- more injection
- less static calls - use params on sql queries - handle sql exception on database and user creation gracefully
This commit is contained in:
parent
114f128fc3
commit
c3cac887f5
|
@ -61,7 +61,10 @@ class Install extends Command {
|
||||||
protected function execute(InputInterface $input, OutputInterface $output) {
|
protected function execute(InputInterface $input, OutputInterface $output) {
|
||||||
|
|
||||||
// validate the environment
|
// validate the environment
|
||||||
$setupHelper = new Setup($this->config, \OC::$server->getIniWrapper(), \OC::$server->getL10N('lib'), new \OC_Defaults());
|
$server = \OC::$server;
|
||||||
|
$setupHelper = new Setup($this->config, $server->getIniWrapper(),
|
||||||
|
$server->getL10N('lib'), new \OC_Defaults(), $server->getLogger(),
|
||||||
|
$server->getSecureRandom());
|
||||||
$sysInfo = $setupHelper->getSystemInfo(true);
|
$sysInfo = $setupHelper->getSystemInfo(true);
|
||||||
$errors = $sysInfo['errors'];
|
$errors = $sysInfo['errors'];
|
||||||
if (count($errors) > 0) {
|
if (count($errors) > 0) {
|
||||||
|
|
|
@ -835,7 +835,9 @@ class OC {
|
||||||
// Check if ownCloud is installed or in maintenance (update) mode
|
// Check if ownCloud is installed or in maintenance (update) mode
|
||||||
if (!$systemConfig->getValue('installed', false)) {
|
if (!$systemConfig->getValue('installed', false)) {
|
||||||
\OC::$server->getSession()->clear();
|
\OC::$server->getSession()->clear();
|
||||||
$setupHelper = new OC\Setup(\OC::$server->getConfig(), \OC::$server->getIniWrapper(), \OC::$server->getL10N('lib'), new \OC_Defaults());
|
$setupHelper = new OC\Setup(\OC::$server->getConfig(), \OC::$server->getIniWrapper(),
|
||||||
|
\OC::$server->getL10N('lib'), new \OC_Defaults(), \OC::$server->getLogger(),
|
||||||
|
\OC::$server->getSecureRandom());
|
||||||
$controller = new OC\Core\Setup\Controller($setupHelper);
|
$controller = new OC\Core\Setup\Controller($setupHelper);
|
||||||
$controller->run($_POST);
|
$controller->run($_POST);
|
||||||
exit();
|
exit();
|
||||||
|
|
|
@ -39,6 +39,8 @@ use bantu\IniGetWrapper\IniGetWrapper;
|
||||||
use Exception;
|
use Exception;
|
||||||
use OCP\IConfig;
|
use OCP\IConfig;
|
||||||
use OCP\IL10N;
|
use OCP\IL10N;
|
||||||
|
use OCP\ILogger;
|
||||||
|
use OCP\Security\ISecureRandom;
|
||||||
|
|
||||||
class Setup {
|
class Setup {
|
||||||
/** @var \OCP\IConfig */
|
/** @var \OCP\IConfig */
|
||||||
|
@ -49,6 +51,10 @@ class Setup {
|
||||||
protected $l10n;
|
protected $l10n;
|
||||||
/** @var \OC_Defaults */
|
/** @var \OC_Defaults */
|
||||||
protected $defaults;
|
protected $defaults;
|
||||||
|
/** @var ILogger */
|
||||||
|
protected $logger;
|
||||||
|
/** @var ISecureRandom */
|
||||||
|
protected $random;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param IConfig $config
|
* @param IConfig $config
|
||||||
|
@ -58,11 +64,16 @@ class Setup {
|
||||||
function __construct(IConfig $config,
|
function __construct(IConfig $config,
|
||||||
IniGetWrapper $iniWrapper,
|
IniGetWrapper $iniWrapper,
|
||||||
IL10N $l10n,
|
