setup: escape arguments when executing shell commands (psql, createdb)

diff --git a/lib/DB.php b/lib/DB.php
index 51fd49fc228329c87e0055a0741d529f20bb1aa2..ddc0932c871e123214e3d373b7a33e9abcaa193a 100644 (file)
--- a/lib/DB.php
+++ b/lib/DB.php
@@ -284,7 +284,7 @@ class DB
     {
         // https://secure.php.net/manual/en/ref.pdo-pgsql.connection.php
         $aInfo = array();
     {
         // https://secure.php.net/manual/en/ref.pdo-pgsql.connection.php
         $aInfo = array();

-        if (preg_match('/^pgsql:(.+)/', $sDSN, $aMatches)) {
+        if (preg_match('/^pgsql:(.+)$/', $sDSN, $aMatches)) {

             foreach (explode(';', $aMatches[1]) as $sKeyVal) {
                 list($sKey, $sVal) = explode('=', $sKeyVal, 2);
                 if ($sKey == 'host') $sKey = 'hostspec';
             foreach (explode(';', $aMatches[1]) as $sKeyVal) {
                 list($sKey, $sVal) = explode('=', $sKeyVal, 2);
                 if ($sKey == 'host') $sKey = 'hostspec';

diff --git a/lib/cmd.php b/lib/cmd.php
index 32fdc8576de70157382e2733f3875a0ac5d728e3..77878c153c73f90440fcbf532413c68ca13dab40 100644 (file)
--- a/lib/cmd.php
+++ b/lib/cmd.php
@@ -148,12 +148,14 @@ function runSQLScript($sScript, $bfatal = true, $bVerbose = false, $bIgnoreError
     // Convert database DSN to psql parameters
     $aDSNInfo = \Nominatim\DB::parseDSN(CONST_Database_DSN);
     if (!isset($aDSNInfo['port']) || !$aDSNInfo['port']) $aDSNInfo['port'] = 5432;
     // Convert database DSN to psql parameters
     $aDSNInfo = \Nominatim\DB::parseDSN(CONST_Database_DSN);
     if (!isset($aDSNInfo['port']) || !$aDSNInfo['port']) $aDSNInfo['port'] = 5432;

-    $sCMD = 'psql -p '.$aDSNInfo['port'].' -d '.$aDSNInfo['database'];
+    $sCMD = 'psql'
+        .' -p '.escapeshellarg($aDSNInfo['port'])
+        .' -d '.escapeshellarg($aDSNInfo['database']);

     if (isset($aDSNInfo['hostspec']) && $aDSNInfo['hostspec']) {
     if (isset($aDSNInfo['hostspec']) && $aDSNInfo['hostspec']) {

-        $sCMD .= ' -h ' . $aDSNInfo['hostspec'];
+        $sCMD .= ' -h ' . escapeshellarg($aDSNInfo['hostspec']);

     }
     if (isset($aDSNInfo['username']) && $aDSNInfo['username']) {
     }
     if (isset($aDSNInfo['username']) && $aDSNInfo['username']) {

-        $sCMD .= ' -U ' . $aDSNInfo['username'];
+        $sCMD .= ' -U ' . escapeshellarg($aDSNInfo['username']);

     }
     $aProcEnv = null;
     if (isset($aDSNInfo['password']) && $aDSNInfo['password']) {
     }
     $aProcEnv = null;
     if (isset($aDSNInfo['password']) && $aDSNInfo['password']) {

diff --git a/lib/setup/SetupClass.php b/lib/setup/SetupClass.php
index b6705968752abdecd81a06b8682072b1b44d7dea..b8070e4a2d326255497a979d6ee2b1e5ccac0e0d 100755 (executable)
--- a/lib/setup/SetupClass.php
+++ b/lib/setup/SetupClass.php
@@ -80,13 +80,15 @@ class SetupFunctions
             fail('database already exists ('.CONST_Database_DSN.')');
         }
 
             fail('database already exists ('.CONST_Database_DSN.')');
         }
 

-        $sCreateDBCmd = 'createdb -E UTF-8 -p '.$this->aDSNInfo['port'].' '.$this->aDSNInfo['database'];
+        $sCreateDBCmd = 'createdb -E UTF-8'
+            .' -p '.escapeshellarg($this->aDSNInfo['port'])
+            .' '.escapeshellarg($this->aDSNInfo['database']);

         if (isset($this->aDSNInfo['username'])) {
         if (isset($this->aDSNInfo['username'])) {

-            $sCreateDBCmd .= ' -U '.$this->aDSNInfo['username'];
+            $sCreateDBCmd .= ' -U '.escapeshellarg($this->aDSNInfo['username']);

         }
 
         if (isset($this->aDSNInfo['hostspec'])) {
         }
 
         if (isset($this->aDSNInfo['hostspec'])) {

-            $sCreateDBCmd .= ' -h '.$this->aDSNInfo['hostspec'];
+            $sCreateDBCmd .= ' -h '.escapeshellarg($this->aDSNInfo['hostspec']);

