From a6a71eb04b35cfc6a53a939faf597b7f4049682d Mon Sep 17 00:00:00 2001 From: Benjamin Sonntag Date: Mon, 30 Nov 2009 23:48:48 +0000 Subject: [PATCH] Fixed #1174 : we check the length of mysql login everywhere. + english comments and misc code cleanup (hook functions at the end of the class) --- bureau/class/m_mysql.php | 243 +++++++++++++++++++++------------------ 1 file changed, 134 insertions(+), 109 deletions(-) diff --git a/bureau/class/m_mysql.php b/bureau/class/m_mysql.php index bb5f53ba..9eb40b3b 100644 --- a/bureau/class/m_mysql.php +++ b/bureau/class/m_mysql.php @@ -38,6 +38,7 @@ class m_mysql { var $server; var $client; + /*---------------------------------------------------------------------------*/ /** Constructor * m_mysql([$mid]) Constructeur de la classe m_mysql, initialise le membre concerne @@ -47,6 +48,7 @@ class m_mysql { $this->client = $GLOBALS['L_MYSQL_CLIENT']; } + /* ----------------------------------------------------------------- */ /** Hook called by m_quota to obtain the quota managed by this class. * Quota name @@ -56,7 +58,6 @@ class m_mysql { } - /* ----------------------------------------------------------------- */ /** * Password kind used in this class (hook for admin class) @@ -66,7 +67,6 @@ class m_mysql { } - /*---------------------------------------------------------------------------*/ /** Get the list of the database for the current user. * @return array returns an associative array as follow :
@@ -90,6 +90,7 @@ class m_mysql { return $c; } + /*---------------------------------------------------------------------------*/ /** Returns the details of a user's database. * $dbn is the name of the database (after the _) or nothing for the database "$user" @@ -120,6 +121,7 @@ class m_mysql { return array("enabled"=>true,"login"=>$db->f("login"),"db"=>$db->f("db"), "name"=>$dbn,"bck"=>$db->f("bck_mode"), "dir"=>substr($db->f("bck_dir"),strlen($root)), "size"=>$size, "pass"=>$db->f("pass"), "history"=>$db->f("bck_history"), "gzip"=>$db->f("bck_gzip")); } + /*---------------------------------------------------------------------------*/ /** Create a new database for the current user. * @param $dbn string Database name ($user_$dbn is the mysql db name) @@ -170,6 +172,7 @@ class m_mysql { } } + /*---------------------------------------------------------------------------*/ /** Delete a database for the current user. * @param $dbn string Name of the database to delete. The db name is $user_$dbn @@ -202,6 +205,7 @@ class m_mysql { return true; } + /*---------------------------------------------------------------------------*/ /** Set the backup parameters for the database $db * @param $db string database name @@ -245,6 +249,7 @@ class m_mysql { return true; } + /*---------------------------------------------------------------------------*/ /** Change the password of the user in MySQL * @param $password string new password (cleartext) @@ -279,6 +284,7 @@ class m_mysql { return true; } + /* ----------------------------------------------------------------- */ /** Create a new mysql account for this user * @param string cleartext password for the new account @@ -299,6 +305,12 @@ class m_mysql { $login=$mem->user["login"]; $dbname=$mem->user["login"]; + // Username cannot be longer than 16 characters + if (strlen($login)>16) { + $err->raise("mysql",15); + return false; + } + // Check this password against the password policy using common API : if (is_callable(array($admin,"checkPolicy"))) { if (!