IL10N $l10n,
|
||||||
\OC_Defaults $defaults) {
|
\OC_Defaults $defaults,
|
||||||
|
ILogger $logger,
|
||||||
|
ISecureRandom $random
|
||||||
|
) {
|
||||||
$this->config = $config;
|
$this->config = $config;
|
||||||
$this->iniWrapper = $iniWrapper;
|
$this->iniWrapper = $iniWrapper;
|
||||||
$this->l10n = $l10n;
|
$this->l10n = $l10n;
|
||||||
$this->defaults = $defaults;
|
$this->defaults = $defaults;
|
||||||
|
$this->logger = $logger;
|
||||||
|
$this->random = $random;
|
||||||
}
|
}
|
||||||
|
|
||||||
static $dbSetupClasses = array(
|
static $dbSetupClasses = array(
|
||||||
|
@ -249,7 +260,8 @@ class Setup {
|
||||||
|
|
||||||
$class = self::$dbSetupClasses[$dbType];
|
$class = self::$dbSetupClasses[$dbType];
|
||||||
/** @var \OC\Setup\AbstractDatabase $dbSetup */
|
/** @var \OC\Setup\AbstractDatabase $dbSetup */
|
||||||
$dbSetup = new $class($l, 'db_structure.xml', $this->config);
|
$dbSetup = new $class($l, 'db_structure.xml', $this->config,
|
||||||
|
$this->logger, $this->random);
|
||||||
$error = array_merge($error, $dbSetup->validate($options));
|
$error = array_merge($error, $dbSetup->validate($options));
|
||||||
|
|
||||||
// validate the data directory
|
// validate the data directory
|
||||||
|
@ -284,9 +296,9 @@ class Setup {
|
||||||
}
|
}
|
||||||
|
|
||||||
//generate a random salt that is used to salt the local user passwords
|
//generate a random salt that is used to salt the local user passwords
|
||||||
$salt = \OC::$server->getSecureRandom()->getLowStrengthGenerator()->generate(30);
|
$salt = $this->random->getLowStrengthGenerator()->generate(30);
|
||||||
// generate a secret
|
// generate a secret
|
||||||
$secret = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(48);
|
$secret = $this->random->getMediumStrengthGenerator()->generate(48);
|
||||||
|
|
||||||
//write the config file
|
//write the config file
|
||||||
$this->config->setSystemValues([
|
$this->config->setSystemValues([
|
||||||
|
@ -351,7 +363,7 @@ class Setup {
|
||||||
|
|
||||||
//try to write logtimezone
|
//try to write logtimezone
|
||||||
if (date_default_timezone_get()) {
|
if (date_default_timezone_get()) {
|
||||||
\OC_Config::setValue('logtimezone', date_default_timezone_get());
|
$config->setSystemValue('logtimezone', date_default_timezone_get());
|
||||||
}
|
}
|
||||||
|
|
||||||
//and we are done
|
//and we are done
|
||||||
|
@ -389,7 +401,9 @@ class Setup {
|
||||||
* @throws \OC\HintException If .htaccess does not include the current version
|
* @throws \OC\HintException If .htaccess does not include the current version
|
||||||
*/
|
*/
|
||||||
public static function updateHtaccess() {
|
public static function updateHtaccess() {
|
||||||
$setupHelper = new \OC\Setup(\OC::$server->getConfig(), \OC::$server->getIniWrapper(), \OC::$server->getL10N('lib'), new \OC_Defaults());
|
$setupHelper = new \OC\Setup(\OC::$server->getConfig(), \OC::$server->getIniWrapper(),
|
||||||
|
\OC::$server->getL10N('lib'), new \OC_Defaults(), \OC::$server->getLogger(),
|
||||||
|
\OC::$server->getSecureRandom());
|
||||||
