From: Eric Bollengier Date: Sun, 18 Oct 2015 09:20:44 +0000 (+0200) Subject: Do some sanity checks on user inputs X-Git-Tag: Release-7.4.0~192 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=d82c1c7a66af88ec0b00e5c990ebb272394298d4;p=bacula%2Fbacula Do some sanity checks on user inputs --- diff --git a/bacula/src/dird/ua_dotcmds.c b/bacula/src/dird/ua_dotcmds.c index 4aeadfbc2a..5ea53ca123 100644 --- a/bacula/src/dird/ua_dotcmds.c +++ b/bacula/src/dird/ua_dotcmds.c @@ -905,20 +905,28 @@ static bool dot_bvfs_get_jobs(UAContext *ua, const char *cmd) return true; } - if ((pos = find_arg_with_value(ua, "client")) < 0) { + if (((pos = find_arg_with_value(ua, "client")) < 0) || + (strlen(ua->argv[pos]) > MAX_NAME_LENGTH)) + { return true; } - posj = find_arg_with_value(ua, "ujobid"); - if (!acl_access_ok(ua, Client_ACL, ua->argv[pos])) { return true; } - + + posj = find_arg_with_value(ua, "ujobid"); + /* Do a little check on the size of the argument */ + if (posj >= 0 && strlen(ua->argv[posj]) > MAX_NAME_LENGTH) { + return true; + } + db_lock(ua->db); - db_escape_string(ua->jcr, ua->db, esc_cli, ua->argv[pos], sizeof(esc_cli)); + db_escape_string(ua->jcr, ua->db, esc_cli, + ua->argv[pos], strlen(ua->argv[pos])); if (posj >= 0) { - db_escape_string(ua->jcr, ua->db, esc_job, ua->argv[posj], sizeof(esc_job)); + db_escape_string(ua->jcr, ua->db, esc_job, + ua->argv[posj], strlen(ua->argv[pos])); Mmsg(tmp, "AND Job.Job = '%s'", esc_job); } Mmsg(ua->db->cmd, diff --git a/bacula/src/dird/ua_prune.c b/bacula/src/dird/ua_prune.c index f83b8310fe..e0a775a463 100644 --- a/bacula/src/dird/ua_prune.c +++ b/bacula/src/dird/ua_prune.c @@ -652,7 +652,9 @@ static bool prune_expired_volumes(UAContext *ua) } /* We can restrict by MediaType */ - if ((i = find_arg_with_value(ua, "mediatype")) >= 0) { + if (((i = find_arg_with_value(ua, "mediatype")) >= 0) && + (strlen(ua->argv[i]) <= MAX_NAME_LENGTH)) + { char ed1[MAX_ESCAPE_NAME_LENGTH]; db_escape_string(ua->jcr, ua->db, ed1, ua->argv[i], strlen(ua->argv[i]));