From 9cfd891fb981a2a4241e24c4f3c4b5519eceda48 Mon Sep 17 00:00:00 2001 From: marc tobias Date: Tue, 5 Nov 2019 23:50:46 +0100 Subject: [PATCH] setup: escape arguments when executing shell commands (psql, createdb) --- lib/DB.php | 2 +- lib/cmd.php | 8 ++++-- lib/setup/SetupClass.php | 61 +++++++++++++++++++++++----------------- 3 files changed, 41 insertions(+), 30 deletions(-) diff --git a/lib/DB.php b/lib/DB.php index 51fd49fc..ddc0932c 100644 --- a/lib/DB.php +++ b/lib/DB.php @@ -284,7 +284,7 @@ class DB { // https://secure.php.net/manual/en/ref.pdo-pgsql.connection.php $aInfo = array(); - if (preg_match('/^pgsql:(.+)/', $sDSN, $aMatches)) { + if (preg_match('/^pgsql:(.+)$/', $sDSN, $aMatches)) { foreach (explode(';', $aMatches[1]) as $sKeyVal) { list($sKey, $sVal) = explode('=', $sKeyVal, 2); if ($sKey == 'host') $sKey = 'hostspec'; diff --git a/lib/cmd.php b/lib/cmd.php index 32fdc857..77878c15 100644 --- a/lib/cmd.php +++ b/lib/cmd.php @@ -148,12 +148,14 @@ function runSQLScript($sScript, $bfatal = true, $bVerbose = false, $bIgnoreError // Convert database DSN to psql parameters $aDSNInfo = \Nominatim\DB::parseDSN(CONST_Database_DSN); if (!isset($aDSNInfo['port']) || !$aDSNInfo['port']) $aDSNInfo['port'] = 5432; - $sCMD = 'psql -p '.$aDSNInfo['port'].' -d '.$aDSNInfo['database']; + $sCMD = 'psql' + .' -p '.escapeshellarg($aDSNInfo['port']) + .' -d '.escapeshellarg($aDSNInfo['database']); if (isset($aDSNInfo['hostspec']) && $aDSNInfo['hostspec']) { - $sCMD .= ' -h ' . $aDSNInfo['hostspec']; + $sCMD .= ' -h ' . escapeshellarg($aDSNInfo['hostspec']); } if (isset($aDSNInfo['username']) && $aDSNInfo['username']) { - $sCMD .= ' -U ' . $aDSNInfo['username']; + $sCMD .= ' -U ' . escapeshellarg($aDSNInfo['username']); } $aProcEnv = null; if (isset($aDSNInfo['password']) && $aDSNInfo['password']) { diff --git a/lib/setup/SetupClass.php b/lib/setup/SetupClass.php index b6705968..b8070e4a 100755 --- a/lib/setup/SetupClass.php +++ b/lib/setup/SetupClass.php @@ -80,13 +80,15 @@ class SetupFunctions fail('database already exists ('.CONST_Database_DSN.')'); } - $sCreateDBCmd = 'createdb -E UTF-8 -p '.$this->aDSNInfo['port'].' '.$this->aDSNInfo['database']; + $sCreateDBCmd = 'createdb -E UTF-8' + .' -p '.escapeshellarg($this->aDSNInfo['port']) + .' '.escapeshellarg($this->aDSNInfo['database']); if (isset($this->aDSNInfo['username'])) { - $sCreateDBCmd .= ' -U '.$this->aDSNInfo['username']; + $sCreateDBCmd .= ' -U '.escapeshellarg($this->aDSNInfo['username']); } if (isset($this->aDSNInfo['hostspec'])) { - $sCreateDBCmd .= ' -h '.$this->aDSNInfo['hostspec']; + $sCreateDBCmd .= ' -h '.escapeshellarg($this->aDSNInfo['hostspec']); } $result = $this->runWithPgEnv($sCreateDBCmd); @@ -178,30 +180,30 @@ class SetupFunctions fail("osm2pgsql not found in '$osm2pgsql'"); } - $osm2pgsql .= ' -S '.CONST_Import_Style; + $osm2pgsql .= ' -S '.escapeshellarg(CONST_Import_Style); if (!is_null(CONST_Osm2pgsql_Flatnode_File) && CONST_Osm2pgsql_Flatnode_File) { - $osm2pgsql .= ' --flat-nodes '.CONST_Osm2pgsql_Flatnode_File; + $osm2pgsql .= ' --flat-nodes '.escapeshellarg(CONST_Osm2pgsql_Flatnode_File); } if (CONST_Tablespace_Osm2pgsql_Data) - $osm2pgsql .= ' --tablespace-slim-data '.CONST_Tablespace_Osm2pgsql_Data; + $osm2pgsql .= ' --tablespace-slim-data '.escapeshellarg(CONST_Tablespace_Osm2pgsql_Data); if (CONST_Tablespace_Osm2pgsql_Index) - $osm2pgsql .= ' --tablespace-slim-index '.CONST_Tablespace_Osm2pgsql_Index; + $osm2pgsql .= ' --tablespace-slim-index '.escapeshellarg(CONST_Tablespace_Osm2pgsql_Index); if (CONST_Tablespace_Place_Data) - $osm2pgsql .= ' --tablespace-main-data '.CONST_Tablespace_Place_Data; + $osm2pgsql .= ' --tablespace-main-data '.escapeshellarg(CONST_Tablespace_Place_Data); if (CONST_Tablespace_Place_Index) - $osm2pgsql .= ' --tablespace-main-index '.CONST_Tablespace_Place_Index; + $osm2pgsql .