Quote database names, usernames and passwords when setting up the db

refs #7163
2014-10-09 16:02:18 +02:00 · 2014-10-09 16:02:18 +02:00 · ca6eca6b67
parent 78b130a4f3
commit ca6eca6b67
2 changed files with 52 additions and 12 deletions
--- a/library/Icinga/Application/WebInstaller.php
+++ b/library/Icinga/Application/WebInstaller.php
@ -237,8 +237,6 @@ class WebInstaller implements Installer
     * Setup a MySQL database
     *
     * @param   DbTool      $db     The database connection wrapper to use
-     *
-     * @todo    Escape user input or make use of prepared statements!
     */
    private function setupMysqlDatabase(DbTool $db)
    {
@ -254,7 +252,7 @@ class WebInstaller implements Installer
                t('Creating new database "%s"...'),
                $this->pageData['setup_db_resource']['dbname']
            ));
-            $db->exec('CREATE DATABASE ' . $this->pageData['setup_db_resource']['dbname']);
+            $db->exec('CREATE DATABASE ' . $db->quoteIdentifier($this->pageData['setup_db_resource']['dbname']));
            $db->reconnect($this->pageData['setup_db_resource']['dbname']);
        }

@ -288,10 +286,11 @@ class WebInstaller implements Installer
                $this->pageData['setup_db_resource']['username']
            ));
            $db->exec(sprintf(
-                "GRANT %s ON %s.* TO %s",
+                "GRANT %s ON %s.* TO %s@%s",
                join(',', $privileges),
-                $this->pageData['setup_db_resource']['dbname'],
-                $this->pageData['setup_db_resource']['username'] . '@' . Platform::getFqdn()
+                $db->quoteIdentifier($this->pageData['setup_db_resource']['dbname']),
+                $db->quoteIdentifier($this->pageData['setup_db_resource']['username']),
+                $db->quoteIdentifier(Platform::getFqdn())
            ));
        }
    }
@ -300,8 +299,6 @@ class WebInstaller implements Installer
     * Setup a PostgreSQL database
     *
     * @param   DbTool      $db     The database connection wrapper to use
-     *
-     * @todo    Escape user input or make use of prepared statements!
     */
    private function setupPgsqlDatabase(DbTool $db)
    {
@ -317,7 +314,7 @@ class WebInstaller implements Installer
                t('Creating new database "%s"...'),
                $this->pageData['setup_db_resource']['dbname']
            ));
-            $db->exec('CREATE DATABASE ' . $this->pageData['setup_db_resource']['dbname']);
+            $db->exec('CREATE DATABASE ' . $db->quoteIdentifier($this->pageData['setup_db_resource']['dbname']));
            $db->reconnect($this->pageData['setup_db_resource']['dbname']);
        }

@ -353,12 +350,12 @@ class WebInstaller implements Installer
            $db->exec(sprintf(
                "GRANT %s ON TABLE account TO %s",
                join(',', $privileges),
-                $this->pageData['setup_db_resource']['username']
+                $db->quoteIdentifier($this->pageData['setup_db_resource']['username'])
            ));
            $db->exec(sprintf(
                "GRANT %s ON TABLE preference TO %s",
                join(',', $privileges),
-                $this->pageData['setup_db_resource']['username']
+                $db->quoteIdentifier($this->pageData['setup_db_resource']['username'])
            ));
        }
    }
--- a/library/Icinga/Web/Setup/DbTool.php
+++ b/library/Icinga/Web/Setup/DbTool.php
@ -242,6 +242,45 @@ class DbTool
        }
    }

+    /**
+     * Return the given identifier escaped with backticks
+     *
+     * @param   string  $identifier     The identifier to escape
+     *
+     * @return  string
+     *
+     * @throws  LogicException          In case there is no behaviour implemented for the current PDO driver
+     */
+    public function quoteIdentifier($identifier)
+    {
+        if ($this->config['db'] === 'mysql') {
+            return '`' . str_replace('`', '``', $identifier) . '`';
+        } elseif ($this->config['db'] === 'pgsql') {
+            return '"' . str_replace('"', '""', $identifier) . '"';
+        } else {
+            throw new LogicException('Unable to quote identifier.');
+        }
+    }
+
+    /**
+     * Return the given value escaped as string
+     *
+     * @param   mixed  $value       The value to escape
+     *
+     * @return  string
+     *
+     * @throws  LogicException      In case there is no behaviour implemented for the current PDO driver
+     */
+    public function quote($value)
+    {
+        $value = $this->pdoConn->quote($value);
+        if ($value === false) {
+            throw new LogicException('Unable to quote value');
+        }
+
+        return $value;
+    }
+
    /**
     * Execute a SQL statement and return the affected row count
     *
@ -366,7 +405,11 @@ class DbTool
                array(':user' => $username, ':host' => Platform::getFqdn(), ':passw' => $password)
            );
        } elseif ($this->config['db'] === 'pgsql') {
-            $this->exec("CREATE USER $username WITH PASSWORD '$password'");
+            $this->exec(sprintf(
+                'CREATE USER %s WITH PASSWORD %s',
+                $this->quoteIdentifier($username),
+                $this->quote($password)
+            ));
        }
    }
 }