080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection diff --git src/hg/lib/wikiTrack.c src/hg/lib/wikiTrack.c index 6852a33..b17f3fb 100644 --- src/hg/lib/wikiTrack.c +++ src/hg/lib/wikiTrack.c @@ -110,80 +110,39 @@ while ((row = sqlNextRow(sr)) != NULL) { el = wikiTrackLoad(row); slAddHead(&list, el); } slReverse(&list); sqlFreeResult(&sr); return list; } void wikiTrackSaveToDb(struct sqlConnection *conn, struct wikiTrack *el, char *tableName, int updateSize) /* Save wikiTrack as a row to the table specified by tableName. * As blob fields may be arbitrary size updateSize specifies the approx size * of a string that would contain the entire query. Arrays of native types are * converted to comma separated strings and loaded as such, User defined types are - * inserted as NULL. Note that strings must be escaped to allow insertion into the database. - * For example "autosql's features include" --> "autosql\'s features include" - * If worried about this use wikiTrackSaveToDbEscaped() */ + * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */ { struct dyString *update = newDyString(updateSize); -dyStringPrintf(update, "insert into %s values ( %u,'%s',%u,%u,'%s',%u,'%s','%s','%s','%s','%s','%s','%s','%s',%u,'%s')", +sqlDyStringPrintf(update, "insert into %s values ( %u,'%s',%u,%u,'%s',%u,'%s','%s','%s','%s','%s','%s','%s','%s',%u,'%s')", tableName, el->bin, el->chrom, el->chromStart, el->chromEnd, el->name, el->score, el->strand, el->db, el->owner, el->color, el->class, el->creationDate, el->lastModifiedDate, el->descriptionKey, el->id, el->geneSymbol); sqlUpdate(conn, update->string); freeDyString(&update); } -void wikiTrackSaveToDbEscaped(struct sqlConnection *conn, struct wikiTrack *el, char *tableName, int updateSize) -/* Save wikiTrack as a row to the table specified by tableName. - * As blob fields may be arbitrary size updateSize specifies the approx size. - * of a string that would contain the entire query. Automatically - * escapes all simple strings (not arrays of string) but may be slower than wikiTrackSaveToDb(). - * For example automatically copies and converts: - * "autosql's features include" --> "autosql\'s features include" - * before inserting into database. */ -{ -struct dyString *update = newDyString(updateSize); -char *chrom, *name, *strand, *db, *owner, *color, *class, *creationDate, *lastModifiedDate, *descriptionKey, *geneSymbol; -chrom = sqlEscapeString(el->chrom); -name = sqlEscapeString(el->name); -strand = sqlEscapeString(el->strand); -db = sqlEscapeString(el->db); -owner = sqlEscapeString(el->owner); -color = sqlEscapeString(el->color); -class = sqlEscapeString(el->class); -creationDate = sqlEscapeString(el->creationDate); -lastModifiedDate = sqlEscapeString(el->lastModifiedDate); -descriptionKey = sqlEscapeString(el->descriptionKey); -geneSymbol = sqlEscapeString(el->geneSymbol); - -dyStringPrintf(update, "insert into %s values ( %u,'%s',%u,%u,'%s',%u,'%s','%s','%s','%s','%s','%s','%s','%s',%u,'%s')", - tableName, el->bin , chrom, el->chromStart , el->chromEnd , name, el->score , strand, db, owner, color, class, creationDate, lastModifiedDate, descriptionKey, el->id , geneSymbol); -sqlUpdate(conn, update->string); -freeDyString(&update); -freez(&chrom); -freez(&name); -freez(&strand); -freez(&db); -freez(&owner); -freez(&color); -freez(&class); -freez(&creationDate); -freez(&lastModifiedDate); -freez(&descriptionKey); -freez(&geneSymbol); -} struct wikiTrack *wikiTrackCommaIn(char **pS, struct wikiTrack *ret) /* Create a wikiTrack out of a comma separated string. * This will fill in ret if non-null, otherwise will * return a new wikiTrack */ { char *s = *pS; if (ret == NULL) AllocVar(ret); ret->bin = sqlUnsignedComma(&s); ret->chrom = sqlStringComma(&s); ret->chromStart = sqlUnsignedComma(&s); ret->chromEnd = sqlUnsignedComma(&s); ret->name = sqlStringComma(&s); @@ -305,31 +264,31 @@ #include "cart.h" #include "hPrint.h" #include "grp.h" #include "obscure.h" #include "hCommon.h" #include "web.h" #include "hgColors.h" #ifdef NOT static void savePosInTextBox(char *chrom, int start, int end) /* Save basic position/database info in text box and hidden var. Positions becomes chrom:start-end*/ { char position[128]; char *newPos; -snprintf(position, 128, "%s:%d-%d", chrom, start, end); +safef(position, 128, "%s:%d-%d", chrom, start, end); newPos = addCommasToPos(position); cgiMakeTextVar("getDnaPos", newPos, strlen(newPos) + 2); cgiContinueHiddenVar("db"); } #endif boolean wikiTrackReadOnly() /* return TRUE if wiki track is in Read-Only mode, default answer is FALSE */ { return cfgOptionBooleanDefault(CFG_WIKI_TRACK_READ_ONLY, FALSE); } boolean wikiTrackEnabled(char *database, char **wikiUserName) /*determine if wikiTrack can be used, and is this user logged into the wiki ?