From ca6eca6b6777c192d7a362f810c97a260b9a223a Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Thu, 9 Oct 2014 16:02:18 +0200 Subject: [PATCH] Quote database names, usernames and passwords when setting up the db refs #7163 --- library/Icinga/Application/WebInstaller.php | 19 ++++----- library/Icinga/Web/Setup/DbTool.php | 45 ++++++++++++++++++++- 2 files changed, 52 insertions(+), 12 deletions(-) diff --git a/library/Icinga/Application/WebInstaller.php b/library/Icinga/Application/WebInstaller.php index 14de68fd2..fa1506bee 100644 --- a/library/Icinga/Application/WebInstaller.php +++ b/library/Icinga/Application/WebInstaller.php @@ -237,8 +237,6 @@ class WebInstaller implements Installer * Setup a MySQL database * * @param DbTool $db The database connection wrapper to use - * - * @todo Escape user input or make use of prepared statements! */ private function setupMysqlDatabase(DbTool $db) { @@ -254,7 +252,7 @@ class WebInstaller implements Installer t('Creating new database "%s"...'), $this->pageData['setup_db_resource']['dbname'] )); - $db->exec('CREATE DATABASE ' . $this->pageData['setup_db_resource']['dbname']); + $db->exec('CREATE DATABASE ' . $db->quoteIdentifier($this->pageData['setup_db_resource']['dbname'])); $db->reconnect($this->pageData['setup_db_resource']['dbname']); } @@ -288,10 +286,11 @@ class WebInstaller implements Installer $this->pageData['setup_db_resource']['username'] )); $db->exec(sprintf( - "GRANT %s ON %s.* TO %s", + "GRANT %s ON %s.* TO %s@%s", join(',', $privileges), - $this->pageData['setup_db_resource']['dbname'], - $this->pageData['setup_db_resource']['username'] . '@' . Platform::getFqdn() + $db->quoteIdentifier($this->pageData['setup_db_resource']['dbname']), + $db->quoteIdentifier($this->pageData['setup_db_resource']['username']), + $db->quoteIdentifier(Platform::getFqdn()) )); } } 
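Review bot: In the rewritten MySQL GRANT, `_` and `%` inside the database name of `ON %s.*` remain pattern wildcards for MySQL even when the name is backtick-quoted, so a name such as `icinga_web` grants the new account the same privileges on every database matching that pattern rather than only on the one just created. Escaping those two characters before quoting keeps the grant scoped, e.g. pass `$db->quoteIdentifier(addcslashes($this->pageData['setup_db_resource']['dbname'], '_%'))` as the second sprintf argument. The backtick-quoted user and host parts in `TO %s@%s` are accepted by MySQL's account-name syntax, so that part of the change looks right. setupMysqlDatabase starts outside this hunk.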
@@ -300,8 +299,6 @@ class WebInstaller implements Installer * Setup a PostgreSQL database * * @param DbTool $db The database connection wrapper to use - * - * @todo Escape user input or make use of prepared statements! */ private function setupPgsqlDatabase(DbTool $db) { @@ -317,7 +314,7 @@ class WebInstaller implements Installer t('Creating new database "%s"...'), $this->pageData['setup_db_resource']['dbname'] )); - $db->exec('CREATE DATABASE ' . $this->pageData['setup_db_resource']['dbname']); + $db->exec('CREATE DATABASE ' . $db->quoteIdentifier($this->pageData['setup_db_resource']['dbname'])); $db->reconnect($this->pageData['setup_db_resource']['dbname']); } @@ -353,12 +350,12 @@ class WebInstaller implements Installer $db->exec(sprintf( "GRANT %s ON TABLE account TO %s", join(',', $privileges), - $this->pageData['setup_db_resource']['username'] + $db->quoteIdentifier($this->pageData['setup_db_resource']['username']) )); $db->exec(sprintf( "GRANT %s ON TABLE preference TO %s", join(',', $privileges), - $this->pageData['setup_db_resource']['username'] + $db->quoteIdentifier($this->pageData['setup_db_resource']['username']) )); } } diff --git a/library/Icinga/Web/Setup/DbTool.php b/library/Icinga/Web/Setup/DbTool.php index a8be3e0c1..97975f2e4 100644 --- a/library/Icinga/Web/Setup/DbTool.php +++ b/library/Icinga/Web/Setup/DbTool.php 
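Review bot: The quoted `CREATE DATABASE` now takes the name literally (and case-sensitively), but PostgreSQL still silently truncates identifiers longer than 63 bytes, emitting only a NOTICE, so an over-long `dbname` is created under the truncated name while the following `$db->reconnect(...)` presumably still uses the full name and fails with an unrelated-looking connection error. A length check before the exec, e.g. `if (strlen($this->pageData['setup_db_resource']['dbname']) > 63) { throw new LogicException('Database name exceeds 63 bytes'); }`, or the equivalent validator on the setup form (not visible here), would turn that into a clear message. setupPgsqlDatabase continues outside this hunk.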
@@ -242,6 +242,45 @@ class DbTool } } + /** + * Return the given identifier escaped with backticks + * + * @param string $identifier The identifier to escape + * + * @return string + * + * @throws LogicException In case there is no behaviour implemented for the current PDO driver + */ + public function quoteIdentifier($identifier) + { + if ($this->config['db'] === 'mysql') { + return '`' . str_replace('`', '``', $identifier) . '`'; + } elseif ($this->config['db'] === 'pgsql') { + return '"' . str_replace('"', '""', $identifier) . '"'; + } else { + throw new LogicException('Unable to quote identifier.'); + } + } + + /** + * Return the given value escaped as string + * + * @param mixed $value The value to escape + * + * @return string + * + * @throws LogicException In case there is no behaviour implemented for the current PDO driver + */ + public function quote($value) + { + $value = $this->pdoConn->quote($value); + if ($value === false) { + throw new LogicException('Unable to quote value'); + } + + return $value; + } + /** * Execute a SQL statement and return the affected row count * @@ -366,7 +405,11 @@ class DbTool array(':user' => $username, ':host' => Platform::getFqdn(), ':passw' => $password) ); } elseif ($this->config['db'] === 'pgsql') { - $this->exec("CREATE USER $username WITH PASSWORD '$password'"); + $this->exec(sprintf( + 'CREATE USER %s WITH PASSWORD %s', + $this->quoteIdentifier($username), + $this->quote($password) + )); } } }
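Review bot: The docblock on the new quoteIdentifier() says the identifier is "escaped with backticks", but the pgsql branch wraps it in double quotes, so the summary should read `Return the given identifier quoted for the current PDO driver (backticks on MySQL, double quotes on PostgreSQL)`. It is also worth saying in that docblock that quoting makes the identifier literal and, on PostgreSQL, case-sensitive, since unquoted names were previously folded to lower case and callers must now pass the exact same spelling to reconnect and any later lookups. quote() dereferences `$this->pdoConn` directly, so its docblock should state that it is presumably only usable once a connection has been established; the enclosing class continues outside this hunk.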
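Review bot: After this change the PostgreSQL password is embedded in the text of `CREATE USER ... WITH PASSWORD ...`, whereas the MySQL branch visible just above binds it as `:passw`; PostgreSQL utility statements cannot take bind parameters, so PDO::quote is the right tool here, but the literal will then appear wherever the statement is echoed — in the server log under `log_statement = 'all'` or `'ddl'`, and in any exception message if exec() includes the failed SQL (exec() itself is not visible in this hunk). Add a comment on the exec call, `// The password is part of the statement text: never log or re-raise this query verbatim.`, and, if exec() does embed the statement, rethrow from this branch with a message that names only the user, e.g. `throw new LogicException('Failed to create user ' . $username, 0, $e);`. Also note that `quoteIdentifier($username)` makes the role name case-sensitive, which matches the quoted GRANT statements in WebInstaller but differs from what an existing unquoted lookup of the role would return.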