Validate user names against allowed chars

This commit is contained in:
Trygve Andre Tønnesland 2012-12-11 14:24:07 +00:00
parent 3c39c277bd
commit c2c0659bc8
4 changed files with 43 additions and 21 deletions

View File

@ -250,3 +250,17 @@ char *strmov(char *dest, const char *src) {
;
return dest-1;
}
/* New database and user names may only use these characters in their
identifier */
const char name_validchars[] =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
/* Returns true if dbname contains only characters in name_validchars. */
int name_isclean(char* name) {
int reallen, cleanlen;
reallen = strlen(name);
cleanlen = strspn(name, name_validchars);
return (reallen == cleanlen);
}

View File

@ -36,6 +36,7 @@ read_config_file(void);
/* same as strcpy, but returns a pointer to the end of dest instead of start */
extern char *strmov(char *, const char *);
extern int name_isclean(char*);
#ifdef _mysql_h

View File

@ -19,19 +19,6 @@
#include <sys/types.h>
#include <unistd.h>
/* New database names may only use these characters in their identifier */
const char dbname_validchars[] =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
/* Returns true if dbname contains only characters in dbname_validchars. */
int dbname_isclean(char* dbname) {
int reallen, cleanlen;
reallen = strlen(dbname);
cleanlen = strspn(dbname, dbname_validchars);
return (reallen == cleanlen);
}
char *
strchr_whitespace(const char *s)
{
@ -665,7 +652,7 @@ main(int argc, char *argv[])
switch (command) {
case c_create:
// We only check newly created databases. Many old ("unclean") databases are still in use.
if(dbname_isclean(db)) {
if(name_isclean(db)) {
create(&mysql, db);
} else {
dberror(NULL, "Database name '%s' contains invalid characters.\n"
@ -673,7 +660,7 @@ main(int argc, char *argv[])
}
break;
case c_drop:
if(dbname_isclean(db)) {
if(name_isclean(db)) {
drop(&mysql, db);
} else {
dberror(NULL, "Database name '%s' contains invalid characters.\n"
@ -681,7 +668,7 @@ main(int argc, char *argv[])
}
break;
case c_editperm:
if(dbname_isclean(db)) {
if(name_isclean(db)) {
editperm(&mysql, db);
} else {
dberror(NULL, "Database name '%s' contains invalid characters.\n"
@ -689,7 +676,7 @@ main(int argc, char *argv[])
}
break;
case c_show:
if(dbname_isclean(db)) {
if(name_isclean(db)) {
show(&mysql, db);
} else {
dberror(NULL, "Database name '%s' contains invalid characters.\n"

View File

@ -322,16 +322,36 @@ main(int argc, char *argv[])
switch (command)
{
case c_create:
if(name_isclean(user)) {
create(&mysql, user);
} else {
dberror(NULL, "User name '%s' contains invalid characters.\n"
"Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", user);
}
break;
case c_delete:
if(name_isclean(user)) {
delete(&mysql, user);
} else {
dberror(NULL, "User name '%s' contains invalid characters.\n"
"Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", user);
}
break;
case c_passwd:
if(name_isclean(user)) {
passwd(&mysql, user);
} else {
dberror(NULL, "User name '%s' contains invalid characters.\n"
"Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", user);
}
break;
case c_show:
if(name_isclean(user)) {
show(&mysql, user);
} else {
dberror(NULL, "User name '%s' contains invalid characters.\n"
"Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", user);
}
break;
default:
fprintf(stderr, "This point should never be reached.\n");