banananetwork
/
postfixadmin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

PFAHandler:

Browse Source 
- read_from_db(), getList(): 
  - add $searchmode parameter (_before_ $limit and $offset!) to be able to 
    use query different query modes, not only "="
  - add a warning that $condition will be changed to array only in the future
- getList(): filter $condition for fields that are available to the user
  to avoid information leaks by using search parameters
  (filter is only applied if $condition is an array!)

functions.inc.php: 
- db_where_clause():
  - add $additional_raw_where parameter for additional query parameters
  - add $searchmode parameter to be able to use query different
    query modes, not only "=" (see $allowed_operators)
  - check for allowed operators in $searchmode
  - split query into WHERE and HAVING (if a parameter has
    $struct[select] set, HAVING is used)

list-virtual.php:
- adopt getList() call to the new syntax

AliasHandler:
- adopt getList() definition and call to the new syntax

 


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1731 a1433add-5e2c-0410-b055-b7f2511e0802
pull/2/head
Christian Boltz 11 years ago
parent b76511628d
commit 13f1a28b6e
4 changed files with 72 additions and 18 deletions
Show Stats Download Patch File Download Diff File

39
functions.inc.php
Unescape Escape View File

@ -1617,21 +1617,54 @@ function db_in_clause($field, $values) {
* Call: db_where_clause (array $conditions, array $struct) * Call: db_where_clause (array $conditions, array $struct)
* param array $conditios: array('field' => 'value', 'field2' => 'value2, ...) * param array $conditios: array('field' => 'value', 'field2' => 'value2, ...)
* param array $struct - field structure, used for automatic bool conversion * param array $struct - field structure, used for automatic bool conversion
* param string $additional_raw_where - raw sniplet to include in the WHERE part - typically needs to start with AND
* param array $searchmode - operators to use (=, <, > etc.) - defaults to = if not specified for a field (see
* $allowed_operators for available operators)
*/ */
function db_where_clause($condition, $struct) { function db_where_clause($condition, $struct, $additional_raw_where = '', $searchmode = array()) {
if (!is_array($condition)) { if (!is_array($condition)) {
die('db_where_cond: parameter $cond is not an array!'); die('db_where_cond: parameter $cond is not an array!');
} elseif(!is_array($searchmode)) {
die('db_where_cond: parameter $searchmode is not an array!');
} elseif (count($condition) == 0) { } elseif (count($condition) == 0) {
die("db_where_cond: parameter is an empty array!"); # die() might sound harsh, but can prevent information leaks die("db_where_cond: parameter is an empty array!"); # die() might sound harsh, but can prevent information leaks
} elseif(!is_array($struct)) { } elseif(!is_array($struct)) {
die('db_where_cond: parameter $struct is not an array!'); die('db_where_cond: parameter $struct is not an array!');
} }
$allowed_operators = explode(' ', '< > >= <= = != <> CONT LIKE');
$where_parts = array();
$having_parts = array();
foreach($condition as $field => $value) { foreach($condition as $field => $value) {
if (isset($struct[$field]) && $struct[$field]['type'] == 'bool') $value = db_get_boolean($value); if (isset($struct[$field]) && $struct[$field]['type'] == 'bool') $value = db_get_boolean($value);
$parts[] = "$field='" . escape_string($value) . "'"; $operator = '=';
if (isset($searchmode[$field])) {
if (in_array($searchmode[$field], $allowed_operators)) {
$operator = $searchmode[$field];
if ($operator == 'CONT') { # CONT - as in "contains"
$operator = ' LIKE '; # add spaces
$value = '%' . $value . '%';
} elseif ($operator == 'LIKE') { # LIKE -without adding % wildcards (the search value can contain %)
$operator = ' LIKE '; # add spaces
}
} else {
die('db_where_clause: Invalid searchmode for ' . $field);
}
} }
$query = " WHERE ( " . join(" AND ", $parts) . " ) "; $querypart = $field . $operator . "'" . escape_string($value) . "'";
if($struct[$field]['select'] != '') {
$having_parts[$field] = $querypart;
} else {
$where_parts[$field] = $querypart;
}
}
$query = ' WHERE 1=1 ';
$query .= " $additional_raw_where ";
if (count($where_parts) > 0) $query .= " AND ( " . join(" AND ", $where_parts) . " ) ";
if (count($having_parts) > 0) $query .= " HAVING ( " . join(" AND ", $having_parts) . " ) ";
return $query; return $query;
} }

2
list-virtual.php
Unescape Escape View File

@ -126,7 +126,7 @@ $alias_pagebrowser_query = "
"; ";
$handler = new AliasHandler(0, $admin_username); $handler = new AliasHandler(0, $admin_username);
$handler->getList($list_param, $page_size, $fDisplay); $handler->getList($list_param, array(), $page_size, $fDisplay);
$tAlias = $handler->result(); $tAlias = $handler->result();

4
model/AliasHandler.php
Unescape Escape View File

@ -287,10 +287,10 @@ class AliasHandler extends PFAHandler {
return $db_result; return $db_result;
} }
public function getList($condition, $limit=-1, $offset=-1) { public function getList($condition, $searchmode = array(), $limit=-1, $offset=-1) {
# only list aliases that do not belong to mailboxes # only list aliases that do not belong to mailboxes
# TODO: breaks if $condition is an array # TODO: breaks if $condition is an array
return parent::getList( "__mailbox_username IS NULL AND ( $condition )", $limit, $offset); return parent::getList( "__mailbox_username IS NULL AND ( $condition )", $searchmode, $limit, $offset);
} }
protected function _validate_goto($field, $val) { protected function _validate_goto($field, $val) {