if(!$setupHelper->isCurrentHtaccess()) {
|
if(!$setupHelper->isCurrentHtaccess()) {
|
||||||
throw new \OC\HintException('.htaccess file has the wrong version. Please upload the correct version. Maybe you forgot to replace it after updating?');
|
throw new \OC\HintException('.htaccess file has the wrong version. Please upload the correct version. Maybe you forgot to replace it after updating?');
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,6 +23,8 @@
|
||||||
namespace OC\Setup;
|
namespace OC\Setup;
|
||||||
|
|
||||||
use OCP\IConfig;
|
use OCP\IConfig;
|
||||||
|
use OCP\ILogger;
|
||||||
|
use OCP\Security\ISecureRandom;
|
||||||
|
|
||||||
abstract class AbstractDatabase {
|
abstract class AbstractDatabase {
|
||||||
|
|
||||||
|
@ -42,11 +44,17 @@ abstract class AbstractDatabase {
|
||||||
protected $tablePrefix;
|
protected $tablePrefix;
|
||||||
/** @var IConfig */
|
/** @var IConfig */
|
||||||
protected $config;
|
protected $config;
|
||||||
|
/** @var ILogger */
|
||||||
|
protected $logger;
|
||||||
|
/** @var ISecureRandom */
|
||||||
|
protected $random;
|
||||||
|
|
||||||
public function __construct($trans, $dbDefinitionFile, IConfig $config) {
|
public function __construct($trans, $dbDefinitionFile, IConfig $config, ILogger $logger, ISecureRandom $random) {
|
||||||
$this->trans = $trans;
|
$this->trans = $trans;
|
||||||
$this->dbDefinitionFile = $dbDefinitionFile;
|
$this->dbDefinitionFile = $dbDefinitionFile;
|
||||||
$this->config = $config;
|
$this->config = $config;
|
||||||
|
$this->logger = $logger;
|
||||||
|
$this->random = $random;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function validate($config) {
|
public function validate($config) {
|
||||||
|
@ -70,7 +78,7 @@ abstract class AbstractDatabase {
|
||||||
$dbHost = !empty($config['dbhost']) ? $config['dbhost'] : 'localhost';
|
$dbHost = !empty($config['dbhost']) ? $config['dbhost'] : 'localhost';
|
||||||
$dbTablePrefix = isset($config['dbtableprefix']) ? $config['dbtableprefix'] : 'oc_';
|
$dbTablePrefix = isset($config['dbtableprefix']) ? $config['dbtableprefix'] : 'oc_';
|
||||||
|
|
||||||
\OC_Config::setValues([
|
$this->config->setSystemValues([
|
||||||
'dbname' => $dbName,
|
'dbname' => $dbName,
|
||||||
'dbhost' => $dbHost,
|
'dbhost' => $dbHost,
|
||||||
'dbtableprefix' => $dbTablePrefix,
|
'dbtableprefix' => $dbTablePrefix,
|
||||||
|
|
|
@ -24,6 +24,7 @@
|
||||||
namespace OC\Setup;
|
namespace OC\Setup;
|
||||||
|
|
||||||
use OC\DB\ConnectionFactory;
|
use OC\DB\ConnectionFactory;
|
||||||
|
use OCP\IDBConnection;
|
||||||
|
|
||||||
class MySQL extends AbstractDatabase {
|
class MySQL extends AbstractDatabase {
|
||||||
public $dbprettyname = 'MySQL/MariaDB';
|
public $dbprettyname = 'MySQL/MariaDB';
|
||||||
|
@ -31,58 +32,15 @@ class MySQL extends AbstractDatabase {
|
||||||
public function setupDatabase($username) {
|
public function setupDatabase($username) {
|
||||||
//check if the database user has admin right
|
//check if the database user has admin right
|
||||||
$connection = $this->connect();
|
$connection = $this->connect();
