fix sql injection hole where value fields were not being escaped in the stored file - (thanks to Filippo Cavallarin)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/branches/postfixadmin-2.3@1320 a1433add-5e2c-0410-b055-b7f2511e0802
parent
d8895ccdc2
commit
9dd00fb0a7
153
backup.php
153
backup.php
@ -33,101 +33,98 @@ if ('pgsql'==$CONF['database_type'])
|
||||
print '<p>Sorry: Backup is currently not supported for your DBMS.</p>';
|
||||
}
|
||||
/*
|
||||
SELECT attnum,attname,typname,atttypmod-4,attnotnull,atthasdef,adsrc
|
||||
AS def FROM pg_attribute,pg_class,pg_type,pg_attrdef
|
||||
WHERE pg_class.oid=attrelid AND pg_type.oid=atttypid
|
||||
AND attnum>0 AND pg_class.oid=adrelid AND adnum=attnum AND atthasdef='t' AND lower(relname)='admin'
|
||||
UNION SELECT attnum,attname,typname,atttypmod-4,attnotnull,atthasdef,''
|
||||
AS def FROM pg_attribute,pg_class,pg_type
|
||||
WHERE pg_class.oid=attrelid
|
||||
AND pg_type.oid=atttypid
|
||||
AND attnum>0
|
||||
AND atthasdef='f'
|
||||
AND lower(relname)='admin'
|
||||
SELECT attnum,attname,typname,atttypmod-4,attnotnull,atthasdef,adsrc
|
||||
AS def FROM pg_attribute,pg_class,pg_type,pg_attrdef
|
||||
WHERE pg_class.oid=attrelid AND pg_type.oid=atttypid
|
||||
AND attnum>0 AND pg_class.oid=adrelid AND adnum=attnum AND atthasdef='t' AND lower(relname)='admin'
|
||||
UNION SELECT attnum,attname,typname,atttypmod-4,attnotnull,atthasdef,''
|
||||
AS def FROM pg_attribute,pg_class,pg_type
|
||||
WHERE pg_class.oid=attrelid
|
||||
AND pg_type.oid=atttypid
|
||||
AND attnum>0
|
||||
AND atthasdef='f'
|
||||
AND lower(relname)='admin'
|
||||
$db = $_GET['db'];
|
||||
$cmd = "pg_dump -c -D -f /tix/miner/miner.sql -F p -N -U postgres $db";
|
||||
$res = `$cmd`;
|
||||
// Alternate: $res = shell_exec($cmd);
|
||||
echo $res;
|
||||
*/
|
||||
*/
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] == "GET")
|
||||
{
|
||||
umask (077);
|
||||
$path = (ini_get('upload_tmp_dir') != '') ? ini_get('upload_tmp_dir') : '/tmp';
|
||||
$filename = "postfixadmin-" . date ("Ymd") . "-" . getmypid() . ".sql";
|
||||
$backup = $path . DIRECTORY_SEPARATOR . $filename;
|
||||
umask (077);
|
||||
$path = (ini_get('upload_tmp_dir') != '') ? ini_get('upload_tmp_dir') : '/tmp';
|
||||
$filename = "postfixadmin-" . date ("Ymd") . "-" . getmypid() . ".sql";
|
||||
$backup = $path . DIRECTORY_SEPARATOR . $filename;
|
||||
|
||||
$header = "#\n# Postfix Admin $version\n# Date: " . date ("D M j G:i:s T Y") . "\n#\n";
|
||||
$header = "#\n# Postfix Admin $version\n# Date: " . date ("D M j G:i:s T Y") . "\n#\n";
|
||||
|
||||
if (!$fh = fopen ($backup, 'w'))
|
||||
{
|
||||
$tMessage = "<div class=\"error_msg\">Cannot open file ($backup)</div>";
|
||||
include ("templates/header.php");
|
||||
include ("templates/menu.php");
|
||||
include ("templates/message.php");
|
||||
include ("templates/footer.php");
|
||||
}
|
||||
else
|
||||
{
|
||||
fwrite ($fh, $header);
|
||||
if (!$fh = fopen ($backup, 'w'))
|
||||
{
|
||||
$tMessage = "<div class=\"error_msg\">Cannot open file ($backup)</div>";
|
||||
include ("templates/header.php");
|
||||
include ("templates/menu.php");
|
||||
include ("templates/message.php");
|
||||
include ("templates/footer.php");
|
||||
}
|
||||
else
|
||||
{
|
||||
fwrite ($fh, $header);
|
||||
|
||||
$tables = array(
|
||||
'admin',
|
||||
'alias',
|
||||
'alias_domain',
|
||||
'config',
|
||||
'domain',
|
||||
'domain_admins',
|
||||
'fetchmail',
|
||||
'log',
|
||||
'mailbox',
|
||||
'quota',
|
||||
'quota2',
|
||||
'vacation',
|
||||
'vacation_notification'
|
||||
);
|
||||
$tables = array(
|
||||
'admin',
|
||||
'alias',
|
||||
'alias_domain',
|
||||
'config',
|
||||
'domain',
|
||||
'domain_admins',
|
||||
'fetchmail',
|
||||
'log',
|
||||
'mailbox',
|
||||
'quota',
|
||||
'quota2',
|
||||
'vacation',
|
||||
'vacation_notification'
|
||||
);
|
||||
|
||||
for ($i = 0 ; $i < sizeof ($tables) ; ++$i)
|
||||
{
|
||||
$result = db_query ("SHOW CREATE TABLE " . table_by_key($tables[$i]));
|
||||
if ($result['rows'] > 0)
|
||||
{
|
||||
while ($row = db_array ($result['result']))
|
||||
for ($i = 0 ; $i < sizeof ($tables) ; ++$i)
|
||||
{
|
||||
$result = db_query ("SHOW CREATE TABLE " . table_by_key($tables[$i]));
|
||||
if ($result['rows'] > 0)
|
||||
{
|
||||
fwrite ($fh, "$row[1];\n\n");
|
||||
while ($row = db_array ($result['result']))
|
||||
{
|
||||
fwrite ($fh, "$row[1];\n\n");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for ($i = 0 ; $i < sizeof ($tables) ; ++$i)
|
||||
{
|
||||
$result = db_query ("SELECT * FROM " . table_by_key($tables[$i]));
|
||||
if ($result['rows'] > 0)
|
||||
{
|
||||
while ($row = db_assoc ($result['result']))
|
||||
for ($i = 0 ; $i < sizeof ($tables) ; ++$i)
|
||||
{
|
||||
$result = db_query ("SELECT * FROM " . table_by_key($tables[$i]));
|
||||
if ($result['rows'] > 0)
|
||||
{
|
||||
foreach ($row as $key=>$val)
|
||||
{
|
||||
$fields[] = $key;
|
||||
$values[] = $val;
|
||||
}
|
||||
|
||||
fwrite ($fh, "INSERT INTO ". $tables[$i] . " (". implode (',',$fields) . ") VALUES ('" . implode ('\',\'',$values) . "');\n");
|
||||
$fields = "";
|
||||
$values = "";
|
||||
while ($row = db_assoc ($result['result']))
|
||||
{
|
||||
$fields = array_keys($row);
|
||||
$values = array_values($row);
|
||||
$values = array_map('escape_string', $values);
|
||||
fwrite ($fh, "INSERT INTO ". $tables[$i] . " (". implode (',',$fields) . ") VALUES ('" . implode ('\',\'',$values) . "');\n");
|
||||
$fields = "";
|
||||
$values = "";
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
header ("Content-Type: text/plain");
|
||||
header ("Content-Disposition: attachment; filename=\"$filename\"");
|
||||
header ("Content-Transfer-Encoding: binary");
|
||||
header ("Content-Length: " . filesize("$backup"));
|
||||
header ("Content-Description: Postfix Admin");
|
||||
$download_backup = fopen ("$backup", "r");
|
||||
unlink ("$backup");
|
||||
fpassthru ($download_backup);
|
||||
}
|
||||
}
|
||||
header ("Content-Type: text/plain");
|
||||
header ("Content-Disposition: attachment; filename=\"$filename\"");
|
||||
header ("Content-Transfer-Encoding: binary");
|
||||
header ("Content-Length: " . filesize("$backup"));
|
||||
header ("Content-Description: Postfix Admin");
|
||||
$download_backup = fopen ("$backup", "r");
|
||||
unlink ("$backup");
|
||||
fpassthru ($download_backup);
|
||||
}
|
||||
/* vim: set expandtab softtabstop=3 tabstop=3 shiftwidth=3: */
|
||||
?>
|
||||
|
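Review bot: The dump is still written to a predictable path, `postfixadmin-<date>-<pid>.sql` under `upload_tmp_dir` or `/tmp`, and opened with `fopen ($backup, 'w')`, which reuses a file or symlink that already exists at that name. `umask (077)` only sets the mode of a file this request creates, so on a host where other local accounts can write to that directory the contents of the `admin` and `mailbox` tables could end up in a file the web user does not own. I would create the file exclusively with `if (!$fh = fopen ($backup, 'x'))`, or take the path from `$backup = tempnam ($path, 'postfixadmin-');` and keep `$filename` only for the Content-Disposition header. The escaping added by `array_map('escape_string', $values)` is unaffected by this; `escape_string()` is defined outside this page, so I have not checked that it uses the connection-aware escaper.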