authorTed Trask <ttrask01@yahoo.com>2013-06-18 19:52:44 +0000
committerTed Trask <ttrask01@yahoo.com>2013-06-18 19:52:44 +0000
commit3588bf94c95d6275fa76ae01b04050c7674d49bb (patch)
treef32cc1af0417a4fa4d98be538e775885038131b4
parent7e108028ef8a40295bb7535d29779d5f80e11bec (diff)
downloadacf-kamailio-3588bf94c95d6275fa76ae01b04050c7674d49bb.tar.bz2
acf-kamailio-3588bf94c95d6275fa76ae01b04050c7674d49bb.tar.xz
Fix SQL injection bug in the kamctl invocations
-rw-r--r--kamailio-model.lua62
1 files changed, 46 insertions, 16 deletions
diff --git a/kamailio-model.lua b/kamailio-model.lua
index 1ba7956..9289e3d 100644
--- a/kamailio-model.lua
+++ b/kamailio-model.lua
@@ -186,23 +186,32 @@ function list_files()
end
local function parse_db_show(table)
- local f = modelfunctions.run_executable({"kamctl", "db", "show", table})
-- These settings work for Postgres and DBTEXT database
local delimiter = "\'?%s*[,|]%s*\'?"
local results = {}
local errtxt
- for line in string.gmatch(f, "[^\n]+") do
- if #results == 0 and string.match(line, "^ERROR:") then
- errtxt = line
- results = nil
- break
- end
- if string.match(line, "^[+-]+$") then
- results = {}
- else
- local words = format.string_to_table(line, delimiter)
- if words and #words > 0 then
- results[#results+1] = words
+ local f
+ local res, err = pcall(function()
+ local connected = databaseconnect()
+ f = modelfunctions.run_executable({"kamctl", "db", "show", escape(table)})
+ if connected then databasedisconnect() end
+ end)
+ if not res and err then
+ errtxt = err
+ else
+ for line in string.gmatch(f, "[^\n]+") do
+ if #results == 0 and string.match(line, "^ERROR:") then
+ errtxt = line
+ results = nil
+ break
+ end
+ if string.match(line, "^[+-]+$") then
+ results = {}
+ else
+ local words = format.string_to_table(line, delimiter)
+ if words and #words > 0 then
+ results[#results+1] = words
+ end
end
end
end
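Review bot: `escape(table)` on the new `kamctl db show` line does not cover the identifier position: the table name ends up as an SQL identifier inside kamctl, where quote-escaping (presumably what escape() does; its definition is not in this diff) offers no protection, so a value such as `subscriber; DROP TABLE subscriber` would still reach the backend unchanged. Table names here are always plain identifiers, so allow-list the value before touching the database, as the first line of the pcall body: `if not string.match(tostring(table), "^[%w_]+$") then error("Invalid table name", 0) end`, which also keeps a rejected name from opening a connection. Separately, a pcall failure leaves `results` as `{}` while the `^ERROR:` path sets it to `nil`, so callers see two different signals for the same kind of failure. parse_db_show continues past the hunk, so its return statement is not visible here.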
@@ -240,7 +249,14 @@ end
function create_new_user(self, user)
local success = validate_user(user)
if success then
- user.descr, user.errtxt = modelfunctions.run_executable({"kamctl", "add", user.value.username.value, user.value.password.value})
+ local res, err = pcall(function()
+ local connected = databaseconnect()
+ user.descr, user.errtxt = modelfunctions.run_executable({"kamctl", "add", escape(user.value.username.value), escape(user.value.password.value)})
+ if connected then databasedisconnect() end
+ end)
+ if not res and err then
+ user.errtxt = err
+ end
else
user.errtxt = "Failed to create new user"
end
@@ -259,7 +275,14 @@ function delete_user(self, user)
user.value.username.errtxt = "Invalid username"
user.errtxt = "Failed to delete user"
else
- user.descr, user.errtxt = modelfunctions.run_executable({"kamctl", "rm", user.value.username.value})
+ local res, err = pcall(function()
+ local connected = databaseconnect()
+ user.descr, user.errtxt = modelfunctions.run_executable({"kamctl", "rm", escape(user.value.username.value)})
+ if connected then databasedisconnect() end
+ end)
+ if not res and err then
+ user.errtxt = err
+ end
end
return user
end
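Review bot: The connect / pcall / escape / run / disconnect / errtxt sequence added in delete_user is the same eight lines that this commit also pastes into parse_db_show, create_new_user and update_user, so any later fix (the disconnect being skipped when the call raises, or a change to how escape() is applied) has to be made four times. Pull it into one file-level helper that takes the kamctl subcommand and the raw arguments, escapes them, holds the connection only for the call and returns `(descr, errtxt)`; delete_user then shrinks to `user.descr, user.errtxt = run_kamctl("rm", user.value.username.value)`. The helper below would live above these functions, outside this hunk.

```lua
-- Run "kamctl <cmd> <args...>" with every argument passed through escape(),
-- holding the database connection only for the call. Returns (descr, errtxt);
-- anything raised on the way is returned as errtxt instead of propagating.
local function run_kamctl(cmd, ...)
	local nargs, raw = select("#", ...), {...}
	local ok, descr, errtxt = pcall(function()
		local argv = {"kamctl", cmd}
		for i = 1, nargs do argv[#argv+1] = escape(raw[i]) end
		local connected = databaseconnect()
		local ran, d, e = pcall(modelfunctions.run_executable, argv)
		if connected then databasedisconnect() end
		if not ran then error(d, 0) end
		return d, e
	end)
	if not ok then return nil, tostring(descr) end
	return descr, errtxt
end
-- … unchanged: delete_user's "Invalid username" check …
		user.descr, user.errtxt = run_kamctl("rm", user.value.username.value)
```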
@@ -282,7 +305,14 @@ end
function update_user(self, user)
local success = validate_user(user)
if success then
- user.descr, user.errtxt = modelfunctions.run_executable({"kamctl", "passwd", user.value.username.value, user.value.password.value})
+ local res, err = pcall(function()
+ local connected = databaseconnect()
+ user.descr, user.errtxt = modelfunctions.run_executable({"kamctl", "passwd", escape(user.value.username.value), escape(user.value.password.value)})
+ if connected then databasedisconnect() end
+ end)
+ if not res and err then
+ user.errtxt = err
+ end
else
user.errtxt = "Failed to update user"
end
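Review bot: The new `kamctl passwd` line hands escape(password) to kamctl, and kamctl derives the stored credential from whatever password string it receives; if escape() rewrites characters (doubling or backslashing quotes, say — its definition is not visible here) rather than merely validating, a password containing a quote is stored as its escaped form and the user can no longer log in with what they typed, which is worse than the injection it prevents. Confirm against escape() and kamctl, and record the expectation next to the call: `-- NOTE: kamctl hashes the value it is given; escape() must validate, not rewrite, or the stored credential diverges from the typed password`. The same line also passes the plaintext password as a process argument, visible to every local user through `ps` or `/proc/*/cmdline`; this predates the commit, but if modelfunctions.run_executable can feed stdin or the environment, that is the channel to use for the secret.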