$admin->checkPolicy("mysql",$login,$password)) { @@ -316,7 +328,11 @@ class m_mysql { /* ----------------------------------------------------------------- */ - /** Restore a sql backup script on a user's database. + /** Restore a sql database. + * @param $file string The filename, relative to the user root dir, which contains a sql dump + * @param $stdout boolean shall-we dump the error to stdout ? + * @param $id integer The ID of the database to dump to. + * @return boolean TRUE if the database has been restored, or FALSE if an error occurred */ function restore($file,$stdout,$id) { global $err,$bro,$mem,$L_MYSQL_HOST; @@ -349,113 +365,31 @@ class m_mysql { return true ; } } + /* ----------------------------------------------------------------- */ - /** Get size of a database + /** Get the size of a database * @param $dbname name of the database * @return integer database size * @access private */ - function get_db_size($dbname) { - global $db,$err; - - $db->query("SHOW TABLE STATUS FROM `$dbname`;"); - $size = 0; - while ($db->next_record()) { - $size += $db->f('Data_length') + $db->f('Index_length') - + $db->f('Data_free'); - } - return $size; - } + function get_db_size($dbname) { + global $db,$err; + + $db->query("SHOW TABLE STATUS FROM `$dbname`;"); + $size = 0; + while ($db->next_record()) { + $size += $db->f('Data_length') + $db->f('Index_length') + + $db->f('Data_free'); + } + return $size; + } - /* ----------------------------------------------------------------- */ - /** Hook function called by the quota class to compute user used quota - * Returns the used quota for the $name service for the current user. - * @param $name string name of the quota - * @return integer the number of service used or false if an error occured - * @access private - */ - function alternc_get_quota($name) { - global $err,$db,$cuid; - if ($name=="mysql") { - $err->log("mysql","alternc_get_quota"); - $c=$this->get_dblist(); - if (is_array($c)) { - return count($c); - } else { - return 0; - } - } elseif ($name=="mysql_users") { - $err->log("mysql","alternc_get_quota"); - $c=$this->get_userslist(); - if(is_array($c)) - return count($c); - else - return 0; - } else return false; - } - - - /* ----------------------------------------------------------------- */ - /** Hook function called when a user is deleted. - * AlternC's standard function that delete a member - */ - function alternc_del_member() { - global $db,$err,$cuid; - $err->log("mysql","alternc_del_member"); - $c=$this->get_dblist(); - if (is_array($c)) { - for($i=0;$idel_db($c[$i]["name"]); - } - } - return true; - } - - /* ----------------------------------------------------------------- */ - /** Hook function called when a user is logged out. - * We just remove the cookie created in admin/sql_admin.php - */ - function alternc_del_session() { - setcookie("REMOTE_USER",""); - setcookie("REMOTE_PASSWORD",""); - } - - /* ----------------------------------------------------------------- */ - /** - * Exporte toutes les informations mysql du compte. - * @access private - * EXPERIMENTAL 'sid' function ;) - */ - function alternc_export($tmpdir) { - global $db,$err,$cuid; - $err->log("mysql","export"); - $db->query("SELECT login, pass, db, bck_mode, bck_dir, bck_history, bck_gzip FROM db WHERE uid='$cuid';"); - if ($db->next_record()) { - $str="\n"; - $str.=" ".xml_entities($db->Record["login"]).""; - $str.=" ".xml_entities($db->Record["pass"]).""; - do { - // Do the dump : - $filename=$tmpdir."/mysql.".$db->Record["db"].".sql.gz"; - exec("/usr/bin/mysqldump --add-drop-table --allow-keywords -Q -f -q -a -e -u".escapeshellarg($db->Record["login"])." -p".escapeshellarg($db->Record["pass"])." ".escapeshellarg($db->Record["db"])." |/bin/gzip >".escapeshellarg($filename)); - $str.=" \n"; - $str.=" ".xml_entities($db->Record["db"])."\n"; - if ($s["bck_mode"]!=0) { - $str.=" \n"; - $str.=" ".xml_entities($db->Record["bck_mode"])."\n"; - $str.=" ".xml_entities($db->Record["bck_dir"])."\n"; - $str.=" ".xml_entities($db->Record["bck_history"])."\n"; - $str.=" ".xml_entities($db->Record["bck_gzip"])."\n"; - $str.=" \n"; - } - $str.=" \n"; - } while ($db->next_record()); - $str.="\n"; - } - return $str; - } - + + /* ------------------------------------------------------------ */ + /** + * Returns the list of database users of an account + **/ function get_userslist() { global $db,$err,$bro,$cuid; $err->log("mysql","get_userslist"); @@ -485,7 +419,7 @@ class m_mysql { global $db,$err,$quota,$mem,$cuid,$admin; $err->log("mysql","add_user",$usern); - $user=addslashes($mem->user["login"]."