= ' --tablespace-main-index '.escapeshellarg(CONST_Tablespace_Place_Index); $osm2pgsql .= ' -lsc -O gazetteer --hstore --number-processes 1'; - $osm2pgsql .= ' -C '.$this->iCacheMemory; - $osm2pgsql .= ' -P '.$this->aDSNInfo['port']; + $osm2pgsql .= ' -C '.escapeshellarg($this->iCacheMemory); + $osm2pgsql .= ' -P '.escapeshellarg($this->aDSNInfo['port']); if (isset($this->aDSNInfo['username'])) { - $osm2pgsql .= ' -U '.$this->aDSNInfo['username']; + $osm2pgsql .= ' -U '.escapeshellarg($this->aDSNInfo['username']); } if (isset($this->aDSNInfo['hostspec'])) { - $osm2pgsql .= ' -H '.$this->aDSNInfo['hostspec']; + $osm2pgsql .= ' -H '.escapeshellarg($this->aDSNInfo['hostspec']); } - $osm2pgsql .= ' -d '.$this->aDSNInfo['database'].' '.$sOSMFile; + $osm2pgsql .= ' -d '.escapeshellarg($this->aDSNInfo['database']).' '.escapeshellarg($sOSMFile); $this->runWithPgEnv($osm2pgsql); @@ -595,13 +597,15 @@ class SetupFunctions public function index($bIndexNoanalyse) { $sOutputFile = ''; - $sBaseCmd = CONST_InstallPath.'/nominatim/nominatim -i -d '.$this->aDSNInfo['database'].' -P ' - .$this->aDSNInfo['port'].' -t '.$this->iInstances.$sOutputFile; + $sBaseCmd = CONST_InstallPath.'/nominatim/nominatim -i' + .' -d '.escapeshellarg($this->aDSNInfo['database']) + .' -P '.escapeshellarg($this->aDSNInfo['port']) + .' -t '.escapeshellarg($this->iInstances.$sOutputFile); if (isset($this->aDSNInfo['hostspec'])) { - $sBaseCmd .= ' -H '.$this->aDSNInfo['hostspec']; + $sBaseCmd .= ' -H '.escapeshellarg($this->aDSNInfo['hostspec']); } if (isset($this->aDSNInfo['username'])) { - $sBaseCmd .= ' -U '.$this->aDSNInfo['username']; + $sBaseCmd .= ' -U '.escapeshellarg($this->aDSNInfo['username']); } info('Index ranks 0 - 4'); @@ -740,15 +744,18 @@ class SetupFunctions private function pgsqlRunDropAndRestore($sDumpFile) { - $sCMD = 'pg_restore -p '.$this->aDSNInfo['port'].' -d '.$this->aDSNInfo['database'].' --no-owner -Fc --clean '.$sDumpFile; + $sCMD = 'pg_restore' + .' -p '.escapeshellarg($this->aDSNInfo['port']) + .' -d '.escapeshellarg($this->aDSNInfo['database']) + .' --no-owner -Fc --clean '.escapeshellarg($sDumpFile); if ($this->oDB->getPostgresVersion() >= 9.04) { $sCMD .= ' --if-exists'; } if (isset($this->aDSNInfo['hostspec'])) { - $sCMD .= ' -h '.$this->aDSNInfo['hostspec']; + $sCMD .= ' -h '.escapeshellarg($this->aDSNInfo['hostspec']); } if (isset($this->aDSNInfo['username'])) { - $sCMD .= ' -U '.$this->aDSNInfo['username']; + $sCMD .= ' -U '.escapeshellarg($this->aDSNInfo['username']); } $this->runWithPgEnv($sCMD); @@ -812,15 +819,17 @@ class SetupFunctions { if (!file_exists($sFilename)) fail('unable to find '.$sFilename); - $sCMD = 'psql -p '.$this->aDSNInfo['port'].' -d '.$this->aDSNInfo['database']; + $sCMD = 'psql' + .' -p '.escapeshellarg($this->aDSNInfo['port']) + .' -d '.escapeshellarg($this->aDSNInfo['database']); if (!$this->bVerbose) { $sCMD .= ' -q'; } if (isset($this->aDSNInfo['hostspec'])) { - $sCMD .= ' -h '.$this->aDSNInfo['hostspec']; + $sCMD .= ' -h '.escapeshellarg($this->aDSNInfo['hostspec']); } if (isset($this->aDSNInfo['username'])) { - $sCMD .= ' -U '.$this->aDSNInfo['username']; + $sCMD .= ' -U '.escapeshellarg($this->aDSNInfo['username']); } $aProcEnv = null; if (isset($this->aDSNInfo['password'])) { @@ -833,12 +842,12 @@ class SetupFunctions 1 => array('pipe', 'w'), 2 => array('file', '/dev/null', 'a') ); - $hGzipProcess = proc_open('zcat '.$sFilename, $aDescriptors, $ahGzipPipes); + $hGzipProcess = proc_open('zcat '.escapeshellarg($sFilename), $aDescriptors, $ahGzipPipes); if (!is_resource($hGzipProcess)) fail('unable to start zcat'); $aReadPipe = $ahGzipPipes[1]; fclose($ahGzipPipes[0]); } else { - $sCMD .= ' -f '.$sFilename; + $sCMD .= ' -f '.escapeshellarg($sFilename); $aReadPipe = array('pipe', 'r'); } $aDescriptors = array( -- 2.39.5