cocoon-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From tcu...@apache.org
Subject cvs commit: cocoon-2.1/src/blocks/databases/java/org/apache/cocoon/acting DatabaseAuthenticatorAction.java
Date Thu, 01 May 2003 16:03:39 GMT
tcurdt      2003/05/01 09:03:38

  Modified:    src/blocks/databases/java/org/apache/cocoon/acting
                        DatabaseAuthenticatorAction.java
  Log:
  fixed bug #14286, a serious security fix!
  should be ported back to 2.0 ASAP
  
  Revision  Changes    Path
  1.3       +63 -60    cocoon-2.1/src/blocks/databases/java/org/apache/cocoon/acting/DatabaseAuthenticatorAction.java
  
  Index: DatabaseAuthenticatorAction.java
  ===================================================================
  RCS file: /home/cvs/cocoon-2.1/src/blocks/databases/java/org/apache/cocoon/acting/DatabaseAuthenticatorAction.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- DatabaseAuthenticatorAction.java	24 Mar 2003 14:33:57 -0000	1.2
  +++ DatabaseAuthenticatorAction.java	1 May 2003 16:03:38 -0000	1.3
  @@ -63,7 +63,7 @@
   
   import java.sql.Connection;
   import java.sql.ResultSet;
  -import java.sql.Statement;
  +import java.sql.PreparedStatement;
   import java.util.Collections;
   import java.util.HashMap;
   import java.util.Map;
  @@ -115,7 +115,7 @@
               Parameters parameters) throws Exception {
           DataSourceComponent datasource = null;
           Connection conn = null;
  -        Statement st = null;
  +        PreparedStatement st = null;
           ResultSet rs = null;
   
           // read global parameter settings
  @@ -149,16 +149,14 @@
                   return null;
               }
   
  -            String query = this.getAuthQuery (conf, req);
  -            if (query == null) {
  +            st = this.getAuthQuery (conn, conf, req);
  +            if (st == null) {
                   getLogger ().debug ("DBAUTH: have not got query");
                   req.setAttribute("message", "The authenticator is misconfigured");
                   return null;
               }
   
  -            getLogger ().debug ("DBAUTH: query is: " + query);
  -            st = conn.createStatement ();
  -            rs = st.executeQuery (query);
  +            rs = st.executeQuery ();
   
               if (rs.next ()) {
                   getLogger ().debug ("DBAUTH: authorized successfully");
  @@ -211,65 +209,70 @@
           return null;
       }
   
  -    private String getAuthQuery (Configuration conf, Request req) {
  -        boolean first_constraint = true;
  -        StringBuffer queryBuffer = new StringBuffer ("SELECT ");
  -        StringBuffer queryBufferEnd = new StringBuffer ("");
  -        String dbcol, request_param, request_value, nullstr;
  -        boolean nullable = false;
  -        Configuration table = conf.getChild ("table");
  -        Configuration[] select = table.getChildren ("select");
  +    private PreparedStatement getAuthQuery(Connection conn, Configuration conf, Request
req) {
  +        StringBuffer queryBuffer = new StringBuffer("SELECT ");
  +        StringBuffer queryBufferEnd = new StringBuffer("");
  +        Configuration table = conf.getChild("table");
  +        Configuration[] columns = table.getChildren("select");
           try {
  -            for (int i = 0; i < select.length; i ++) {
  -                if (i != 0)
  -                    queryBuffer.append (", ");
  -                dbcol = select[i].getAttribute ("dbcol");
  -                queryBuffer.append (dbcol);
  -                try {
  -                    request_param = select[i].getAttribute ("request-param");
  -                    if (request_param == null ||
  -                            request_param.trim().equals ("")) {
  -                        continue;
  -                    }
  -                } catch (Exception e) {
  -                    continue;
  -                }
  -                try {
  -                    nullstr = select[i].getAttribute ("nullable");
  -                    if (nullstr != null) nullstr = nullstr.trim ();
  -                    if ("yes".equals (nullstr) || "true".equals (nullstr)) {
  -                        nullable = true;
  +            Object[] constraintValues = new Object[columns.length];
  +            int constraints = 0;
  +            for (int i = 0; i < columns.length; i++) {
  +                String dbcol = columns[i].getAttribute("dbcol");
  +                boolean nullable = false;
  +                queryBuffer.append(dbcol);
  +
  +                String requestParameter = columns[i].getAttribute("request-param", null);
  +                if (requestParameter != null && requestParameter.trim() != "")
{
  +
  +                    String nullstr = columns[i].getAttribute("nullable", null);
  +                    if (nullstr != null) {
  +                        nullstr = nullstr.trim();
  +                        nullable = "yes".equals(nullstr) || "true".equals(nullstr);
                       }
  -                } catch (Exception e1) {
  -                }
  -                /* if there is a request parameter name,
  -                 * but not the value, we exit immediately do
  -                 * that authorization fails authomatically */
  -                request_value = req.getParameter (
  -                        request_param);
  -                if (request_value == null || request_value.trim().equals ("")) {
  -                    // value is null
  -                    if (!nullable) {
  -                        getLogger ().debug ("DBAUTH: request-param "
  -                                + request_param + " does not exist");
  +
  +                    String constraintValue = req.getParameter(requestParameter);
  +
  +                    // if there is a request parameter name,
  +                    // but not the value, we exit immediately do
  +                    // that authorization fails authomatically
  +                    if ((constraintValue == null || constraintValue.trim().equals(""))
&& !nullable) {
  +                        getLogger().debug("DBAUTH: request-param " + requestParameter +
" does not exist");
                           return null;
                       }
  -                } else {
  -                    if (!first_constraint)
  -                        queryBufferEnd.append (" AND ");
  -                    queryBufferEnd.append (dbcol).append("='").append(request_value).append("'");
  -                    first_constraint = false;
  +
  +                    if (constraints > 0) {
  +                        queryBufferEnd.append(" AND ");
  +                    }
  +
  +                    queryBufferEnd.append(dbcol).append("= ?");
  +                    constraintValues[constraints] = constraintValue;
  +                    constraints++;
                   }
               }
  -            queryBuffer.append (" FROM ");
  -            queryBuffer.append (table.getAttribute ("name"));
  -            if (!queryBufferEnd.toString ().trim ().equals (""))
  -                queryBuffer.append (" WHERE ").append (queryBufferEnd.toString ());
  -            return queryBuffer.toString ();
  -        } catch (Exception e) {
  -            getLogger ().debug ("DBAUTH: got exception: " + e);
  -            return null;
  +
  +            queryBuffer.append(" FROM ");
  +            queryBuffer.append(table.getAttribute("name"));
  +            if (!queryBufferEnd.toString().trim().equals("")) {
  +                queryBuffer.append(" WHERE ").append(queryBufferEnd.toString());
  +            }
  +
  +            getLogger().debug("DBAUTH: query " + queryBuffer);
  +
  +            PreparedStatement st = conn.prepareStatement(queryBuffer.toString());
  +
  +            for(int i=0;i<constraints;i++) {
  +                getLogger().debug("DBAUTH: parameter " + (i+1) + " = [" + String.valueOf(constraintValues[i])
+ "]");
  +                st.setObject(i+1,constraintValues[i]);
  +            }
  +
  +            return st;
  +        }
  +        catch (Exception e) {
  +            getLogger().debug("DBAUTH: got exception: " + e);
           }
  +
  +        return null;
       }
   
       private HashMap propagateParameters (Configuration conf, ResultSet rs,
  
  
  

Mime
View raw message