author | Ted Trask <ttrask01@yahoo.com> | 2013-06-18 19:52:44 +0000 |
committer | Ted Trask <ttrask01@yahoo.com> | 2013-06-18 21:38:32 +0000 |
commit | 1e3c0e10a5b4525fd0575b7b349a03b69ec30350 (patch) | |
tree | 7e8145877c25d00fe49369ffcae4decbb54ac818 | |
parent | b250f8a0baa0aa3d86acf915045396810bbfe57c (diff) | |
Fix SQL injection bug using kamctl
(cherry picked from commit 3588bf94c95d6275fa76ae01b04050c7674d49bb)
Conflicts:
kamailio-model.lua
-rw-r--r-- | kamailio-model.lua | 96 |
1 files changed, 63 insertions, 33 deletions
diff --git a/kamailio-model.lua b/kamailio-model.lua index 232d1da..4158963 100644 --- a/kamailio-model.lua +++ b/kamailio-model.lua @@ -191,28 +191,35 @@ function list_files() end local function parse_db_show(table) - local cmd = path .. "kamctl db show "..(table or "") - local f = io.popen(cmd) - -- These settings work for Postgres and DBTEXT database - local delimiter = "\'?%s*[,|]%s*\'?" local results = {} local errtxt - for line in f:lines() do - if #results == 0 and string.match(line, "^ERROR:") then - errtxt = line - results = nil - break - end - if string.match(line, "^[+-]+$") then - results = {} - else - local words = format.string_to_table(line, delimiter) - if words and #words > 0 then - results[#results+1] = words + local res, err = pcall(function() + local connected = databaseconnect() + local cmd = path .. "kamctl db show "..format.escapespecialcharacters(escape(table)) + local f = io.popen(cmd) + -- These settings work for Postgres and DBTEXT database + local delimiter = "\'?%s*[,|]%s*\'?" + for line in f:lines() do + if #results == 0 and string.match(line, "^ERROR:") then + errtxt = line + results = nil + break + end + if string.match(line, "^[+-]+$") then + results = {} + else + local words = format.string_to_table(line, delimiter) + if words and #words > 0 then + results[#results+1] = words + end end end + f:close() + if connected then databasedisconnect() end + end) + if not res and err then + errtxt = err end - f:close() return results, errtxt end 
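Review bot: The table name is only escaped, never validated, and `escape(table)` replaces the old `(table or "")`, so a call with no table name now hands nil to `escape`; since a table name cannot be parameterized, an identifier allowlist before the shell command, `if not string.match(table or "", "^[%w_]*$") then error("invalid table name") end`, is the stronger gate, with the escaping kept as defense in depth. `escape` and `databaseconnect` are defined outside this hunk, so whether `escape` tolerates nil cannot be checked here. Separately, everything between `io.popen` and `f:close()` runs inside the pcall body, so if `format.string_to_table` or the loop raises, the pipe is never closed and `databasedisconnect()` is skipped even though `connected` is true; the same shape is repeated in create_new_user, delete_user and update_user in the later hunks. Hoisting `connected` and `f` out of the closure and running the cleanup after the pcall fixes all four.
```lua
local function parse_db_show(table)
	local results = {}
	local errtxt
	local connected, f
	local res, err = pcall(function()
		-- a table name is an identifier: refuse anything else before it reaches the shell
		if not string.match(table or "", "^[%w_]*$") then error("invalid table name") end
		connected = databaseconnect()
		local cmd = path .. "kamctl db show "..format.escapespecialcharacters(escape(table))
		f = io.popen(cmd)
		-- … unchanged: delimiter and line-parsing loop …
	end)
	-- cleanup runs whether or not the body raised
	if f then f:close() end
	if connected then databasedisconnect() end
	if not res and err then
		errtxt = err
	end
	return results, errtxt
end
```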
@@ -247,13 +254,20 @@ end function create_new_user(user) local success = validate_user(user) if success then - local cmd = path .. "kamctl add "..format.escapespecialcharacters(user.value.username.value).." "..format.escapespecialcharacters(user.value.password.value) - --if user.value.email_address.value ~= "" then - -- cmd = cmd.." "..format.escapespecialcharacters(user.value.email_address.value) - --end - local f = io.popen(cmd) - user.descr = f:read("*a") - f:close() + local res, err = pcall(function() + local connected = databaseconnect() + local cmd = path .. "kamctl add "..format.escapespecialcharacters(escape(user.value.username.value)).." "..format.escapespecialcharacters(escape(user.value.password.value)) + --if user.value.email_address.value ~= "" then + -- cmd = cmd.." "..format.escapespecialcharacters(user.value.email_address.value) + --end + local f = io.popen(cmd) + user.descr = f:read("*a") + f:close() + if connected then databasedisconnect() end + end) + if not res and err then + user.errtxt = err + end else user.errtxt = "Failed to create new user" end @@ -262,11 +276,20 @@ function create_new_user(user) end function delete_user(username) - local cmd = path .. "kamctl rm "..format.escapespecialcharacters(username) - local f = io.popen(cmd) - local result = f:read("*a") - f:close() - return cfe({value=result, label="Delete User Result"}) + local errtxt + local result + local res, err = pcall(function() + local connected = databaseconnect() + local cmd = path .. "kamctl rm "..format.escapespecialcharacters(escape(username)) + local f = io.popen(cmd) + result = f:read("*a") + f:close() + if connected then databasedisconnect() end + end) + if not res and err then + errtxt = err + end + return cfe({value=result, label="Delete User Result", errtxt=errtxt}) end function get_user(username) 
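Review bot: If `escape()` rewrites quote or backslash characters, the password kamctl receives on the `kamctl add` line is no longer the one the user typed, because the value is SQL-escaped before it is shell-quoted; should kamctl hash or store what it is given, a password containing `'` would be saved in a form that does not match the user's real one, so this is worth verifying with such a password before shipping, and the same applies to the `kamctl passwd` line in update_user. `escape` is defined outside the hunk, so its behaviour is inferred only from its use next to `databaseconnect()`. The commit also keeps the password on the kamctl command line, where it is readable in the process list for the life of the command; that exposure predates this change, but the code should at least record it, e.g. `-- NOTE: password is passed on the kamctl command line and is visible in the process table`.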
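Review bot: In delete_user, `result` is assigned only inside the pcall body, so when `databaseconnect()` or `io.popen` raises the returned cfe carries `value=nil` next to `errtxt`; unless `cfe` defaults a nil value, the caller gets a result with no value field, so `value=result or ""` is safer. The kamctl exit status is also never inspected: if `kamctl rm` reports a failure on stdout, that text lands in `value` with `errtxt` left nil, and the caller cannot tell success from failure without parsing it. `cfe` is defined outside the hunk.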
@@ -286,10 +309,17 @@ end function update_user(user) local success = validate_user(user) if success then - local cmd = path .. "kamctl passwd "..format.escapespecialcharacters(user.value.username.value).." "..format.escapespecialcharacters(user.value.password.value) - local f = io.popen(cmd) - user.descr = f:read("*a") - f:close() + local res, err = pcall(function() + local connected = databaseconnect() + local cmd = path .. "kamctl passwd "..format.escapespecialcharacters(escape(user.value.username.value)).." "..format.escapespecialcharacters(escape(user.value.password.value)) + local f = io.popen(cmd) + user.descr = f:read("*a") + f:close() + if connected then databasedisconnect() end + end) + if not res and err then + user.errtxt = err + end else user.errtxt = "Failed to update user" end |
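Review bot: The connect/popen/read/close/disconnect sequence wrapped in pcall is written out a third time here, identically to create_new_user and delete_user, which makes the three easy to drift apart (delete_user already captures the output into a local while the other two write `user.descr`). A small helper that takes the subcommand and the raw argument values, escapes them after `databaseconnect()` so the ordering the commit relies on is kept, and runs the cleanup after the pcall would reduce each caller to one line, e.g. `user.descr, user.errtxt = run_kamctl("passwd", user.value.username.value, user.value.password.value)`. Whether `escape` needs the connection open is not visible in the hunk; the helper below preserves the commit's ordering either way. update_user's body continues outside the hunk.
```lua
-- Run one kamctl subcommand with the database connection open.
-- Raw argument values are escaped after databaseconnect(), then shell-quoted.
-- Returns the command output, or nil plus the error text; cleanup runs even
-- when the body raises.
local function run_kamctl(subcmd, ...)
	local raw = {...}
	local connected, f, output
	local ok, err = pcall(function()
		connected = databaseconnect()
		local parts = { path .. "kamctl " .. subcmd }
		for i = 1, #raw do
			parts[#parts+1] = format.escapespecialcharacters(escape(raw[i]))
		end
		f = io.popen(table.concat(parts, " "))
		output = f:read("*a")
	end)
	if f then f:close() end
	if connected then databasedisconnect() end
	if not ok then return nil, err end
	return output
end

-- … unchanged: validate_user call in update_user …
		user.descr, user.errtxt = run_kamctl("passwd", user.value.username.value, user.value.password.value)
```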