         }
 
         $result = $this->runWithPgEnv($sCreateDBCmd);
         }
 
         $result = $this->runWithPgEnv($sCreateDBCmd);


@@ -178,30 +180,30 @@ class SetupFunctions
             fail("osm2pgsql not found in '$osm2pgsql'");
         }
 
             fail("osm2pgsql not found in '$osm2pgsql'");
         }
 

-        $osm2pgsql .= ' -S '.CONST_Import_Style;
+        $osm2pgsql .= ' -S '.escapeshellarg(CONST_Import_Style);

 
         if (!is_null(CONST_Osm2pgsql_Flatnode_File) && CONST_Osm2pgsql_Flatnode_File) {
 
         if (!is_null(CONST_Osm2pgsql_Flatnode_File) && CONST_Osm2pgsql_Flatnode_File) {

-            $osm2pgsql .= ' --flat-nodes '.CONST_Osm2pgsql_Flatnode_File;
+            $osm2pgsql .= ' --flat-nodes '.escapeshellarg(CONST_Osm2pgsql_Flatnode_File);

         }
 
         if (CONST_Tablespace_Osm2pgsql_Data)
         }
 
         if (CONST_Tablespace_Osm2pgsql_Data)

-            $osm2pgsql .= ' --tablespace-slim-data '.CONST_Tablespace_Osm2pgsql_Data;
+            $osm2pgsql .= ' --tablespace-slim-data '.escapeshellarg(CONST_Tablespace_Osm2pgsql_Data);

         if (CONST_Tablespace_Osm2pgsql_Index)
         if (CONST_Tablespace_Osm2pgsql_Index)

-            $osm2pgsql .= ' --tablespace-slim-index '.CONST_Tablespace_Osm2pgsql_Index;
+            $osm2pgsql .= ' --tablespace-slim-index '.escapeshellarg(CONST_Tablespace_Osm2pgsql_Index);

         if (CONST_Tablespace_Place_Data)
         if (CONST_Tablespace_Place_Data)

-            $osm2pgsql .= ' --tablespace-main-data '.CONST_Tablespace_Place_Data;
+            $osm2pgsql .= ' --tablespace-main-data '.escapeshellarg(CONST_Tablespace_Place_Data);

         if (CONST_Tablespace_Place_Index)
         if (CONST_Tablespace_Place_Index)

-            $osm2pgsql .= ' --tablespace-main-index '.CONST_Tablespace_Place_Index;
+            $osm2pgsql .= ' --tablespace-main-index '.escapeshellarg(CONST_Tablespace_Place_Index);

         $osm2pgsql .= ' -lsc -O gazetteer --hstore --number-processes 1';
         $osm2pgsql .= ' -lsc -O gazetteer --hstore --number-processes 1';

-        $osm2pgsql .= ' -C '.$this->iCacheMemory;
-        $osm2pgsql .= ' -P '.$this->aDSNInfo['port'];
+        $osm2pgsql .= ' -C '.escapeshellarg($this->iCacheMemory);
+        $osm2pgsql .= ' -P '.escapeshellarg($this->aDSNInfo['port']);

         if (isset($this->aDSNInfo['username'])) {
         if (isset($this->aDSNInfo['username'])) {

-            $osm2pgsql .= ' -U '.$this->aDSNInfo['username'];
+            $osm2pgsql .= ' -U '.escapeshellarg($this->aDSNInfo['username']);

         }
         if (isset($this->aDSNInfo['hostspec'])) {
         }
         if (isset($this->aDSNInfo['hostspec'])) {

-            $osm2pgsql .= ' -H '.$this->aDSNInfo['hostspec'];
+            $osm2pgsql .= ' -H '.escapeshellarg($this->aDSNInfo['hostspec']);

         }
         }

-        $osm2pgsql .= ' -d '.$this->aDSNInfo['database'].' '.$sOSMFile;
+        $osm2pgsql .= ' -d '.escapeshellarg($this->aDSNInfo['database']).' '.escapeshellarg($sOSMFile);

 
         $this->runWithPgEnv($osm2pgsql);
 
 
         $this->runWithPgEnv($osm2pgsql);
 


@@ -595,13 +597,15 @@ class SetupFunctions
     public function index($bIndexNoanalyse)
     {
         $sOutputFile = '';
     public function index($bIndexNoanalyse)
     {
         $sOutputFile = '';

-        $sBaseCmd = CONST_InstallPath.'/nominatim/nominatim -i -d '.$this->aDSNInfo['database'].' -P '
-            .$this->aDSNInfo['port'].' -t '.$this->iInstances.$sOutputFile;
+        $sBaseCmd = CONST_InstallPath.'/nominatim/nominatim -i'
+            .' -d '.escapeshellarg($this->aDSNInfo['database'])
+            .' -P '.escapeshellarg($this->aDSNInfo['port'])
+            .' -t '.escapeshellarg($this->iInstances.$sOutputFile);

         if (isset($this->aDSNInfo['hostspec'])) {
         if (isset($this->aDSNInfo['hostspec'])) {

