this one.
     2831  if (!$args{curgroup} || $args{curgroup} !~ /^\d+$/) {
     2832    $errstr = "Bad or missing curgroup argument";
     2833    return;
     2834  }
     2835  # Fail on bad childlist argument.  This could be sanely ignored if bad, maybe.
     2836  if ($args{childlist} && $args{childlist} !~ /^[\d,]+$/) {
     2837    $errstr = "Bad childlist argument";
     2838    return;
     2839  }
     2840
    27882841  my @filterargs;
    2789 
    27902842  $args{startwith} = undef if $args{startwith} && $args{startwith} !~ /^(?:[a-z]|0-9)$/;
    27912843  push @filterargs, "^$args{startwith}" if $args{startwith};
    27922844  push @filterargs, $args{filter} if $args{filter};
    2793 
    27942845
    27952846  my $sql = "SELECT count(*) FROM users ".
     
    28152866  my %args = @_;
    28162867
     2868  # Fail on bad curgroup argument.  There's no sane fallback on this one.
     2869  if (!$args{curgroup} || $args{curgroup} !~ /^\d+$/) {
     2870    $errstr = "Bad or missing curgroup argument";
     2871    return;
     2872  }
     2873  # Fail on bad childlist argument.  This could be sanely ignored if bad, maybe.
     2874  if ($args{childlist} && $args{childlist} !~ /^[\d,]+$/) {
     2875    $errstr = "Bad childlist argument";
     2876    return;
     2877  }
     2878
    28172879  my @filterargs;
    2818 
    28192880  $args{startwith} = undef if $args{startwith} && $args{startwith} !~ /^(?:[a-z]|0-9)$/;
    28202881  push @filterargs, "^$args{startwith}" if $args{startwith};
     
    32583319  my %args = @_;
    32593320
     3321  # Fail on bad curgroup argument.  There's no sane fallback on this one.
     3322  if (!$args{curgroup} || $args{curgroup} !~ /^\d+$/) {
     3323    $errstr = "Bad or missing curgroup argument";
     3324    return;
     3325  }
     3326  # Fail on bad childlist argument.  This could be sanely ignored if bad, maybe.
     3327  if ($args{childlist} && $args{childlist} !~ /^[\d,]+$/) {
     3328    $errstr = "Bad childlist argument";
     3329    return;
     3330  }
     3331
    32603332  my @filterargs;
    3261 
    32623333  $args{startwith} = undef if $args{startwith} && $args{startwith} !~ /^(?:[a-z]|0-9)$/;
    32633334  push @filterargs, "^$args{startwith}" if $args{startwith};
    32643335  push @filterargs, $args{filter} if $args{filter};
    3265 
    32663336
    32673337  my $sql = "SELECT count(*) FROM locations ".
     
    32823352  my %args = @_;
    32833353
     3354  # Fail on bad curgroup argument.  There's no sane fallback on this one.
     3355  if (!$args{curgroup} || $args{curgroup} !~ /^\d+$/) {
     3356    $errstr = "Bad or missing curgroup argument";
     3357    return;
     3358  }
     3359  # Fail on bad childlist argument.  This could be sanely ignored if bad, maybe.
     3360  if ($args{childlist} && $args{childlist} !~ /^[\d,]+$/) {
     3361    $errstr = "Bad childlist argument";
     3362    return;
     3363  }
     3364
    32843365  my @filterargs;
    3285 
    32863366  $args{startwith} = undef if $args{startwith} && $args{startwith} !~ /^(?:[a-z]|0-9)$/;
    32873367  push @filterargs, "^$args{startwith}" if $args{startwith};
Note: See TracChangeset for help on using the changeset viewer.