45
model/PFAHandler.php
Unescape Escape View File

@ -533,11 +533,13 @@ abstract class PFAHandler {
* *
* @param array or string - condition (an array will be AND'ed using db_where_clause, a string will be directly used) * @param array or string - condition (an array will be AND'ed using db_where_clause, a string will be directly used)
* (if you use a string, make sure it is correctly escaped!) * (if you use a string, make sure it is correctly escaped!)
* - WARNING: will be changed to array only in the future, with an option to include a raw string inside the array
* @param array searchmode - operators to use (=, <, >) if $condition is an array. Defaults to = if not specified for a field.
* @param integer limit - maximum number of rows to return * @param integer limit - maximum number of rows to return
* @param integer offset - number of first row to return * @param integer offset - number of first row to return
* @return array - rows (as associative array, with the ID as key) * @return array - rows (as associative array, with the ID as key)
*/ */
protected function read_from_db($condition, $limit=-1, $offset=-1) { protected function read_from_db($condition, $searchmode = array(), $limit=-1, $offset=-1) {
$select_cols = array(); $select_cols = array();
$yes = escape_string(Config::lang('YES')); $yes = escape_string(Config::lang('YES'));
@ -577,21 +579,23 @@ abstract class PFAHandler {
$cols = join(',', $select_cols); $cols = join(',', $select_cols);
$table = table_by_key($this->db_table); $table = table_by_key($this->db_table);
if (is_array($condition)) { $additional_where = '';
$where = db_where_clause($condition, $this->struct);
} else {
if ($condition == "") $condition = '1=1';
$where = " WHERE ( $condition ) ";
}
if ($this->domain_field != "") { if ($this->domain_field != "") {
$where .= " AND " . db_in_clause($this->domain_field, $this->allowed_domains); $additional_where .= " AND " . db_in_clause($this->domain_field, $this->allowed_domains);
} }
# if logged in as user, restrict to the items the user is allowed to see # if logged in as user, restrict to the items the user is allowed to see
if ( (!$this->is_admin) && $this->user_field != '') { if ( (!$this->is_admin) && $this->user_field != '') {
$where .= " AND " . $this->user_field . " = '" . escape_string($this->username) . "' "; $additional_where .= " AND " . $this->user_field . " = '" . escape_string($this->username) . "' ";
}
if (is_array($condition)) {
$where = db_where_clause($condition, $this->struct, $additional_where, $searchmode);
} else {
if ($condition == "") $condition = '1=1';
$where = " WHERE ( $condition ) $additional_where";
} }
$query = "SELECT $cols FROM $table $extrafrom $where ORDER BY " . $this->order_by; $query = "SELECT $cols FROM $table $extrafrom $where ORDER BY " . $this->order_by;
$limit = (int) $limit; # make sure $limit and $offset are really integers $limit = (int) $limit; # make sure $limit and $offset are really integers
@ -644,13 +648,30 @@ abstract class PFAHandler {
/** /**
* get a list of one or more items with all values * get a list of one or more items with all values
* @param array or string $condition - see read_from_db for details * @param array or string $condition - see read_from_db for details
* WARNING: will be changed to array only in the future, with an option to include a raw string inside the array
* @param array - modes to use if $condition is an array - see read_from_db for details
* @param integer limit - maximum number of rows to return * @param integer limit - maximum number of rows to return
* @param integer offset - number of first row to return * @param integer offset - number of first row to return
* @return bool - always true, no need to check ;-) (if $result is not an array, getList die()s) * @return bool - always true, no need to check ;-) (if $result is not an array, getList die()s)
* The data is stored in $this->result (as array of rows, each row is an associative array of column => value) * The data is stored in $this->result (as array of rows, each row is an associative array of column => value)
*/ */
public function getList($condition, $limit=-1, $offset=-1) { public function getList($condition, $searchmode = array(), $limit=-1, $offset=-1) {
$result = $this->read_from_db($condition, $limit, $offset); if (is_array($condition)) {
$real_condition = array();
foreach ($condition as $key => $value) {
# allow only access to fields the user can access to avoid information leaks via search parameters
if (isset($this->struct[$key]) && ($this->struct[$key]['display_in_list'] || $this->struct[$key]['display_in_form']) ) {
$real_condition[$key] = $value;
} else {
$this->errormsg[] = "Ignoring unknown search field $key";
}
}
} else {
# warning: no sanity checks are applied if $condition is not an array!
$real_condition = $condition;
}
$result = $this->read_from_db($real_condition, $searchmode, $limit, $offset);
if (!is_array($result)) { if (!is_array($result)) {
error_log('getList: read_from_db didn\'t return an array. table: ' . $this->db_table . ' - condition: $condition - limit: $limit - offset: $offset'); error_log('getList: read_from_db didn\'t return an array. table: ' . $this->db_table . ' - condition: $condition - limit: $limit - offset: $offset');

Write Preview
Loading…
Cancel
Save