
Re: [mv] Userdb password security/ Security ?



Quoting Mike Heins (mike@minivend.com):
> I will put some sort of solution in MiniVend 4, and probably issue
> a patch for 3.
> 

As I discussed, there is a new directive:

	NoSearch   ^userdb*

That is the default value. If you put other tablenames (with dos-ish
wildcards, i.e. ^secret_table* will match secret_table, secret_table_2,
etc.)

The value must be set in toto every time, i.e. it is not incremental.

MV3 SQL security will lag far behind, for there is no real way to parse
that out of mv_sql_query. MV4 should handle that.

To temporarily disable this in MiniVend 4, you can do:

	$Config->{NoSearch} = '';

Next server that is forked should have the original value, but that means
it will be persistent in Windows, so you should save and set it back. 8-\
I will probably add it to the list of things that get shadowed, so the Windows
condition will be temporary.

Patches are attached for both MV4 alpha 10 and minivend-3.14-4.

-- 
Mike Heins                          http://www.minivend.com/  ___ 
                                    Internet Robotics        |_ _|____
Few blame themselves until they     131 Willow Lane, Floor 2  | ||  _ \
have exhausted all other            Oxford, OH  45056         | || |_) |
possibilities.                      <mikeh@minivend.com>     |___|  _ <
 -- anonymous                       513.523.7621 FAX 7501        |_| \_\
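As an added illustration of the wildcard-to-regex conversion and table-name check that the NoSearch directive described above is meant to provide (hypothetical code written here, not MiniVend's parse_wildcard or the attached patches; the function names, the whole-name anchoring and the `?` wildcard are assumptions):

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not MiniVend's parse_wildcard): turn a whitespace-
# separated NoSearch value of DOS-ish wildcards (* = any run, ? = one char)
# into a single Perl regex that must match the WHOLE table name.  A leading
# ^ is accepted for compatibility with the mail's examples; every other
# character is escaped with quotemeta, so the result always compiles.
sub wildcard_to_regex {
    my ($spec) = @_;
    my @alts;
    for my $pat (split ' ', $spec) {   # split ' ' ignores leading/trailing blanks
        (my $p = $pat) =~ s/^\^//;     # whole-name anchoring makes ^ redundant
        my $body = join '', map {
            $_ eq '*' ? '.*' : $_ eq '?' ? '.' : quotemeta($_)
        } split //, $p;
        push @alts, $body;
    }
    return undef unless @alts;         # empty value: NoSearch disabled
    my $re = '^(?:' . join('|', @alts) . ')$';
    return qr/$re/;
}

# Decide on the table NAME as written in the catalog, not on the file it
# is later mapped to, so the directive filters on what the admin configured.
sub table_searchable {
    my ($nosearch_re, $table) = @_;
    return 1 unless defined $nosearch_re;
    return $table =~ $nosearch_re ? 0 : 1;
}

# Constructed check of the semantics the mail describes: userdb and
# secret_table (and their _2 variants) are blocked, products is not,
# and myuserdb is not caught by the anchored ^userdb* pattern.
my $re = wildcard_to_regex('^userdb* ^secret_table*');
for my $t (qw(userdb userdb_2 secret_table secret_table_2 products myuserdb)) {
    printf "%-15s %s\n", $t, table_searchable($re, $t) ? 'searchable' : 'blocked';
}
```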
diff -b -xRCS -I # Copyright\|$Id:\|__MVC_\|^ *$VERSION *=\|^[ 	]*$[A-z_:]*VendRoot\|^ *(#define\|^#*::log|^#!/ -r -c /r/Config.pm /rt/Config.pm
*** /r/Config.pm	Mon Jan 10 23:28:35 2000
--- /rt/Config.pm	Tue Jan 25 02:05:43 2000
***************
*** 331,336 ****
--- 331,337 ----
  	['DirectiveDatabase', undef,             ''],
  	['VariableDatabase',  undef,         	 ''],
      ['RequiredFields',   undef,              ''],
+     ['NoSearch',         'wildcard',         'userdb'],
      ['OrderCounter',	 undef,     	     ''],
      ['ImageAlias',	 	 'hash',     	     ''],
      ['Filter',		 	 'hash',     	     ''],
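Review bot: the default value 'userdb' added here differs from both the `^userdb*` quoted in the mail and the `'^userdb'` default in the MV3 hunk below, and because Scan.pm applies it unanchored it also blocks any table whose name merely contains userdb; settle on one default in both trees, e.g. `['NoSearch', 'wildcard', '^userdb*'],`, so the shipped behaviour matches the documented one.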
***************
*** 1591,1596 ****
--- 1592,1617 ----
  
  	$c;
  }
+ 
+ # Make a dos-ish regex into a Perl regex, check for errors
+ sub parse_wildcard {
+     my($var, $value) = @_;
+ 
+ 	$value =~ s/\./\\./g;
+ 	$value =~ s/\*/.*/g;
+ 	$value =~ s/\*/.*/g;
+ 	$value =~ s/\s+/|/g;
+ 	eval {  
+ 		my $never = 'NeVAirBE';
+ 		$never =~ m{$value};
+ 	};
+ 
+ 	if($@) {
+ 		config_error("Bad regular expression in $var.");
+ 	}
+     return $value;
+ }
+ 
  
  # Check that a regex won't cause a syntax error. Uses m{}, which
  # should be used for all user-input regexes.
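Review bot: the two identical `$value =~ s/\*/.*/g;` lines in parse_wildcard are not a harmless duplicate: the second pass rewrites the `.*` produced by the first into `..*`, which requires at least one character after the prefix, so `^secret_table*` compiles to `^secret_table..*` and no longer matches the bare table secret_table that the mail says it should; drop the second line. Separately, `s/\s+/|/g` turns leading or trailing whitespace in the value into an empty alternative that matches every table name (`split ' ', $value` joined with `|` avoids that), and `?`, the other dos-ish wildcard, is not translated at all.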
diff -b -xRCS -I # Copyright\|$Id:\|__MVC_\|^ *$VERSION *=\|^[ 	]*$[A-z_:]*VendRoot\|^ *(#define\|^#*::log|^#!/ -r -c /r/Scan.pm /rt/Scan.pm
*** /r/Scan.pm	Sun Jan 16 15:14:59 2000
--- /rt/Scan.pm	Tue Jan 25 01:53:45 2000
***************
*** 877,882 ****
--- 877,884 ----
  			$_ = $Vend::Cfg->{Database}{$_}{'file'}
  				if defined $Vend::Cfg->{Database}{$_}{'file'};
  		}
+ 		$ok &&= $_ !~ /$Vend::Cfg->{NoSearch}/
+ 			if $Vend::Cfg->{NoSearch};
          push @$passed, $_ if $ok;
      }
      return $passed if @$passed;
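Review bot: the NoSearch test runs after `$_` has been replaced with `$Vend::Cfg->{Database}{$_}{'file'}`, so for tables that define a file the wildcard is matched against the file name rather than the table name the administrator wrote in the directive. Evaluate the pattern against the table name before that substitution (or keep the original name in a separate variable), and note that the match is unanchored, so a pattern like `userdb` also blocks unrelated tables whose names contain that string.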
diff -b -xRCS -I # Copyright\|$Id:\|__MVC_\|^ *$VERSION *=\|^[ 	]*$[A-z_:]*VendRoot\|^ *(#define\|^#*::log|^#!/ -r -c -c minivend-3.14-4/lib/Vend/Config.pm minivend-3.14-5/lib/Vend/Config.pm
*** minivend-3.14-4/lib/Vend/Config.pm	Sun Aug 22 06:36:03 1999
--- minivend-3.14-5/lib/Vend/Config.pm	Tue Jan 25 02:03:57 2000
***************
*** 177,182 ****
--- 177,183 ----
                                                    $r } ],
  	['MailErrorTo',		  undef,			 'webmaster'],
  	['NoAbsolute',		 'yesno',			 'No'],
+ 	['NoSearch',         'wildcard',         '^userdb'],
  	['AllowGlobal',		 'boolean',			 '_mv_admin'],
  	['AddDirective',	 'directive',		 ''],
  	['UserTag',			 'tag',				 ''],
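Review bot: the MV3 default is `'^userdb'` while the MV4 hunk above uses `'userdb'` and the mail quotes `^userdb*`; pick one value for both trees so that a catalog with no explicit NoSearch behaves identically under either release.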
***************
*** 1334,1339 ****
--- 1335,1359 ----
  	if $value !~ m.^/.;
      $value =~ s./$..;
      $value;
+ }
+ 
+ # Make a dos-ish regex into a Perl regex, check for errors
+ sub parse_wildcard {
+     my($var, $value) = @_;
+ 
+ 	$value =~ s/\./\\./g;
+ 	$value =~ s/\*/.*/g;
+ 	$value =~ s/\*/.*/g;
+ 	$value =~ s/\s+/|/g;
+ 	eval {
+ 	  my $never = 'NeVAirBE';
+ 	  $never =~ m{$value};
+ 	};
+ 
+ 	if($@) {
+ 	  config_error("Bad regular expression in $var.");
+ 	}
+ 	return $value;
  }
  
  # Check that a regex won't cause a syntax error. Uses m{}, which
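Review bot: same duplicated `$value =~ s/\*/.*/g;` as in the MV4 copy of parse_wildcard: the second substitution turns `.*` into `..*`, so a pattern ending in `*` demands at least one extra character and `^secret_table*` no longer matches secret_table; remove the second line and keep the two trees' copies identical.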
diff -b -xRCS -I # Copyright\|$Id:\|__MVC_\|^ *$VERSION *=\|^[ 	]*$[A-z_:]*VendRoot\|^ *(#define\|^#*::log|^#!/ -r -c -c minivend-3.14-4/lib/Vend/Scan.pm minivend-3.14-5/lib/Vend/Scan.pm
*** minivend-3.14-4/lib/Vend/Scan.pm	Mon Jun  7 04:10:11 1999
--- minivend-3.14-5/lib/Vend/Scan.pm	Tue Jan 25 02:01:09 2000
***************
*** 1245,1250 ****
--- 1245,1252 ----
  			$_ = $Vend::Cfg->{Database}{$_}{'file'}
  				if defined $Vend::Cfg->{Database}{$_}{'file'};
  		}
+ 		$ok &&= $_ !~ /$Vend::Cfg->{NoSearch}/
+ 		    if $Vend::Cfg->{NoSearch};
          push @$passed, $_ if $ok;
      }
      return $passed if @$passed;
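Review bot: as in the MV4 Scan.pm hunk, the NoSearch check sits after `$_` has been reassigned to the database file name, so it tests the file rather than the table name; move it above the `$_ = $Vend::Cfg->{Database}{$_}{'file'}` assignment (or test a saved copy of the table name) so the directive filters on what the administrator configured.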
