2010-12-01 Ramon Novoa <rnovoa@artica.es>

* util/pandora_recode_db.pl: Redefine safe_input to avoid loading a buggy one from a 3.1 Tools.pm. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@3648 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2010-12-01 19:45:16 +00:00 · 2010-12-01 19:45:16 +00:00 · e83717071e
parent 7ab7b9ad0a
commit e83717071e
2 changed files with 48 additions and 0 deletions
--- a/pandora_server/ChangeLog
+++ b/pandora_server/ChangeLog
@ -1,3 +1,8 @@
+2010-12-01  Ramon Novoa  <rnovoa@artica.es>
+
+	* util/pandora_recode_db.pl: Redefine safe_input to avoid loading
+	  a buggy one from a 3.1 Tools.pm.
+
 2010-11-29  Dario Rodriguez  <dario.rodriguez@artica.es>

 	* lib/PandoraFMS/ReconServer.pm: Fixed a problem with HTML entities executing 
--- a/pandora_server/util/pandora_recode_db.pl
+++ b/pandora_server/util/pandora_recode_db.pl
@ -150,6 +150,49 @@ sub help_screen{
 	exit;
 }

+##########################################################################
+## Convert the $value encode in html entity to clear char string.
+##########################################################################
+sub safe_input($) {
+        my $value = shift;
+
+        $value = encode_entities ($value, "'<>&");
+
+        #//Replace the character '\' for the equivalent html entitie
+        $value =~ s/\\/&#92;/gi;
+
+    #// First attempt to avoid SQL Injection based on SQL comments
+    #// Specific for MySQL.
+        $value =~ s/\/\*/&#47;&#42;/gi;
+        $value =~ s/\*\//&#42;&#47;/gi;
+
+        #//Replace ( for the html entitie
+        $value =~ s/\(/&#40;/gi;
+
+        #//Replace ( for the html entitie
+        $value =~ s/\)/&#41;/gi;
+
+        #//Replace some characteres for html entities
+        for (my $i=0;$i<33;$i++) {
+                my $pattern = chr($i);
+                my $hex = ascii_to_html($i);
+                $value =~ s/$pattern/$hex/gi;
+        }
+
+        return $value;
+}
+
+##########################################################################
+# SUB ascii_to_html (string)
+# Convert an ascii string to hexadecimal
+##########################################################################
+
+sub ascii_to_html($) {
+        my $ascii = shift;
+
+        return "&#x".substr(unpack("H*", pack("N", $ascii)),6,3).";";
+}
+
 ###############################################################################
 ###############################################################################
 # MAIN