Quote database names, usernames and passwords when setting up the db

refs #7163
Johannes Meyer 2014-10-09 16:02:18 +02:00
parent 78b130a4f3
commit ca6eca6b67
2 changed files with 52 additions and 12 deletions


@ -237,8 +237,6 @@ class WebInstaller implements Installer
* Setup a MySQL database * Setup a MySQL database
* *
* @param DbTool $db The database connection wrapper to use * @param DbTool $db The database connection wrapper to use
*
* @todo Escape user input or make use of prepared statements!
*/ */
private function setupMysqlDatabase(DbTool $db) private function setupMysqlDatabase(DbTool $db)
{ {
@ -254,7 +252,7 @@ class WebInstaller implements Installer
t('Creating new database "%s"...'), t('Creating new database "%s"...'),
$this->pageData['setup_db_resource']['dbname'] $this->pageData['setup_db_resource']['dbname']
)); ));
$db->exec('CREATE DATABASE ' . $this->pageData['setup_db_resource']['dbname']); $db->exec('CREATE DATABASE ' . $db->quoteIdentifier($this->pageData['setup_db_resource']['dbname']));
$db->reconnect($this->pageData['setup_db_resource']['dbname']); $db->reconnect($this->pageData['setup_db_resource']['dbname']);
} }
@ -288,10 +286,11 @@ class WebInstaller implements Installer
$this->pageData['setup_db_resource']['username'] $this->pageData['setup_db_resource']['username']
)); ));
$db->exec(sprintf( $db->exec(sprintf(
"GRANT %s ON %s.* TO %s", "GRANT %s ON %s.* TO %s@%s",
join(',', $privileges), join(',', $privileges),
$this->pageData['setup_db_resource']['dbname'], $db->quoteIdentifier($this->pageData['setup_db_resource']['dbname']),
$this->pageData['setup_db_resource']['username'] . '@' . Platform::getFqdn() $db->quoteIdentifier($this->pageData['setup_db_resource']['username']),
$db->quoteIdentifier(Platform::getFqdn())
)); ));
} }
} }
@ -300,8 +299,6 @@ class WebInstaller implements Installer
* Setup a PostgreSQL database * Setup a PostgreSQL database
* *
* @param DbTool $db The database connection wrapper to use * @param DbTool $db The database connection wrapper to use
*
* @todo Escape user input or make use of prepared statements!
*/ */
private function setupPgsqlDatabase(DbTool $db) private function setupPgsqlDatabase(DbTool $db)
{ {
@ -317,7 +314,7 @@ class WebInstaller implements Installer
t('Creating new database "%s"...'), t('Creating new database "%s"...'),
$this->pageData['setup_db_resource']['dbname'] $this->pageData['setup_db_resource']['dbname']
)); ));
$db->exec('CREATE DATABASE ' . $this->pageData['setup_db_resource']['dbname']); $db->exec('CREATE DATABASE ' . $db->quoteIdentifier($this->pageData['setup_db_resource']['dbname']));
$db->reconnect($this->pageData['setup_db_resource']['dbname']); $db->reconnect($this->pageData['setup_db_resource']['dbname']);
} }
@ -353,12 +350,12 @@ class WebInstaller implements Installer
$db->exec(sprintf( $db->exec(sprintf(
"GRANT %s ON TABLE account TO %s", "GRANT %s ON TABLE account TO %s",
join(',', $privileges), join(',', $privileges),
$this->pageData['setup_db_resource']['username'] $db->quoteIdentifier($this->pageData['setup_db_resource']['username'])
)); ));
$db->exec(sprintf( $db->exec(sprintf(
"GRANT %s ON TABLE preference TO %s", "GRANT %s ON TABLE preference TO %s",
join(',', $privileges), join(',', $privileges),
$this->pageData['setup_db_resource']['username'] $db->quoteIdentifier($this->pageData['setup_db_resource']['username'])
)); ));
} }
} }
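Review bot: The MySQL GRANT built at the `GRANT %s ON %s.* TO %s@%s` line still treats the database name as a pattern: MySQL interprets `_` and `%` in the database part of a database-level GRANT as wildcards, and backtick quoting does not suppress that, so a name like `icinga_web` would grant the new user its privileges on every database matching that pattern. Escape those two characters before quoting in the MySQL branch only, e.g. `$db->quoteIdentifier(str_replace(array('_', '%'), array('\_', '\%'), $this->pageData['setup_db_resource']['dbname']))`, while the CREATE DATABASE statement keeps the unescaped name. On the PostgreSQL side, quoting the role and database names switches off the lower-case folding that unquoted identifiers used to get, so a name containing upper-case letters now refers to a different object than an earlier unquoted run would have created — presumably intended since it matches what the later connection parameters send, but worth a sentence in the setup form. Both setupMysqlDatabase and setupPgsqlDatabase extend beyond the hunks shown here.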


@ -242,6 +242,45 @@ class DbTool
} }
} }
/**
* Return the given identifier escaped with backticks
*
* @param string $identifier The identifier to escape
*
* @return string
*
* @throws LogicException In case there is no behaviour implemented for the current PDO driver
*/
public function quoteIdentifier($identifier)
{
if ($this->config['db'] === 'mysql') {
return '`' . str_replace('`', '``', $identifier) . '`';
} elseif ($this->config['db'] === 'pgsql') {
return '"' . str_replace('"', '""', $identifier) . '"';
} else {
throw new LogicException('Unable to quote identifier.');
}
}
/**
* Return the given value escaped as string
*
* @param mixed $value The value to escape
*
* @return string
*
* @throws LogicException In case there is no behaviour implemented for the current PDO driver
*/
public function quote($value)
{
$value = $this->pdoConn->quote($value);
if ($value === false) {
throw new LogicException('Unable to quote value');
}
return $value;
}
/** /**
* Execute a SQL statement and return the affected row count * Execute a SQL statement and return the affected row count
* *
@ -366,7 +405,11 @@ class DbTool
array(':user' => $username, ':host' => Platform::getFqdn(), ':passw' => $password) array(':user' => $username, ':host' => Platform::getFqdn(), ':passw' => $password)
); );
} elseif ($this->config['db'] === 'pgsql') { } elseif ($this->config['db'] === 'pgsql') {
$this->exec("CREATE USER $username WITH PASSWORD '$password'"); $this->exec(sprintf(
'CREATE USER %s WITH PASSWORD %s',
$this->quoteIdentifier($username),
$this->quote($password)
));
} }
} }
} }
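Review bot: The docblock on quoteIdentifier says the identifier is "escaped with backticks", but the pgsql branch wraps it in double quotes; make it `Return the given identifier quoted for the current driver (backticks for MySQL, double quotes for PostgreSQL)`. Doubling the delimiter is the right escape for both drivers, but neither branch rejects a NUL byte, which both servers refuse inside identifiers, and PostgreSQL silently truncates identifiers longer than 63 bytes, so an overlong database or user name would be created under a different name than the one later used to connect — a length and NUL check before quoting that throws an InvalidArgumentException would fail early instead. quote() is only as safe as the connection charset agreeing with what PDO::quote assumes; the connection setup is outside this hunk, so confirm the DSN sets the charset rather than a later SET NAMES. The password in the pgsql CREATE USER is now correctly quoted, but it still travels in the statement text and will show up in the server log wherever statement logging is enabled.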