_$usern"); + $user=addslashes($mem->user["login"]."_".$usern); $pass=addslashes($password); if (!$quota->cancreate("mysql_users")) { @@ -497,7 +431,8 @@ class m_mysql { return false; } - if (strlen($usern) > 16 || strlen($usern) == 0 ) { + // We check the length of the COMPLETE username, not only the part after _ + if (strlen($user) > 16 || strlen($usern) == 0 ) { $err->raise("mysql",15); return false; } @@ -526,11 +461,10 @@ class m_mysql { } - /* ------------------------------------------------------------ */ /** - * Delete a new user in MySQL rights tables - * @param $user the username (we will add _[alternc-account] to it) to delete + * Delete a user in MySQL rights tables + * @param $user the username (we will add "[alternc-account]_" to it) to delete * @return TRUE if the user has been deleted in MySQL or FALSE if an error occurred **/ function del_user($user) { @@ -583,7 +517,6 @@ class m_mysql { } - /* ------------------------------------------------------------ */ /** * Set the access rights of user $user to database $dbn to be rights $rights @@ -650,6 +583,98 @@ class m_mysql { } + /* ----------------------------------------------------------------- */ + /** Hook function called by the quota class to compute user used quota + * Returns the used quota for the $name service for the current user. + * @param $name string name of the quota + * @return integer the number of service used or false if an error occured + * @access private + */ + function alternc_get_quota($name) { + global $err,$db,$cuid; + if ($name=="mysql") { + $err->log("mysql","alternc_get_quota"); + $c=$this->get_dblist(); + if (is_array($c)) { + return count($c); + } else { + return 0; + } + } elseif ($name=="mysql_users") { + $err->log("mysql","alternc_get_quota"); + $c=$this->get_userslist(); + if(is_array($c)) + return count($c); + else + return 0; + } else return false; + } + + + /* ----------------------------------------------------------------- */ + /** Hook function called when a user is deleted. + * AlternC's standard function that delete a member + * @access private + */ + function alternc_del_member() { + global $db,$err,$cuid; + $err->log("mysql","alternc_del_member"); + $c=$this->get_dblist(); + if (is_array($c)) { + for($i=0;$idel_db($c[$i]["name"]); + } + } + return true; + } + + + /* ----------------------------------------------------------------- */ + /** Hook function called when a user is logged out. + * We just remove the cookie created in admin/sql_admin.php + * @access private + */ + function alternc_del_session() { + setcookie("REMOTE_USER",""); + setcookie("REMOTE_PASSWORD",""); + } + + + /* ----------------------------------------------------------------- */ + /** + * Exporte all the mysql information of an account + * @access private + * EXPERIMENTAL 'sid' function ;) + */ + function alternc_export($tmpdir) { + global $db,$err,$cuid; + $err->log("mysql","export"); + $db->query("SELECT login, pass, db, bck_mode, bck_dir, bck_history, bck_gzip FROM db WHERE uid='$cuid';"); + if ($db->next_record()) { + $str="\n"; + $str.=" ".xml_entities($db->Record["login"]).""; + $str.=" ".xml_entities($db->Record["pass"]).""; + do { + // Do the dump : + $filename=$tmpdir."/mysql.".$db->Record["db"].".sql.gz"; + exec("/usr/bin/mysqldump --add-drop-table --allow-keywords -Q -f -q -a -e -u".escapeshellarg($db->Record["login"])." -p".escapeshellarg($db->Record["pass"])." ".escapeshellarg($db->Record["db"])." |/bin/gzip >".escapeshellarg($filename)); + $str.=" \n"; + $str.=" ".xml_entities($db->Record["db"])."\n"; + if ($s["bck_mode"]!=0) { + $str.=" \n"; + $str.=" ".xml_entities($db->Record["bck_mode"])."\n"; + $str.=" ".xml_entities($db->Record["bck_dir"])."\n"; + $str.=" ".xml_entities($db->Record["bck_history"])."\n"; + $str.=" ".xml_entities($db->Record["bck_gzip"])."\n"; + $str.=" \n"; + } + $str.=" \n"; + } while ($db->next_record()); + $str.="\n"; + } + return $str; + } + } /* Class m_mysql */