server security fix
svn path=/trunk/boinc/; revision=8748
This commit is contained in:
parent
2d5bb1fbed
commit
1f963d4203
@ -13370,3 +13370,9 @@ David 25 Oct 2005
|
|||
acct_setup.C
|
||||
lib/
|
||||
boinc_cmd.C
|
||||
|
||||
David 25 Oct 2005
|
||||
- avoid SQL injection attack
|
||||
|
||||
sched/
|
||||
server_types.C
@ -93,11 +93,16 @@ The command-line interface program has the following interface:
|
|||
<pre>
|
||||
boinc_cmd [--host hostname] [--passwd passwd] command
|
||||
</pre>
|
||||
The commands are as follows:
|
||||
The options and commands are as follows:
|
||||
";
|
||||
list_start();
|
||||
list_item("--help, -h", "help (show commands)");
|
||||
list_item("--version, -V", "show version");
|
||||
list_item("--host", "The host to connect to (default: localhost)");
|
||||
list_item("--password", "The password for RPC authentication
|
||||
(default: boinc_cmd will look for a file 'gui_rpc_auth.cfg'
|
||||
and use the password it contains)"
|
||||
);
|
||||
list_item("--get_state", "show client state");
|
||||
list_item("--get_results", "show results");
|
||||
list_item("--get_file_transfers", "show file transfers");
@ -34,6 +34,20 @@ using namespace std;
|
|||
#include "fcgi_stdio.h"
|
||||
#endif
|
||||
|
||||
// remove (by truncating) any quotes from the given string.
|
||||
// This is for things (e.g. authenticator) that will be used in
|
||||
// a SQL query, to prevent SQL injection attacks
|
||||
//
|
||||
void remove_quotes(char* p) {
|
||||
int i, n=strlen(p);
|
||||
for (i=0; i<n; i++) {
|
||||
if (p[i]=='\'' || p[i]=='"') {
|
||||
p[i] = 0;
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
int CLIENT_APP_VERSION::parse(FILE* f) {
|
||||
char buf[256];
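Review bot: `remove_quotes` truncates at the first `'` or `"` but leaves backslash alone, and if the backend is MySQL with backslash escapes enabled (the default) a value ending in `\` still escapes the closing quote of whatever literal the authenticator is interpolated into, so the break-out this commit targets is only partly closed; at minimum extend the test to `if (p[i]=='\'' || p[i]=='"' || p[i]=='\\') {`. The robust fix is to escape at the query site (`mysql_real_escape_string()` or a parameterized query) rather than at parse time, where the sink is far away and a new caller building a query from the struct can easily forget this step. Truncation also silently rewrites the authenticator instead of rejecting the request; if authenticators are always hex (the name suggests so, but nothing in this hunk shows it), an allowlist check that rejects any non-alphanumeric byte would be both simpler and stronger. The `int i, n=strlen(p)` declaration compares a signed index against a `size_t`-derived length; declaring both as `size_t` avoids the sign-compare warning. `CLIENT_APP_VERSION::parse` starts in this hunk and continues outside it.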
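--- a/sched/server_types.C
+++ b/sched/server_types.C
@@ -124,7 +138,10 @@ int SCHEDULER_REQUEST::parse(FILE* fin) {
 if (!match_tag(buf, "<scheduler_request>")) return ERR_XML_PARSE;
 while (fgets(buf, 256, fin)) {
 if (match_tag(buf, "</scheduler_request>")) return 0;
-else if (parse_str(buf, "<authenticator>", authenticator, sizeof(authenticator))) continue;
+else if (parse_str(buf, "<authenticator>", authenticator, sizeof(authenticator))) {
+remove_quotes(authenticator);
+continue;
+}
 else if (parse_str(buf, "<cross_project_id>", cross_project_id, sizeof(cross_project_id))) continue;
 else if (parse_int(buf, "<hostid>", hostid)) continue;
 else if (parse_int(buf, "<rpc_seqno>", rpc_seqno)) continue;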
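Review bot: Only `<authenticator>` is run through `remove_quotes` here; `cross_project_id` on the very next line is filled by the same `parse_str` from the same untrusted request and is left as-is, so if it is ever interpolated into SQL (this hunk does not show where it is used) the same injection remains — either apply `remove_quotes(cross_project_id);` there too or, better, escape every field at the point it is placed into a query so the protection cannot be bypassed by a field the parser forgot. Because `remove_quotes` truncates rather than rejects, a request carrying a quote silently proceeds with a shortened authenticator instead of being refused; logging or rejecting such a request would make tampering attempts visible in the scheduler log. The hunk sits inside `SCHEDULER_REQUEST::parse`, whose beginning and end are outside it.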