|
||||||
//user already specified in config
|
|
||||||
$oldUser=\OC_Config::getValue('dbuser', false);
|
|
||||||
|
|
||||||
//we don't have a dbuser specified in config
|
$this->createSpecificUser($username, $connection);
|
||||||
if($this->dbUser!=$oldUser) {
|
|
||||||
//add prefix to the admin username to prevent collisions
|
|
||||||
$adminUser=substr('oc_'.$username, 0, 16);
|
|
||||||
|
|
||||||
$i = 1;
|
|
||||||
while(true) {
|
|
||||||
//this should be enough to check for admin rights in mysql
|
|
||||||
$query="SELECT user FROM mysql.user WHERE user='$adminUser'";
|
|
||||||
$result = $connection->executeQuery($query);
|
|
||||||
|
|
||||||
//current dbuser has admin rights
|
|
||||||
if($result) {
|
|
||||||
$data = $result->fetchAll();
|
|
||||||
//new dbuser does not exist
|
|
||||||
if(count($data) === 0) {
|
|
||||||
//use the admin login data for the new database user
|
|
||||||
$this->dbUser=$adminUser;
|
|
||||||
|
|
||||||
//create a random password so we don't need to store the admin password in the config file
|
|
||||||
$this->dbPassword=\OC_Util::generateRandomBytes(30);
|
|
||||||
|
|
||||||
$this->createDBUser($connection);
|
|
||||||
|
|
||||||
break;
|
|
||||||
} else {
|
|
||||||
//repeat with different username
|
|
||||||
$length=strlen((string)$i);
|
|
||||||
$adminUser=substr('oc_'.$username, 0, 16 - $length).$i;
|
|
||||||
$i++;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
\OC_Config::setValues([
|
|
||||||
'dbuser' => $this->dbUser,
|
|
||||||
'dbpassword' => $this->dbPassword,
|
|
||||||
]);
|
|
||||||
}
|
|
||||||
|
|
||||||
//create the database
|
//create the database
|
||||||
$this->createDatabase($connection);
|
$this->createDatabase($connection);
|
||||||
|
|
||||||
//fill the database if needed
|
//fill the database if needed
|
||||||
$query='select count(*) from information_schema.tables'
|
$query='select count(*) from information_schema.tables where table_schema=? AND table_name = ?';
|
||||||
." where table_schema='".$this->dbName."' AND table_name = '".$this->tablePrefix."users';";
|
$result = $connection->executeQuery($query, [$this->dbName, $this->tablePrefix.'users']);
|
||||||
$result = $connection->executeQuery($query);
|
|
||||||
$row = $result->fetch();
|
$row = $result->fetch();
|
||||||
if(!$result or $row[0]==0) {
|
if(!$result or $row[0]==0) {
|
||||||
\OC_DB::createDbFromStructure($this->dbDefinitionFile);
|
\OC_DB::createDbFromStructure($this->dbDefinitionFile);
|
||||||
|
@ -93,6 +51,7 @@ class MySQL extends AbstractDatabase {
|
||||||
* @param \OC\DB\Connection $connection
|
* @param \OC\DB\Connection $connection
|
||||||
*/
|
*/
|
||||||
private function createDatabase($connection) {
|
private function createDatabase($connection) {
|
||||||
|
try{
|
||||||
$name = $this->dbName;
|
$name = $this->dbName;
|
||||||
$user = $this->dbUser;
|
$user = $this->dbUser;
|
||||||
//we cant use OC_BD functions here because we need to connect as the administrative user.
|
//we cant use OC_BD functions here because we need to connect as the administrative user.
