Validate user names against allowed chars
This commit is contained in:
parent
3c39c277bd
commit
c2c0659bc8
14
common.c
14
common.c
|
@ -250,3 +250,17 @@ char *strmov(char *dest, const char *src) {
|
|||
;
|
||||
return dest-1;
|
||||
}
|
||||
|
||||
/* New database and user names may only use these characters in their
|
||||
identifier */
|
||||
const char name_validchars[] =
|
||||
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
|
||||
|
||||
/* Returns true if dbname contains only characters in name_validchars. */
|
||||
int name_isclean(char* name) {
|
||||
int reallen, cleanlen;
|
||||
reallen = strlen(name);
|
||||
cleanlen = strspn(name, name_validchars);
|
||||
return (reallen == cleanlen);
|
||||
}
|
||||
|
||||
|
|
|
@ -36,6 +36,7 @@ read_config_file(void);
|
|||
/* same as strcpy, but returns a pointer to the end of dest instead of start */
|
||||
extern char *strmov(char *, const char *);
|
||||
|
||||
extern int name_isclean(char*);
|
||||
|
||||
#ifdef _mysql_h
|
||||
|
||||
|
|
|
@ -19,19 +19,6 @@
|
|||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
|
||||
/* New database names may only use these characters in their identifier */
|
||||
const char dbname_validchars[] =
|
||||
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
|
||||
|
||||
|
||||
/* Returns true if dbname contains only characters in dbname_validchars. */
|
||||
int dbname_isclean(char* dbname) {
|
||||
int reallen, cleanlen;
|
||||
reallen = strlen(dbname);
|
||||
cleanlen = strspn(dbname, dbname_validchars);
|
||||
return (reallen == cleanlen);
|
||||
}
|
||||
|
||||
char *
|
||||
strchr_whitespace(const char *s)
|
||||
{
|
||||
|
@ -665,7 +652,7 @@ main(int argc, char *argv[])
|
|||
switch (command) {
|
||||
case c_create:
|
||||
// We only check newly created databases. Many old ("unclean") databases are still in use.
|
||||
if(dbname_isclean(db)) {
|
||||
if(name_isclean(db)) {
|
||||
create(&mysql, db);
|
||||
} else {
|
||||
dberror(NULL, "Database name '%s' contains invalid characters.\n"
|
||||
|
@ -673,7 +660,7 @@ main(int argc, char *argv[])
|
|||
}
|
||||
break;
|
||||
case c_drop:
|
||||
if(dbname_isclean(db)) {
|
||||
if(name_isclean(db)) {
|
||||
drop(&mysql, db);
|
||||
} else {
|
||||
dberror(NULL, "Database name '%s' contains invalid characters.\n"
|
||||
|
@ -681,7 +668,7 @@ main(int argc, char *argv[])
|
|||
}
|
||||
break;
|
||||
case c_editperm:
|
||||
if(dbname_isclean(db)) {
|
||||
if(name_isclean(db)) {
|
||||
editperm(&mysql, db);
|
||||
} else {
|
||||
dberror(NULL, "Database name '%s' contains invalid characters.\n"
|
||||
|
@ -689,7 +676,7 @@ main(int argc, char *argv[])
|
|||
}
|
||||
break;
|
||||
case c_show:
|
||||
if(dbname_isclean(db)) {
|
||||
if(name_isclean(db)) {
|
||||
show(&mysql, db);
|
||||
} else {
|
||||
dberror(NULL, "Database name '%s' contains invalid characters.\n"
|
||||
|
|
|
@ -322,16 +322,36 @@ main(int argc, char *argv[])
|
|||
switch (command)
|
||||
{
|
||||
case c_create:
|
||||
if(name_isclean(user)) {
|
||||
create(&mysql, user);
|
||||
} else {
|
||||
dberror(NULL, "User name '%s' contains invalid characters.\n"
|
||||
"Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", user);
|
||||
}
|
||||
break;
|
||||
case c_delete:
|
||||
if(name_isclean(user)) {
|
||||
delete(&mysql, user);
|
||||
} else {
|
||||
dberror(NULL, "User name '%s' contains invalid characters.\n"
|
||||
"Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", user);
|
||||
}
|
||||
break;
|
||||
case c_passwd:
|
||||
if(name_isclean(user)) {
|
||||
passwd(&mysql, user);
|
||||
} else {
|
||||
dberror(NULL, "User name '%s' contains invalid characters.\n"
|
||||
"Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", user);
|
||||
}
|
||||
break;
|
||||
case c_show:
|
||||
if(name_isclean(user)) {
|
||||
show(&mysql, user);
|
||||
} else {
|
||||
dberror(NULL, "User name '%s' contains invalid characters.\n"
|
||||
"Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", user);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
fprintf(stderr, "This point should never be reached.\n");
|
||||
|
|
Loading…
Reference in New Issue