-            $sBaseCmd .= ' -H '.$this->aDSNInfo['hostspec'];
+            $sBaseCmd .= ' -H '.escapeshellarg($this->aDSNInfo['hostspec']);

         }
         if (isset($this->aDSNInfo['username'])) {
         }
         if (isset($this->aDSNInfo['username'])) {

-            $sBaseCmd .= ' -U '.$this->aDSNInfo['username'];
+            $sBaseCmd .= ' -U '.escapeshellarg($this->aDSNInfo['username']);

         }
 
         info('Index ranks 0 - 4');
         }
 
         info('Index ranks 0 - 4');


@@ -740,15 +744,18 @@ class SetupFunctions
 
     private function pgsqlRunDropAndRestore($sDumpFile)
     {
 
     private function pgsqlRunDropAndRestore($sDumpFile)
     {

-        $sCMD = 'pg_restore -p '.$this->aDSNInfo['port'].' -d '.$this->aDSNInfo['database'].' --no-owner -Fc --clean '.$sDumpFile;
+        $sCMD = 'pg_restore'
+            .' -p '.escapeshellarg($this->aDSNInfo['port'])
+            .' -d '.escapeshellarg($this->aDSNInfo['database'])
+            .' --no-owner -Fc --clean '.escapeshellarg($sDumpFile);

         if ($this->oDB->getPostgresVersion() >= 9.04) {
             $sCMD .= ' --if-exists';
         }
         if (isset($this->aDSNInfo['hostspec'])) {
         if ($this->oDB->getPostgresVersion() >= 9.04) {
             $sCMD .= ' --if-exists';
         }
         if (isset($this->aDSNInfo['hostspec'])) {

-            $sCMD .= ' -h '.$this->aDSNInfo['hostspec'];
+            $sCMD .= ' -h '.escapeshellarg($this->aDSNInfo['hostspec']);

         }
         if (isset($this->aDSNInfo['username'])) {
         }
         if (isset($this->aDSNInfo['username'])) {

-            $sCMD .= ' -U '.$this->aDSNInfo['username'];
+            $sCMD .= ' -U '.escapeshellarg($this->aDSNInfo['username']);

         }
 
         $this->runWithPgEnv($sCMD);
         }
 
         $this->runWithPgEnv($sCMD);


@@ -812,15 +819,17 @@ class SetupFunctions
     {
         if (!file_exists($sFilename)) fail('unable to find '.$sFilename);
 
     {
         if (!file_exists($sFilename)) fail('unable to find '.$sFilename);
 

-        $sCMD = 'psql -p '.$this->aDSNInfo['port'].' -d '.$this->aDSNInfo['database'];
+        $sCMD = 'psql'
+            .' -p '.escapeshellarg($this->aDSNInfo['port'])
+            .' -d '.escapeshellarg($this->aDSNInfo['database']);

         if (!$this->bVerbose) {
             $sCMD .= ' -q';
         }
         if (isset($this->aDSNInfo['hostspec'])) {
         if (!$this->bVerbose) {
             $sCMD .= ' -q';
         }
         if (isset($this->aDSNInfo['hostspec'])) {

-            $sCMD .= ' -h '.$this->aDSNInfo['hostspec'];
+            $sCMD .= ' -h '.escapeshellarg($this->aDSNInfo['hostspec']);

         }
         if (isset($this->aDSNInfo['username'])) {
         }
         if (isset($this->aDSNInfo['username'])) {

-            $sCMD .= ' -U '.$this->aDSNInfo['username'];
+            $sCMD .= ' -U '.escapeshellarg($this->aDSNInfo['username']);

         }
         $aProcEnv = null;
         if (isset($this->aDSNInfo['password'])) {
         }
         $aProcEnv = null;
         if (isset($this->aDSNInfo['password'])) {


@@ -833,12 +842,12 @@ class SetupFunctions
                              1 => array('pipe', 'w'),
                              2 => array('file', '/dev/null', 'a')
                             );
                              1 => array('pipe', 'w'),
                              2 => array('file', '/dev/null', 'a')
                             );

-            $hGzipProcess = proc_open('zcat '.$sFilename, $aDescriptors, $ahGzipPipes);
+            $hGzipProcess = proc_open('zcat '.escapeshellarg($sFilename), $aDescriptors, $ahGzipPipes);

             if (!is_resource($hGzipProcess)) fail('unable to start zcat');
             $aReadPipe = $ahGzipPipes[1];
             fclose($ahGzipPipes[0]);
         } else {
             if (!is_resource($hGzipProcess)) fail('unable to start zcat');
             $aReadPipe = $ahGzipPipes[1];
             fclose($ahGzipPipes[0]);
         } else {

-            $sCMD .= ' -f '.$sFilename;
+            $sCMD .= ' -f '.escapeshellarg($sFilename);

             $aReadPipe = array('pipe', 'r');
         }
         $aDescriptors = array(
             $aReadPipe = array('pipe', 'r');
         }
         $aDescriptors = array(