|
||||||
|
@ -102,10 +61,16 @@ class MySQL extends AbstractDatabase {
|
||||||
//this query will fail if there aren't the right permissions, ignore the error
|
//this query will fail if there aren't the right permissions, ignore the error
|
||||||
$query="GRANT ALL PRIVILEGES ON `$name` . * TO '$user'";
|
$query="GRANT ALL PRIVILEGES ON `$name` . * TO '$user'";
|
||||||
$connection->executeUpdate($query);
|
$connection->executeUpdate($query);
|
||||||
|
} catch (\Exception $ex) {
|
||||||
|
$this->logger->error('Database creation failed: {error}', [
|
||||||
|
'app' => 'mysql.setup',
|
||||||
|
'error' => $ex->getMessage()
|
||||||
|
]);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param \OC\DB\Connection $connection
|
* @param IDbConnection $connection
|
||||||
* @throws \OC\DatabaseSetupException
|
* @throws \OC\DatabaseSetupException
|
||||||
*/
|
*/
|
||||||
private function createDBUser($connection) {
|
private function createDBUser($connection) {
|
||||||
|
@ -134,4 +99,63 @@ class MySQL extends AbstractDatabase {
|
||||||
$cf = new ConnectionFactory();
|
$cf = new ConnectionFactory();
|
||||||
return $cf->getConnection($type, $connectionParams);
|
return $cf->getConnection($type, $connectionParams);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param $username
|
||||||
|
* @param IDBConnection $connection
|
||||||
|
* @return array
|
||||||
|
*/
|
||||||
|
private function createSpecificUser($username, $connection) {
|
||||||
|
try {
|
||||||
|
//user already specified in config
|
||||||
|
$oldUser = $this->config->getSystemValue('dbuser', false);
|
||||||
|
|
||||||
|
//we don't have a dbuser specified in config
|
||||||
|
if ($this->dbUser !== $oldUser) {
|
||||||
|
//add prefix to the admin username to prevent collisions
|
||||||
|
$adminUser = substr('oc_' . $username, 0, 16);
|
||||||
|
|
||||||
|
$i = 1;
|
||||||
|
while (true) {
|
||||||
|
//this should be enough to check for admin rights in mysql
|
||||||
|
$query = 'SELECT user FROM mysql.user WHERE user=?';
|
||||||
|
$result = $connection->executeQuery($query, [$adminUser]);
|
||||||
|
|
||||||
|
//current dbuser has admin rights
|
||||||
|
if ($result) {
|
||||||
|
$data = $result->fetchAll();
|
||||||
|
//new dbuser does not exist
|
||||||
|
if (count($data) === 0) {
|
||||||
|
//use the admin login data for the new database user
|
||||||
|
$this->dbUser = $adminUser;
|
||||||
|
|
||||||
|
//create a random password so we don't need to store the admin password in the config file
|
||||||
|
$this->dbPassword = $this->random->getMediumStrengthGenerator()->generate(30);
|
||||||
|
|
||||||
|
$this->createDBUser($connection);
|
||||||
|
|
||||||
|
break;
|
||||||
|
} else {
|
||||||
|
//repeat with different username
|
||||||
|
$length = strlen((string)$i);
|
||||||
|
$adminUser = substr('oc_' . $username, 0, 16 - $length) . $i;
|
||||||
|
$i++;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
}
|
||||||
|
} catch (\Exception $ex) {
|
||||||
|
$this->logger->error('Specific user creation failed: {error}', [
|
||||||
|
'app' => 'mysql.setup',
|
||||||
|
'error' => $ex->getMessage()
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->config->setSystemValues([
|
||||||
|
'dbuser' => $this->dbUser,
|
||||||
|
'dbpassword' => $this->dbPassword,
|
||||||
|
]);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -567,7 +567,8 @@ class OC_Util {
|
||||||
}
|
}
|
||||||
|
|
||||||
$webServerRestart = false;
|
$webServerRestart = false;
|
||||||
$setup = new \OC\Setup($config, \OC::$server->getIniWrapper(), \OC::$server->getL10N('lib'), new \OC_Defaults());
|
$setup = new \OC\Setup($config, \OC::$server->getIniWrapper(), \OC::$server->getL10N('lib'),
|
||||||
|
new \OC_Defaults(), \OC::$server->getLogger(), \OC::$server->getSecureRandom());
|
||||||
$availableDatabases = $setup->getSupportedDatabases();
|
$availableDatabases = $setup->getSupportedDatabases();
|
||||||
if (empty($availableDatabases)) {
|
if (empty($availableDatabases)) {
|
||||||
$errors[] = array(
|
$errors[] = array(
|
||||||
|
|
Loading…
Reference in New Issue