Mercurial > dovecot > core-2.2

changeset 4295:4fc637010202 HEAD

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Escape SQL strings using sql_escape_string(). Fixes the problems with PostgreSQL.
author Timo Sirainen <tss@iki.fi>
date Wed, 31 May 2006 14:03:53 +0300
parents 1a98cb709395
children e4650b4f4e5a
files src/auth/auth-cache.c src/auth/auth-request.c src/auth/auth-request.h src/auth/db-ldap.c src/auth/db-ldap.h src/auth/db-passwd-file.c src/auth/db-sql.c src/auth/passdb-sql.c src/auth/userdb-sql.c
diffstat 9 files changed, 63 insertions(+), 17 deletions(-) [+]
line wrap: on
line diff
--- a/src/auth/auth-cache.c	Wed May 31 14:02:50 2006 +0300
+++ b/src/auth/auth-cache.c	Wed May 31 14:03:53 2006 +0300
@@ -164,7 +164,8 @@
 
 	str = t_str_new(256);
 	var_expand(str, key,
-		   auth_request_get_var_expand_table(request, str_escape));
+		   auth_request_get_var_expand_table(request,
+						     auth_request_str_escape));
 
 	node = hash_lookup(cache->hash, str_c(str));
 	if (node == NULL) {
@@ -197,7 +198,8 @@
 
 	str = t_str_new(256);
 	var_expand(str, key,
-		   auth_request_get_var_expand_table(request, str_escape));
+		   auth_request_get_var_expand_table(request,
+						     auth_request_str_escape));
 
 	data_size = str_len(str) + 1 + value_len + 1;
 	alloc_size = sizeof(struct cache_node) - sizeof(node->data) + data_size;
--- a/src/auth/auth-request.c	Wed May 31 14:02:50 2006 +0300
+++ b/src/auth/auth-request.c	Wed May 31 14:03:53 2006 +0300
@@ -570,7 +570,8 @@
 
 		t_push();
 		dest = t_str_new(256);
-		table = auth_request_get_var_expand_table(request, str_escape);
+		table = auth_request_get_var_expand_table(request,
+						auth_request_str_escape);
 		var_expand(dest, request->auth->username_format, table);
 		user = p_strdup(request->pool, str_c(dest));
 		t_pop();
@@ -843,14 +844,23 @@
 	return ret;
 }
 
-static const char *escape_none(const char *str)
+static const char *
+escape_none(const char *string,
+	    const struct auth_request *request __attr_unused__)
 {
-	return str;
+	return string;
+}
+
+const char *
+auth_request_str_escape(const char *string,
+			const struct auth_request *request __attr_unused__)
+{
+	return str_escape(string);
 }
 
 const struct var_expand_table *
 auth_request_get_var_expand_table(const struct auth_request *auth_request,
-				  const char *(*escape_func)(const char *))
+				  auth_request_escape_func_t *escape_func)
 {
 	static struct var_expand_table static_tab[] = {
 		{ 'u', NULL },
@@ -872,11 +882,12 @@
 	tab = t_malloc(sizeof(static_tab));
 	memcpy(tab, static_tab, sizeof(static_tab));
 
-	tab[0].value = escape_func(auth_request->user);
-	tab[1].value = escape_func(t_strcut(auth_request->user, '@'));
+	tab[0].value = escape_func(auth_request->user, auth_request);
+	tab[1].value = escape_func(t_strcut(auth_request->user, '@'),
+				   auth_request);
 	tab[2].value = strchr(auth_request->user, '@');
 	if (tab[2].value != NULL)
-		tab[2].value = escape_func(tab[2].value+1);
+		tab[2].value = escape_func(tab[2].value+1, auth_request);
 	tab[3].value = auth_request->service;
 	/* tab[4] = we have no home dir */
 	if (auth_request->local_ip.family != 0)
@@ -884,8 +895,10 @@
 	if (auth_request->remote_ip.family != 0)
 		tab[6].value = net_ip2addr(&auth_request->remote_ip);
 	tab[7].value = dec2str(auth_request->client_pid);
-	if (auth_request->mech_password != NULL)
-		tab[8].value = escape_func(auth_request->mech_password);
+	if (auth_request->mech_password != NULL) {
+		tab[8].value = escape_func(auth_request->mech_password,
+					   auth_request);
+	}
 	return tab;
 }
 
--- a/src/auth/auth-request.h	Wed May 31 14:02:50 2006 +0300
+++ b/src/auth/auth-request.h	Wed May 31 14:03:53 2006 +0300
@@ -16,6 +16,10 @@
 	AUTH_REQUEST_STATE_USERDB
 };
 
+typedef const char *
+auth_request_escape_func_t(const char *string,
+			   const struct auth_request *auth_request);
+
 struct auth_request {
 	int refcount;
 
