2010-10-11 Sancho Lerena <slerena@artica.es>

* include/functions_reporting.php: Fixed problem with SQL custom reports because the SQL html encoding. Added a SQL check for secure user-input SQL code. * include/functions.php: Added check_sql() function to do a basic safety check on SQL code. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@3381 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2010-10-11 10:14:03 +00:00 · 2010-10-11 10:14:03 +00:00 · ce2b24da8f
parent 4712cb4c35
commit ce2b24da8f
3 changed files with 33 additions and 3 deletions
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@ -1,3 +1,12 @@
+2010-10-11 Sancho Lerena <slerena@artica.es>
+
+        * include/functions_reporting.php: Fixed problem with SQL custom reports
+        because the SQL html encoding. Added a SQL check for secure user-input
+        SQL code.
+
+        * include/functions.php: Added check_sql() function to do a basic
+        safety check on SQL code.
+
 2010-10-11 Dario Rodriguez <dario.rodriguez@artica.es>

 	* include/functions_io.php: Added \s character in decode HTML entities
--- a/pandora_console/include/functions.php
+++ b/pandora_console/include/functions.php
@ -1152,4 +1152,22 @@ function string2image($string, $width, $height, $fontsize = 3,
 	$file_url = str_replace('#','%23',$file_url);
 	return $file_url;
 }
+
+/**
+* Function to restrict SQL on custom-user-defined queries 
+*
+* @param string SQL code
+* @return string SQL code validated (it will return empty if SQL is not ok)
+**/
+
+function check_sql ($sql){
+
+        // We remove "*" to avoid things like SELECT * FROM tusuario
+
+        if (preg_match("/\*|DELETE|DROP|ALTER|MODIFY|UNION|password|pass|INSERT|UPDATE/", $sql)){
+                return "";
+        }
+        return $sql;
+}
+
 ?>
--- a/pandora_console/include/functions_reporting.php
+++ b/pandora_console/include/functions_reporting.php
@ -1968,12 +1968,15 @@ function render_report_html_item ($content, $table, $report, $mini = false) {
 			}
 			
 			if ($content['treport_custom_sql_id'] != 0) {
-				$sql = get_db_value_filter('`sql`', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id']));
+				$sql = safe_output (get_db_value_filter('`sql`', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
 			}
 			else {
-				$sql = $content['external_source'];
+				$sql = safe_output ($content['external_source']);
 			}
-			
+
+            // Do a security check on SQL coming from the user
+            $sql = check_sql ($sql);
+
 			$result = get_db_all_rows_sql($sql);
 			if ($result === false) {
 				$result = array();