server security fix
svn path=/trunk/boinc/; revision=8748
This commit is contained in:
parent
2d5bb1fbed
commit
1f963d4203
@ -13370,3 +13370,9 @@ David 25 Oct 2005
|
||||||
acct_setup.C
|
acct_setup.C
|
||||||
lib/
|
lib/
|
||||||
boinc_cmd.C
|
boinc_cmd.C
|
||||||
|
|
||||||
|
David 25 Oct 2005
|
||||||
|
- avoid SQL injection attack
|
||||||
|
|
||||||
|
sched/
|
||||||
|
server_types.C
|
||||||
|
|
|
@ -93,11 +93,16 @@ The command-line interface program has the following interface:
|
||||||
<pre>
|
<pre>
|
||||||
boinc_cmd [--host hostname] [--passwd passwd] command
|
boinc_cmd [--host hostname] [--passwd passwd] command
|
||||||
</pre>
|
</pre>
|
||||||
The commands are as follows:
|
The options and commands are as follows:
|
||||||
";
|
";
|
||||||
list_start();
|
list_start();
|
||||||
list_item("--help, -h", "help (show commands)");
|
list_item("--help, -h", "help (show commands)");
|
||||||
list_item("--version, -V", "show version");
|
list_item("--version, -V", "show version");
|
||||||
|
list_item("--host", "The host to connect to (default: localhost)");
|
||||||
|
list_item("--password", "The password for RPC authentication
|
||||||
|
(default: boinc_cmd will look for a file 'gui_rpc_auth.cfg'
|
||||||
|
and use the password it contains)"
|
||||||
|
);
|
||||||
list_item("--get_state", "show client state");
|
list_item("--get_state", "show client state");
|
||||||
list_item("--get_results", "show results");
|
list_item("--get_results", "show results");
|
||||||
list_item("--get_file_transfers", "show file transfers");
|
list_item("--get_file_transfers", "show file transfers");
|
||||||
|
|
|
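Review bot: The new `--password` list entry does not agree with the synopsis a few lines above it, which still spells the option `[--passwd passwd]`; one of the two is wrong, and this hunk does not show which spelling the option parser actually accepts, so check the parser and make the synopsis and the list entry use the same name. Because this flag puts the RPC password on the command line, where on most systems it is visible to other local users through the process list, the entry should also steer readers to the file-based route, for example by appending `(preferred: a password given on the command line may be visible to other users of the machine)` to the description. The PHP string that ends at the `";` line begins outside the hunk.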
@ -34,6 +34,20 @@ using namespace std;
|
||||||
#include "fcgi_stdio.h"
|
#include "fcgi_stdio.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
// remove (by truncating) any quotes from the given string.
|
||||||
|
// This is for things (e.g. authenticator) that will be used in
|
||||||
|
// a SQL query, to prevent SQL injection attacks
|
||||||
|
//
|
||||||
|
void remove_quotes(char* p) {
|
||||||
|
int i, n=strlen(p);
|
||||||
|
for (i=0; i<n; i++) {
|
||||||
|
if (p[i]=='\'' || p[i]=='"') {
|
||||||
|
p[i] = 0;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
int CLIENT_APP_VERSION::parse(FILE* f) {
|
int CLIENT_APP_VERSION::parse(FILE* f) {
|
||||||
char buf[256];
|
char buf[256];
|
||||||
|
|
||||||
|
@ -124,7 +138,10 @@ int SCHEDULER_REQUEST::parse(FILE* fin) {
|
||||||
if (!match_tag(buf, "<scheduler_request>")) return ERR_XML_PARSE;
|
if (!match_tag(buf, "<scheduler_request>")) return ERR_XML_PARSE;
|
||||||
while (fgets(buf, 256, fin)) {
|
while (fgets(buf, 256, fin)) {
|
||||||
if (match_tag(buf, "</scheduler_request>")) return 0;
|
if (match_tag(buf, "</scheduler_request>")) return 0;
|
||||||
else if (parse_str(buf, "<authenticator>", authenticator, sizeof(authenticator))) continue;
|
else if (parse_str(buf, "<authenticator>", authenticator, sizeof(authenticator))) {
|
||||||
|
remove_quotes(authenticator);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
else if (parse_str(buf, "<cross_project_id>", cross_project_id, sizeof(cross_project_id))) continue;
|
else if (parse_str(buf, "<cross_project_id>", cross_project_id, sizeof(cross_project_id))) continue;
|
||||||
else if (parse_int(buf, "<hostid>", hostid)) continue;
|
else if (parse_int(buf, "<hostid>", hostid)) continue;
|
||||||
else if (parse_int(buf, "<rpc_seqno>", rpc_seqno)) continue;
|
else if (parse_int(buf, "<rpc_seqno>", rpc_seqno)) continue;
|
||||||
|
|
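Review bot: remove_quotes (first hunk) stops only at `'` and `"`, so an authenticator ending in a backslash still reaches the query as `...\'`, and if the server's SQL dialect treats `\` as an escape character (MySQL does) the closing quote of the literal is consumed and the remainder of the statement becomes injectable; truncating at the first quote is a filter, not an escape, and the header comment should say so. The robust fix is to escape the value with the DB client library's quoting routine or to reject anything outside the alphabet authenticators are expected to use; as a minimum the scan should also stop on backslashes and control characters, as in the rewrite below, and `int n=strlen(p)` should use `size_t`. In the second hunk `cross_project_id` is parsed the same way and left untouched; I cannot see from here whether it is ever interpolated into SQL, but if it is, it needs the same treatment. SCHEDULER_REQUEST::parse begins and ends outside the second hunk.
```cpp
// Truncate the string at the first character that is not safe to embed in a
// single-quoted SQL literal: quotes, backslash (an escape character in some
// dialects, e.g. MySQL) and control characters.  This is a filter, not an
// escape; prefer the DB library's quoting routine where one is available.
//
void remove_quotes(char* p) {
    for (size_t i = 0, n = strlen(p); i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c == '\'' || c == '"' || c == '\\' || c < 0x20) {
            p[i] = 0;
            return;
        }
    }
}
```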