From 256a6264d48d9a63a421c127e7b55a082fb6f813 Mon Sep 17 00:00:00 2001
From: Anthony Minessale
Date: Thu, 29 Sep 2011 08:28:12 -0500
Subject: [PATCH] prevent sql injection by using sqlite formatter on various code that generates sql stmts with switch_snprintf
---
 .../applications/mod_commands/mod_commands.c | 6 +--
 .../mod_voicemail/mod_voicemail.c | 12 ++---
 src/mod/endpoints/mod_sofia/sofia_reg.c | 50 +++++++++----------
 src/switch_core_sqldb.c | 6 +--
 4 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/src/mod/applications/mod_commands/mod_commands.c b/src/mod/applications/mod_commands/mod_commands.c
index 62fbc0bf59..efc4603d52 100644
--- a/src/mod/applications/mod_commands/mod_commands.c
+++ b/src/mod/applications/mod_commands/mod_commands.c
@@ -4078,11 +4078,11 @@ SWITCH_STANDARD_API(show_function)
 holder.print_title = 0;
 if ((cmdname = strchr(command, ' ')) && strcasecmp(cmdname, "as")) {
 *cmdname++ = '\0';
- switch_snprintf(sql, sizeof(sql) - 1,
- "select name, syntax, description, ikey from interfaces where hostname='%s' and type = 'api' and name = '%s' order by name",
+ switch_snprintfv(sql, sizeof(sql),
+ "select name, syntax, description, ikey from interfaces where hostname='%s' and type = 'api' and name = '%q' order by name",
 hostname, cmdname);
 } else {
- switch_snprintf(sql, sizeof(sql) - 1, "select name, syntax, description, ikey from interfaces where hostname='%s' and type = 'api' order by name", hostname);
+ switch_snprintfv(sql, sizeof(sql), "select name, syntax, description, ikey from interfaces where hostname='%q' and type = 'api' order by name", hostname);
 }
 } else if (!strcasecmp(command, "nat_map")) {
 switch_snprintf(sql, sizeof(sql) - 1,
diff --git a/src/mod/applications/mod_voicemail/mod_voicemail.c b/src/mod/applications/mod_voicemail/mod_voicemail.c
index 3b12e7c7a1..16d3afa7e1 100644
--- a/src/mod/applications/mod_voicemail/mod_voicemail.c
+++ b/src/mod/applications/mod_voicemail/mod_voicemail.c
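Review bot: In show_function (mod_commands.c) the first rewritten query still formats `hostname` with `'%s'`; only `name` moved to `'%q'`, while the else branch just below uses `'%q'` for the same variable. The format line should carry `hostname='%q' and type = 'api' and name = '%q'` so both values are quoted by the same rule. The `nat_map` branch that follows in the context still opens with `switch_snprintf(sql, sizeof(sql) - 1,`; its format string lies outside the hunk, so whether it needs the same conversion cannot be judged from here.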
@@ -2016,10 +2016,10 @@ static void voicemail_check_main(switch_core_session_t *session, vm_profile_t *p
 "username='%s' and domain='%s' and flags='save'", (long) switch_epoch_time_now(NULL), myid, domain_name);
 vm_execute_sql(profile, sql, profile->mutex);
- switch_snprintf(sql, sizeof(sql), "select file_path from voicemail_msgs where username='%s' and domain='%s' and flags='delete'", myid,
+ switch_snprintfv(sql, sizeof(sql), "select file_path from voicemail_msgs where username='%q' and domain='%q' and flags='delete'", myid,
 domain_name);
 vm_execute_sql_callback(profile, profile->mutex, sql, unlink_callback, NULL);
- switch_snprintf(sql, sizeof(sql), "delete from voicemail_msgs where username='%s' and domain='%s' and flags='delete'", myid, domain_name);
+ switch_snprintfv(sql, sizeof(sql), "delete from voicemail_msgs where username='%q' and domain='%q' and flags='delete'", myid, domain_name);
 vm_execute_sql(profile, sql, profile->mutex);
 vm_check_state = VM_CHECK_FOLDER_SUMMARY;
@@ -2305,7 +2305,7 @@ static void voicemail_check_main(switch_core_session_t *session, vm_profile_t *p
 }
 thepass = thehash = NULL;
- switch_snprintf(sql, sizeof(sql), "select * from voicemail_prefs where username='%s' and domain='%s'", myid, domain_name);
+ switch_snprintfv(sql, sizeof(sql), "select * from voicemail_prefs where username='%q' and domain='%q'", myid, domain_name);
 vm_execute_sql_callback(profile, profile->mutex, sql, prefs_callback, &cbt);
 x_params = switch_xml_child(x_user, "variables");
@@ -3225,7 +3225,7 @@ static switch_status_t voicemail_leave_main(switch_core_session_t *session, vm_p
 goto end;
 }
- switch_snprintf(sql, sizeof(sql), "select * from voicemail_prefs where username='%s' and domain='%s'", id, domain_name);
+ switch_snprintfv(sql, sizeof(sql), "select * from voicemail_prefs where username='%q' and domain='%q'", id, domain_name);
 vm_execute_sql_callback(profile, profile->mutex, sql, prefs_callback, &cbt);
 if (!vm_ext) {
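Review bot: The update statement at the top of the 2016 hunk in voicemail_check_main keeps `username='%s' and domain='%s' and flags='save'` for the same `myid` and `domain_name` that the select and delete below now pass through `%q`. That call starts above the hunk, so the formatter it uses is not visible, but the unchanged `%s` placeholders mean both values still reach `vm_execute_sql` unescaped on that path. It should be converted the same way, using `switch_snprintfv` with `username='%q' and domain='%q' and flags='save'`.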
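Review bot: `sql` is a fixed-size array and `%q` doubles every single quote, so the formatted statement can be longer than the old `%s` output; nothing on the new line in the 2305 hunk checks whether it was cut short before `vm_execute_sql_callback` runs it. The same applies to the other conversions in this file (hunks at 2016, 3225, 3327 and 3633), where a truncated statement would likewise be handed to the executor as is. An allocating formatter removes the fixed limit: `char *q = switch_mprintf("select * from voicemail_prefs where username='%q' and domain='%q'", myid, domain_name);`, then pass `q` to the callback and finish with `switch_safe_free(q);`. The enclosing function extends beyond the hunk, so the size of `sql` could not be confirmed.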
@@ -3327,7 +3327,7 @@ static switch_status_t voicemail_leave_main(switch_core_session_t *session, vm_p
 callback.buf = disk_usage;
 callback.len = sizeof(disk_usage);
- switch_snprintf(sqlstmt, sizeof(sqlstmt), "select sum(message_len) from voicemail_msgs where username='%s' and domain='%s'", id, domain_name);
+ switch_snprintfv(sqlstmt, sizeof(sqlstmt), "select sum(message_len) from voicemail_msgs where username='%q' and domain='%q'", id, domain_name);
 vm_execute_sql_callback(profile, profile->mutex, sqlstmt, sql2str_callback, &callback);
 if (atoi(disk_usage) >= disk_quota) {
@@ -3633,7 +3633,7 @@ SWITCH_STANDARD_API(prefs_api_function)
 }
- switch_snprintf(sql, sizeof(sql), "select * from voicemail_prefs where username='%s' and domain='%s'", id, domain);
+ switch_snprintfv(sql, sizeof(sql), "select * from voicemail_prefs where username='%q' and domain='%q'", id, domain);
 vm_execute_sql_callback(profile, profile->mutex, sql, prefs_callback, &cbt);
 if (!strcasecmp(how, "greeting_path")) {
diff --git a/src/mod/endpoints/mod_sofia/sofia_reg.c b/src/mod/endpoints/mod_sofia/sofia_reg.c
index 253caf890c..a65c205b8f 100644
--- a/src/mod/endpoints/mod_sofia/sofia_reg.c
+++ b/src/mod/endpoints/mod_sofia/sofia_reg.c
@@ -676,10 +676,10 @@ void sofia_reg_check_expire(sofia_profile_t *profile, time_t now, int reboot)
 sofia_glue_execute_sql_callback(profile, NULL, sql, sofia_reg_del_callback, profile);
 if (now) {
- switch_snprintf(sql, sizeof(sql), "delete from sip_registrations where expires > 0 and expires <= %ld and hostname='%s'",
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_registrations where expires > 0 and expires <= %ld and hostname='%q'",
 (long) now, mod_sofia_globals.hostname);
 } else {
- switch_snprintf(sql, sizeof(sql), "delete from sip_registrations where expires > 0 and hostname='%s'", mod_sofia_globals.hostname);
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_registrations where expires > 0 and hostname='%q'", mod_sofia_globals.hostname);
 }
 sofia_glue_actually_execute_sql(profile, sql, NULL);
@@ -687,11 +687,11 @@ void sofia_reg_check_expire(sofia_profile_t *profile, time_t now, int reboot)
 if (now) {
- switch_snprintf(sql, sizeof(sql), "select call_id from sip_shared_appearance_dialogs where hostname='%s' "
+ switch_snprintfv(sql, sizeof(sql), "select call_id from sip_shared_appearance_dialogs where hostname='%q' "
 "and profile_name='%s' and expires <= %ld", mod_sofia_globals.hostname, profile->name, (long) now);
 sofia_glue_execute_sql_callback(profile, NULL, sql, sofia_sla_dialog_del_callback, profile);
- switch_snprintf(sql, sizeof(sql), "delete from sip_shared_appearance_dialogs where expires > 0 and hostname='%s' and expires <= %ld",
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_shared_appearance_dialogs where expires > 0 and hostname='%q' and expires <= %ld",
 mod_sofia_globals.hostname, (long) now);
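Review bot: In the shared-appearance select of the 687 hunk, the continuation line `"and profile_name='%s' and expires <= %ld"` is unchanged, so `profile->name` is still inserted without quoting while `hostname` on the line above moved to `'%q'`. Both values look like they come from configuration, but one statement should not mix the two conventions; the continuation should read `"and profile_name='%q' and expires <= %ld"`. sofia_reg_check_expire starts and ends outside the hunk.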
@@ -700,19 +700,19 @@ void sofia_reg_check_expire(sofia_profile_t *profile, time_t now, int reboot)
 if (now) {
- switch_snprintf(sql, sizeof(sql), "delete from sip_presence where expires > 0 and expires <= %ld and hostname='%s'",
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_presence where expires > 0 and expires <= %ld and hostname='%q'",
 (long) now, mod_sofia_globals.hostname);
 } else {
- switch_snprintf(sql, sizeof(sql), "delete from sip_presence where expires > 0 and hostname='%s'", mod_sofia_globals.hostname);
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_presence where expires > 0 and hostname='%q'", mod_sofia_globals.hostname);
 }
 sofia_glue_actually_execute_sql(profile, sql, NULL);
 if (now) {
- switch_snprintf(sql, sizeof(sql), "delete from sip_authentication where expires > 0 and expires <= %ld and hostname='%s'",
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_authentication where expires > 0 and expires <= %ld and hostname='%q'",
 (long) now, mod_sofia_globals.hostname);
 } else {
- switch_snprintf(sql, sizeof(sql), "delete from sip_authentication where expires > 0 and hostname='%s'", mod_sofia_globals.hostname);
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_authentication where expires > 0 and hostname='%q'", mod_sofia_globals.hostname);
 }
 sofia_glue_actually_execute_sql(profile, sql, NULL);
@@ -722,27 +722,27 @@ void sofia_reg_check_expire(sofia_profile_t *profile, time_t now, int reboot)
 "select call_id from sip_subscriptions where (expires = -1 or (expires > 0 and expires <= %ld)) and hostname='%s'", (long) now, mod_sofia_globals.hostname);
 } else {
- switch_snprintf(sql, sizeof(sql), "select sub_to_user,sub_to_host,call_id from sip_subscriptions where expires >= -1 and hostname='%s'",
+ switch_snprintfv(sql, sizeof(sql), "select sub_to_user,sub_to_host,call_id from sip_subscriptions where expires >= -1 and hostname='%q'",
 mod_sofia_globals.hostname);
 }
 sofia_glue_execute_sql_callback(profile, NULL, sql, sofia_sub_del_callback, profile);
 if (now) {
- switch_snprintf(sql, sizeof(sql), "delete from sip_subscriptions where (expires = -1 or (expires > 0 and expires <= %ld)) and hostname='%s'",
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_subscriptions where (expires = -1 or (expires > 0 and expires <= %ld)) and hostname='%q'",
 (long) now, mod_sofia_globals.hostname);
 } else {
- switch_snprintf(sql, sizeof(sql), "delete from sip_subscriptions where expires >= -1 and hostname='%s'", mod_sofia_globals.hostname);
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_subscriptions where expires >= -1 and hostname='%q'", mod_sofia_globals.hostname);
 }
 sofia_glue_actually_execute_sql(profile, sql, NULL);
 if (now) {
- switch_snprintf(sql, sizeof(sql), "delete from sip_dialogs where (expires = -1 or (expires > 0 and expires <= %ld)) and hostname='%s'",
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_dialogs where (expires = -1 or (expires > 0 and expires <= %ld)) and hostname='%q'",
 (long) now, mod_sofia_globals.hostname);
 } else {
- switch_snprintf(sql, sizeof(sql), "delete from sip_dialogs where expires >= -1 and hostname='%s'", mod_sofia_globals.hostname);
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_dialogs where expires >= -1 and hostname='%q'", mod_sofia_globals.hostname);
 }
 sofia_glue_actually_execute_sql(profile, sql, NULL);
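Review bot: The `if (now)` branch of the subscriptions select at the top of this hunk still ends in `hostname='%s'`; only its `else` branch was converted. The call opens above the hunk, so the function name used there is not visible, but the unchanged placeholder shows that path was missed. The format string should end in `and hostname='%q'` and the call should be `switch_snprintfv`, so both branches build the query by the same rule.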
@@ -833,24 +833,24 @@ void sofia_reg_check_sync(sofia_profile_t *profile)
 sofia_glue_execute_sql_callback(profile, NULL, sql, sofia_reg_del_callback, profile);
- switch_snprintf(sql, sizeof(sql), "delete from sip_registrations where expires > 0 and hostname='%s'", mod_sofia_globals.hostname);
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_registrations where expires > 0 and hostname='%q'", mod_sofia_globals.hostname);
 sofia_glue_actually_execute_sql(profile, sql, NULL);
- switch_snprintf(sql, sizeof(sql), "delete from sip_presence where expires > 0 and hostname='%s'", mod_sofia_globals.hostname);
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_presence where expires > 0 and hostname='%q'", mod_sofia_globals.hostname);
 sofia_glue_actually_execute_sql(profile, sql, NULL);
- switch_snprintf(sql, sizeof(sql), "delete from sip_authentication where expires > 0 and hostname='%s'", mod_sofia_globals.hostname);
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_authentication where expires > 0 and hostname='%q'", mod_sofia_globals.hostname);
 sofia_glue_actually_execute_sql(profile, sql, NULL);
- switch_snprintf(sql, sizeof(sql), "select sub_to_user,sub_to_host,call_id from sip_subscriptions where expires >= -1 and hostname='%s'",
+ switch_snprintfv(sql, sizeof(sql), "select sub_to_user,sub_to_host,call_id from sip_subscriptions where expires >= -1 and hostname='%q'",
 mod_sofia_globals.hostname);
 sofia_glue_execute_sql_callback(profile, NULL, sql, sofia_sub_del_callback, profile);
- switch_snprintf(sql, sizeof(sql), "delete from sip_subscriptions where expires >= -1 and hostname='%s'", mod_sofia_globals.hostname);
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_subscriptions where expires >= -1 and hostname='%q'", mod_sofia_globals.hostname);
 sofia_glue_actually_execute_sql(profile, sql, NULL);
- switch_snprintf(sql, sizeof(sql), "delete from sip_dialogs where expires >= -1 and hostname='%s'", mod_sofia_globals.hostname);
+ switch_snprintfv(sql, sizeof(sql), "delete from sip_dialogs where expires >= -1 and hostname='%q'", mod_sofia_globals.hostname);
 sofia_glue_actually_execute_sql(profile, sql, NULL);
 switch_mutex_unlock(profile->ireg_mutex);
@@ -871,10 +871,10 @@ char *sofia_reg_find_reg_url(sofia_profile_t *profile, const char *user, const c
 cbt.len = len;
 if (host) {
- switch_snprintf(sql, sizeof(sql), "select contact from sip_registrations where sip_user='%s' and (sip_host='%s' or presence_hosts like '%%%s%%')",
+ switch_snprintfv(sql, sizeof(sql), "select contact from sip_registrations where sip_user='%q' and (sip_host='%q' or presence_hosts like '%%%q%%')",
 user, host, host);
 } else {
- switch_snprintf(sql, sizeof(sql), "select contact from sip_registrations where sip_user='%s'", user);
+ switch_snprintfv(sql, sizeof(sql), "select contact from sip_registrations where sip_user='%q'", user);
 }
@@ -900,10 +900,10 @@ switch_console_callback_match_t *sofia_reg_find_reg_url_multi(sofia_profile_t *p
 }
 if (host) {
- switch_snprintf(sql, sizeof(sql), "select contact from sip_registrations where sip_user='%s' and (sip_host='%s' or presence_hosts like '%%%s%%')",
+ switch_snprintfv(sql, sizeof(sql), "select contact from sip_registrations where sip_user='%q' and (sip_host='%q' or presence_hosts like '%%%q%%')",
 user, host, host);
 } else {
- switch_snprintf(sql, sizeof(sql), "select contact from sip_registrations where sip_user='%s'", user);
+ switch_snprintfv(sql, sizeof(sql), "select contact from sip_registrations where sip_user='%q'", user);
 }
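Review bot: `%q` only doubles single quotes, so in `presence_hosts like '%%%q%%'` (sofia_reg_find_reg_url, hunk at 871) a `%` or `_` inside `host` is still read as a LIKE wildcard and the clause can match registrations that belong to other hosts. The same pattern is repeated in sofia_reg_find_reg_url_multi (hunk at 900) and sofia_reg_find_reg_url_with_positive_expires_multi (hunk at 924). `host` should be rejected or escaped for those two characters before formatting, with an `escape` clause on the pattern, or the lookup should compare against an exact entry instead of a substring. At minimum a comment such as `/* host is used as a LIKE pattern: '%' and '_' are not neutralised by %q */` should record the limitation.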
@@ -924,10 +924,10 @@ switch_console_callback_match_t *sofia_reg_find_reg_url_with_positive_expires_mu
 }
 if (host) {
- switch_snprintf(sql, sizeof(sql), "select contact,expires from sip_registrations where sip_user='%s' and (sip_host='%s' or presence_hosts like '%%%s%%')",
+ switch_snprintfv(sql, sizeof(sql), "select contact,expires from sip_registrations where sip_user='%q' and (sip_host='%q' or presence_hosts like '%%%q%%')",
 user, host, host);
 } else {
- switch_snprintf(sql, sizeof(sql), "select contact,expires from sip_registrations where sip_user='%s'", user);
+ switch_snprintfv(sql, sizeof(sql), "select contact,expires from sip_registrations where sip_user='%q'", user);
 }
 sofia_glue_execute_sql_callback(profile, profile->ireg_mutex, sql, sofia_reg_find_reg_with_positive_expires_callback, &cbt);
diff --git a/src/switch_core_sqldb.c b/src/switch_core_sqldb.c
index f85f4b3d8c..90112aeb4e 100644
--- a/src/switch_core_sqldb.c
+++ b/src/switch_core_sqldb.c
@@ -733,7 +733,7 @@ SWITCH_DECLARE(switch_status_t) switch_cache_db_persistant_execute_trans(switch_
 if ((result = switch_odbc_SQLSetAutoCommitAttr(dbh->native_handle.odbc_dbh, 0)) != SWITCH_ODBC_SUCCESS) {
 char tmp[100];
- switch_snprintf(tmp, sizeof(tmp), "%s-%i", "Unable to Set AutoCommit Off", result);
+ switch_snprintfv(tmp, sizeof(tmp), "%q-%i", "Unable to Set AutoCommit Off", result);
 errmsg = strdup(tmp);
 }
 }
@@ -1144,7 +1144,7 @@ static char *parse_presence_data_cols(switch_event_t *event)
 SWITCH_STANDARD_STREAM(stream);
 for (i = 0; i < col_count; i++) {
- switch_snprintf(col_name, sizeof(col_name), "variable_%s", cols[i]);
+ switch_snprintfv(col_name, sizeof(col_name), "variable_%q", cols[i]);
 stream.write_function(&stream, "%q='%q',", cols[i], switch_event_get_header_nil(event, col_name));
 }
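Review bot: `tmp` in the 733 hunk (switch_cache_db_persistant_execute_trans) is an error message that goes to `strdup`, not an SQL statement, so `%q` is the wrong conversion: it would double any quote in the text and makes the line read like query construction. The plain formatter should stay for this one, `switch_snprintf(tmp, sizeof(tmp), "%s-%i", "Unable to Set AutoCommit Off", result);`. The literal has no quote in it today, so this is a readability point and does not change behaviour.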
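Review bot: `col_name` in parse_presence_data_cols (hunk at 1144) is the header name passed to `switch_event_get_header_nil`, so formatting it with `%q` changes the lookup key whenever `cols[i]` contains a single quote, and the header is then not found. SQL quoting belongs on the value written into the statement, which the next line already does with `'%q'`; this line should stay `switch_snprintf(col_name, sizeof(col_name), "variable_%s", cols[i]);`. Separately, `cols[i]` is emitted as a bare column identifier by `"%q='%q',"`, and `%q` does not make an identifier safe, so the column names need checking against an allowed character set where `cols` is filled, which is outside this hunk.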
@@ -1906,7 +1906,7 @@ switch_status_t switch_core_sqldb_start(switch_memory_pool_t *pool, switch_bool_
 const char *hostname = switch_core_get_switchname();
 for (i = 0; tables[i]; i++) {
- switch_snprintf(sql, sizeof(sql), "delete from %s where hostname='%s'", tables[i], hostname);
+ switch_snprintfv(sql, sizeof(sql), "delete from %q where hostname='%q'", tables[i], hostname);
 switch_cache_db_execute_sql(dbh, sql, NULL);
 }
 }
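Review bot: In `delete from %q where hostname='%q'` the first `%q` formats a table name that is not inside single quotes, where doubling quotes gives no protection, so the line reads as if the identifier were sanitised when it is not. `tables` is declared outside the hunk; if it is a fixed list of literals, `%s` states the intent correctly: `"delete from %s where hostname='%q'"`. If it can ever hold external input, the name should be validated against the known table list before formatting.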