*/ { @@ -443,35 +402,35 @@ "class varchar(255) not null,\n" "creationDate varchar(255) not null,\n" "lastModifiedDate varchar(255) not null,\n" "descriptionKey varchar(255) not null,\n" "id int unsigned not null auto_increment,\n" "geneSymbol varchar(255) null,\n" "PRIMARY KEY(id),\n" "INDEX chrom (db,bin,chrom),\n" "INDEX name (db,name),\n" "INDEX gene (geneSymbol)\n" ")\n"; char *wikiTrackGetCreateSql(char *tableName) /* return sql create statement for wiki track with tableName */ { -struct dyString *createTable = dyStringNew(512); +struct dyString *dy = dyStringNew(512); -dyStringPrintf(createTable, createString, tableName); +sqlDyStringPrintf(dy, createString, tableName); -return (dyStringCannibalize(&createTable)); +return (dyStringCannibalize(&dy)); } char *wikiDbName() /* return name of database where wiki track is located currently this is central.db but the future may be configurable */ { static char *dbName = NULL; if (dbName) return dbName; char setting[64]; safef(setting, sizeof(setting), "central.db"); dbName = cfgOption(setting); return dbName; @@ -487,74 +446,74 @@ } void wikiDisconnect(struct sqlConnection **pConn) /* disconnect from wikiTrack table database */ { hDisconnectCentral(pConn); } struct wikiTrack *findWikiItemId(char *wikiItemId) /* given a wikiItemId return the row from the table */ { struct wikiTrack *item; char query[256]; struct sqlConnection *wikiConn = wikiConnect(); -safef(query, ArraySize(query), "SELECT * FROM %s WHERE id='%s' limit 1", +sqlSafef(query, ArraySize(query), "SELECT * FROM %s WHERE id='%s' limit 1", WIKI_TRACK_TABLE, wikiItemId); item = wikiTrackLoadByQuery(wikiConn, query); if (NULL == item) errAbort("display wiki item: failed to load item '%s'", wikiItemId); wikiDisconnect(&wikiConn); return item; } struct wikiTrack *findWikiItemByGeneSymbol(char *db, char *geneSymbol) /* given a db and UCSC known gene geneSymbol, find the wiki item */ { struct wikiTrack *item = NULL; /* make sure neither of these arguments is NULL */ if (db && geneSymbol) { char query[256]; struct sqlConnection *wikiConn = wikiConnect(); - safef(query, ArraySize(query), + sqlSafef(query, ArraySize(query), "SELECT * FROM %s WHERE db='%s' AND geneSymbol='%s' limit 1", WIKI_TRACK_TABLE, db, geneSymbol); item = wikiTrackLoadByQuery(wikiConn, query); wikiDisconnect(&wikiConn); } return item; } struct wikiTrack *findWikiItemByName(char *db, char *name) /* given a db,name pair return the row from the table, can return NULL */ { struct wikiTrack *item = NULL; /* make sure neither of these arguments is NULL */ if (name && db) { char query[256]; struct sqlConnection *wikiConn = wikiConnect(); - safef(query, ArraySize(query), + sqlSafef(query, ArraySize(query), "SELECT * FROM %s WHERE db='%s' AND name='%s' limit 1", WIKI_TRACK_TABLE, db, name); item = wikiTrackLoadByQuery(wikiConn, query); wikiDisconnect(&wikiConn); } return item; } static char *stripEditURLs(char *rendered) /* test for actual text, remove edit sections and any html comment strings */ { char *stripped = cloneString(rendered); @@ -802,31 +761,31 @@ char *userSignature; /* In the case where this is a restoration of the header lines, * may be a different creator than this user adding comments. * So, get the header line correct to represent the actual creator. */ if (sameWord(userName, item->owner)) userSignature = cloneString("~~~~"); else { struct dyString *tt = newDyString(1024); dyStringPrintf(tt, "[[User:%s|%s]] ", item->owner, item->owner); dyStringPrintf(tt, "%s", item->creationDate); userSignature = dyStringCannibalize(&tt); recreateHeader = TRUE; } - snprintf(position, 128, "%s:%d-%d", seqName, winStart+1, winEnd); + safef(position, 128, "%s:%d-%d", seqName, winStart+1, winEnd); newPos = addCommasToPos(database, position); if (extraHeader) { dyStringPrintf(content, "%s\n%s\n", category, extraHeader); } else { dyStringPrintf(content, "%s\n" "[http://%s/cgi-bin/hgTracks?db=%s&wikiTrack=pack&position=%s:%d-%d %s %s]" " <B>'%s'</B> ", category, cfgOptionDefault(CFG_WIKI_BROWSER, DEFAULT_BROWSER), database, seqName, winStart+1, winEnd, database, newPos, item->name); @@ -940,31 +899,31 @@ char *userSignature; /* In the case where this is a restoration of the header lines, * may be a different creator than this user adding comments. * So, get the header line correct to represent the actual creator. */ if (sameWord(userName, item->owner)) userSignature = cloneString("~~~~"); else { struct dyString *tt = newDyString(1024); dyStringPrintf(tt, "[[User:%s|%s]] ", item->owner, item->owner); dyStringPrintf(tt, "%s", item->creationDate); userSignature = dyStringCannibalize(&tt); recreateHeader = TRUE; } - snprintf(position, 128, "%s:%d-%d", seqName, winStart+1, winEnd); + safef(position, 128, "%s:%d-%d", seqName, winStart+1, winEnd); newPos = addCommasToPos(database, position); if (extraHeader) { dyStringPrintf(content, "%s\n%s\n", category, extraHeader); } else { dyStringPrintf(content, "%s\n" "[http://%s/cgi-bin/hgTracks?db=%s&wikiTrack=pack&position=%s:%d-%d %s %s]" " <B>'%s'</B> ", category, cfgOptionDefault(CFG_WIKI_BROWSER, DEFAULT_BROWSER), database, seqName, winStart+1, winEnd, database, newPos, item->name); }