@@ -126,7 +130,9 @@
 
 const struct var_expand_table *
 auth_request_get_var_expand_table(const struct auth_request *auth_request,
-				  const char *(*escape_func)(const char *));
+				  auth_request_escape_func_t *escape_func);
+const char *auth_request_str_escape(const char *string,
+				    const struct auth_request *request);
 
 void auth_request_log_debug(struct auth_request *auth_request,
 			    const char *subsystem,
--- a/src/auth/db-ldap.c	Wed May 31 14:02:50 2006 +0300
+++ b/src/auth/db-ldap.c	Wed May 31 14:03:53 2006 +0300
@@ -351,7 +351,8 @@
 #define IS_LDAP_ESCAPED_CHAR(c) \
 	((c) == '*' || (c) == '(' || (c) == ')' || (c) == '\\')
 
-const char *ldap_escape(const char *str)
+const char *ldap_escape(const char *str,
+			const struct auth_request *auth_request __attr_unused__)
 {
 	const char *p;
 	string_t *ret;
--- a/src/auth/db-ldap.h	Wed May 31 14:02:50 2006 +0300
+++ b/src/auth/db-ldap.h	Wed May 31 14:03:53 2006 +0300
@@ -3,6 +3,7 @@
 
 #include <ldap.h>
 
+struct auth_request;
 struct ldap_connection;
 struct ldap_request;
 
@@ -77,7 +78,8 @@
 
 bool db_ldap_connect(struct ldap_connection *conn);
 
-const char *ldap_escape(const char *str);
+const char *ldap_escape(const char *str,
+			const struct auth_request *auth_request);
 const char *ldap_get_error(struct ldap_connection *conn);
 
 #endif
--- a/src/auth/db-passwd-file.c	Wed May 31 14:02:50 2006 +0300
+++ b/src/auth/db-passwd-file.c	Wed May 31 14:03:53 2006 +0300
@@ -367,7 +367,9 @@
 	i_free(db);
 }
 
-static const char *path_fix(const char *path)
+static const char *
+path_fix(const char *path,
+	 const struct auth_request *auth_request __attr_unused__)
 {
 	const char *p;
 
--- a/src/auth/db-sql.c	Wed May 31 14:02:50 2006 +0300
+++ b/src/auth/db-sql.c	Wed May 31 14:03:53 2006 +0300
@@ -5,6 +5,7 @@
 #if defined(PASSDB_SQL) || defined(USERDB_SQL)
 
 #include "settings.h"
+#include "auth-request.h"
 #include "db-sql.h"
 
 #include <stddef.h>
--- a/src/auth/passdb-sql.c	Wed May 31 14:02:50 2006 +0300
+++ b/src/auth/passdb-sql.c	Wed May 31 14:03:53 2006 +0300
@@ -121,6 +121,15 @@
 	auth_request_unref(&auth_request);
 }
 
+static const char *
+passdb_sql_escape(const char *str, const struct auth_request *auth_request)
+{
+	struct passdb_module *_module = auth_request->passdb->passdb;
+	struct sql_passdb_module *module = (struct sql_passdb_module *)_module;
+
+	return sql_escape_string(module->conn->db, str);
+}
+
 static void sql_lookup_pass(struct passdb_sql_request *sql_request)
 {
 	struct passdb_module *_module =
@@ -131,7 +140,7 @@
 	query = t_str_new(512);
 	var_expand(query, module->conn->set.password_query,
 		   auth_request_get_var_expand_table(sql_request->auth_request,
-						     str_escape));
+						     passdb_sql_escape));
 
 	auth_request_log_debug(sql_request->auth_request, "sql",
 			       "query: %s", str_c(query));
--- a/src/auth/userdb-sql.c	Wed May 31 14:02:50 2006 +0300
+++ b/src/auth/userdb-sql.c	Wed May 31 14:03:53 2006 +0300
@@ -100,6 +100,16 @@
 	i_free(sql_request);
 }
 
+static const char *
+userdb_sql_escape(const char *str, const struct auth_request *auth_request)
+{
+	struct userdb_module *_module = auth_request->userdb->userdb;
+	struct sql_userdb_module *module =
+		(struct sql_userdb_module *)_module;
+
+	return sql_escape_string(module->conn->db, str);
+}
+
 static void userdb_sql_lookup(struct auth_request *auth_request,
 			      userdb_callback_t *callback)
 {
@@ -112,7 +122,7 @@
 	query = t_str_new(512);
 	var_expand(query, module->conn->set.user_query,
 		   auth_request_get_var_expand_table(auth_request,
-						     str_escape));
+						     userdb_sql_escape));
 
 	auth_request_ref(auth_request);
 	sql_request = i_new(struct userdb_sql_request, 1);