OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Thomas Lotterer
  Root:   /v/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-registry                 Date:   13-Jul-2006 09:39:16
  Branch: HEAD                             Handle: 2006071308391500

  Modified files:
    openpkg-registry        registry-ui.pl

  Log:
    quote/escape the username wherever the field is taken verbatim from an
    untrusted external source

  Summary:
    Revision    Changes     Path
    1.74        +4  -4      openpkg-registry/registry-ui.pl
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-registry/registry-ui.pl
  ============================================================================
  $ cvs diff -u -r1.73 -r1.74 registry-ui.pl
  --- openpkg-registry/registry-ui.pl   13 Jul 2006 07:34:43 -0000      1.73
  +++ openpkg-registry/registry-ui.pl   13 Jul 2006 07:39:15 -0000      1.74
  @@ -1084,14 +1084,14 @@
           #   updating heartbeat or creating username
           #
           $dbh->{AutoCommit} = 1;
  -        $sql = sprintf("UPDATE reg_user SET heartbeat = now() WHERE ( 
username = '%s' );", $username);
  +        $sql = sprintf("UPDATE reg_user SET heartbeat = now() WHERE ( 
username = %s );", $dbh->quote($username));
           $rv = $dbh->do($sql);
           if (not defined $rv) {
               &viewprettyerror("updating user $username", prettydbi());
               goto CUS;
           }
           elsif ($rv != 1) {
  -            $sql = sprintf("INSERT INTO reg_user (username) VALUES ('%s');", 
$username);
  +            $sql = sprintf("INSERT INTO reg_user (username) VALUES (%s);", 
$dbh->quote($username));
               $rv = $dbh->do($sql);
               if (not defined $rv) {
                   &viewprettyerror("inserting user $username", prettydbi());
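Review bot: The error branch `&viewprettyerror("updating user $username", prettydbi());` (and the "inserting user" call at the end of this hunk) still interpolates the raw username into a message, while the commit escapes the same field with `CGI::escapeHTML` in the last hunk before it is stored in `$res`; if viewprettyerror renders into HTML (its body is not visible here), this path reflects unescaped input and should get the same treatment, e.g. `&viewprettyerror("updating user " . CGI::escapeHTML($username), prettydbi());`. The `$dbh->quote` change is correct for DBI, but the statement is still assembled with sprintf and executed through `$dbh->do($sql)`; bind parameters, `$rv = $dbh->do("UPDATE reg_user SET heartbeat = now() WHERE ( username = ? );", undef, $username);`, would remove the quoting step altogether and make it harder to reintroduce the `'%s'` form later — the same applies to the UPDATE in the second hunk. The enclosing block starts before and continues after this hunk.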
  @@ -1610,7 +1610,7 @@
   
           #   check for known username by updating heartbeat and look for 
database errors
           #
  -        $sql = sprintf("UPDATE reg_user SET heartbeat = now() WHERE ( 
username = '%s' );", $username);
  +        $sql = sprintf("UPDATE reg_user SET heartbeat = now() WHERE ( 
username = %s );", $dbh->quote($username));
           $rv = $dbh->do($sql);
           if (not defined $rv) {
               $msg = $dbh->errstr;
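Review bot: `$msg = $dbh->errstr;` captures driver error text that can echo the failing statement, and with it the username that this commit is quoting, yet it receives none of the escaping that the "not found" message gets in the following hunk. If `$msg` is stored into `$res->{$k}` or otherwise rendered on the same page (its use is outside this hunk), it needs the same `CGI::escapeHTML` or an escape at the output layer. The surrounding loop body begins and ends outside the hunk.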
  @@ -1620,7 +1620,7 @@
               next;
           }
           elsif ($rv < 1) {
  -            $res->{$k} = sprintf("ERROR username \"%s\" not found", 
$username);
  +            $res->{$k} = sprintf("ERROR username \"%s\" not found", 
CGI::escapeHTML($username));
               $commit = 0;
               next;
           }
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     openpkg-cvs@openpkg.org
