@@ -242,8 +242,51 @@ function executeQuery ($SqlStatement, $DBConnectionUID = 'workflow', $aParameter
|
||||
{
|
||||
$con = Propel::getConnection( $DBConnectionUID );
|
||||
$con->begin();
|
||||
|
||||
G::loadClass('system');
|
||||
$blackList = System::getQueryBlackList();
|
||||
$aListQueries = explode('|', $blackList['queries']);
|
||||
$aListAllTables = explode('|', $blackList['tables'].$blackList['pmtables']);
|
||||
$parseSqlStm = new PHPSQLParser($SqlStatement);
|
||||
try {
|
||||
//Parsing queries and check the blacklist
|
||||
foreach ($parseSqlStm as $key => $value) {
|
||||
if($key === 'parsed'){
|
||||
$aParseSqlStm = $value;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
$nameOfTable = '';
|
||||
$arrayOfTables = array();
|
||||
foreach ($aParseSqlStm as $key => $value) {
|
||||
if(in_array($key, $aListQueries)){
|
||||
if(isset($value['table'])){
|
||||
$nameOfTable = $value['table'];
|
||||
} else {
|
||||
foreach ($value as $valueTab) {
|
||||
if(is_array($valueTab)){
|
||||
$arrayOfTables = $valueTab;
|
||||
} else {
|
||||
$nameOfTable = $valueTab;
|
||||
}
|
||||
}
|
||||
}
|
||||
if(isset($nameOfTable)){
|
||||
if(in_array($nameOfTable,$aListAllTables)){
|
||||
G::SendTemporalMessage( 'ID_NOT_EXECUTE_QUERY', 'error', 'labels' );
|
||||
throw new SQLException(G::loadTranslation('ID_NOT_EXECUTE_QUERY'));
|
||||
}
|
||||
}
|
||||
if (!empty($arrayOfTables)) {
|
||||
foreach ($arrayOfTables as $row) {
|
||||
if(in_array($row, $aListAllTables)){
|
||||
G::SendTemporalMessage( 'ID_NOT_EXECUTE_QUERY', 'error', 'labels' );
|
||||
throw new SQLException(G::loadTranslation('ID_NOT_EXECUTE_QUERY'));
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$statement = trim( $SqlStatement );
|
||||
$statement = str_replace( '(', '', $statement );
|
||||
|
||||
|
||||
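Review bot: The blacklist check fails open when PHPSQLParser yields no `parsed` entry (unparseable or vendor-specific SQL): `$aParseSqlStm` is never assigned, the second `foreach` only emits a warning, and execution falls through to run the statement unchecked; guard it before that loop with `if (!isset($aParseSqlStm) || !is_array($aParseSqlStm)) { throw new SQLException(G::loadTranslation('ID_NOT_EXECUTE_QUERY')); }`. The table comparisons use non-strict `in_array` on the raw parser output, so a backtick-quoted or differently-cased identifier may miss the list while the database still resolves it — strip surrounding backticks/quotes from the parsed name, apply the same case folding on both sides (which one depends on the server's identifier case rules, so confirm), and pass `true` as the third argument. Note that `isset($nameOfTable)` is always true because the variable is initialised to `''`, and since the registered table list ends with `|` the explode leaves an empty element, so `in_array('', ...)` then blocks any blacklisted statement for which no table was extracted — fail-closed, but accidental and worth making explicit with a comment. The `try` opened here has its `catch`, and the remainder of executeQuery, outside the hunk.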
@@ -1163,6 +1163,29 @@ class System
|
||||
return $config;
|
||||
}
|
||||
|
||||
/*
|
||||
* Get information about the queries permitted and tables we can modified
|
||||
* @access public
|
||||
* @param string $globalIniFile
|
||||
* @return array of execute query Black list
|
||||
*/
|
||||
public static function getQueryBlackList($globalIniFile = ''){
|
||||
$config = array();
|
||||
if (empty($globalIniFile)) {
|
||||
$blackListIniFile = PATH_CONFIG . 'execute-query-blacklist.ini';
|
||||
$sysTablesIniFile = PATH_CONFIG . 'system-tables.ini';
|
||||
}
|
||||
// read the global execute-query-blacklist.ini configuration file
|
||||
if(file_exists($blackListIniFile)){
|
||||
$config = @parse_ini_file($blackListIniFile);
|
||||
}
|
||||
if(file_exists($sysTablesIniFile)){
|
||||
$systemTables = @parse_ini_file($sysTablesIniFile);
|
||||
$config['tables'] = $systemTables['tables'];
|
||||
}
|
||||
return $config;
|
||||
}
|
||||
|
||||
public function updateIndexFile ($conf)
|
||||
{
|
||||
if (! file_exists( PATH_HTML . 'index.html' )) {
|
||||
|
||||
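Review bot: A missing or unreadable `execute-query-blacklist.ini` silently becomes an empty blacklist: `@parse_ini_file` hides the error, its `false` return is never checked, and when `$globalIniFile` is non-empty `$blackListIniFile` is never assigned at all, so `file_exists(null)` is false and an empty `$config` is returned — executeQuery then reads `$blackList['queries']` from nothing and blacklists nothing. This should fail closed: honour the parameter, drop the `@`, throw when the blacklist cannot be read, and default the three keys so callers never index an undefined entry. `system-tables.ini` is only produced by registerSystemTables during workspace upgrade, so on a workspace that has not been upgraded the table list is presumably empty as well — the docblock should say so. The docblock also says "tables we can modified" when the list is the tables that must not be touched.
```php
public static function getQueryBlackList($globalIniFile = ''){
    $blackListIniFile = empty($globalIniFile) ? PATH_CONFIG . 'execute-query-blacklist.ini' : $globalIniFile;
    $sysTablesIniFile = PATH_CONFIG . 'system-tables.ini';
    // Fail closed: a blacklist that cannot be read must not become an empty one.
    if (!file_exists($blackListIniFile) || ($config = parse_ini_file($blackListIniFile)) === false) {
        throw new Exception('Unable to read execute-query blacklist: ' . $blackListIniFile);
    }
    $config += array('queries' => '', 'tables' => '', 'pmtables' => '');
    // system-tables.ini is written by workspaceTools::registerSystemTables() at upgrade time.
    if (file_exists($sysTablesIniFile) && ($systemTables = parse_ini_file($sysTablesIniFile)) !== false) {
        $config['tables'] = isset($systemTables['tables']) ? $systemTables['tables'] : '';
    }
    return $config;
}
```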
@@ -744,6 +744,7 @@ class workspaceTools
|
||||
p11835::isApplicable();
|
||||
$systemSchema = System::getSystemSchema($this->dbAdapter);
|
||||
$systemSchemaRbac = System::getSystemSchemaRbac($this->dbAdapter);// get the Rbac Schema
|
||||
$this->registerSystemTables(array_merge($systemSchema,$systemSchemaRbac));
|
||||
$this->upgradeSchema( $systemSchema );
|
||||
$this->upgradeSchema( $systemSchemaRbac, false, true, $onedb ); // perform Upgrade to Rbac
|
||||
$this->upgradeData();
|
||||
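Review bot: `registerSystemTables` is declared `public static` later in this file, but the added line calls it through `$this->`; `self::registerSystemTables(array_merge($systemSchema, $systemSchemaRbac));` matches the declaration. Within this change the upgrade path appears to be the only producer of `system-tables.ini`, so the new executeQuery protection depends on every workspace having run this upgrade — a comment such as `// writes system-tables.ini, which executeQuery's blacklist reads; must succeed before user queries run` makes that coupling visible to the next maintainer. The enclosing method starts and ends outside the hunk.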
@@ -2279,4 +2280,22 @@ class workspaceTools
|
||||
throw $e;
|
||||
}
|
||||
}
|
||||
/**
|
||||
* Register system tables in a file
|
||||
*
|
||||
* return void
|
||||
*/
|
||||
public static function registerSystemTables($aSquema){
|
||||
//Register all tables
|
||||
$sListTables = '';
|
||||
foreach ($aSquema as $key => $value) {
|
||||
$sListTables .= $key .'|';
|
||||
}
|
||||
|
||||
$sysTablesIniFile= PATH_CONFIG . 'system-tables.ini';
|
||||
$contents = file_put_contents( $sysTablesIniFile, sprintf( "%s '%s'\n", "tables = ", $sListTables ) );
|
||||
if ($contents === null) {
|
||||
throw (new Exception( G::LoadTranslation('ID_FILE_NOT_WRITEABLE', SYS_LANG, array($sysTablesIniFile) ) ));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
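Review bot: `file_put_contents` returns `false` on failure, never `null`, so `$contents === null` can never be true and an unwritable config directory leaves `system-tables.ini` missing or stale without any error — which executeQuery later treats as an empty protected-table list; change the condition to `if ($contents === false) {`. The list is written with a trailing `|`, and executeQuery concatenates the `tables` and `pmtables` values relying on exactly that separator, so a comment like `// trailing '|' is required: System::getQueryBlackList() concatenates this with pmtables` would keep a later cleanup from silently breaking the check. Table names are emitted unescaped into a single-quoted INI value, so a key containing a quote would corrupt the file — presumably impossible for schema keys, but cheap to assert. The docblock's `return void` should be `@return void`.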
6
workflow/engine/config/execute-query-blacklist.ini
Executable file
@@ -0,0 +1,6 @@
|
||||
;The separator parameter is |
|
||||
;Setting statements - Statements can not allowed in the execution, example queries="INSERT|UPDATE|REPLACE|DELETE"
|
||||
queries = "INSERT|UPDATE|REPLACE|DELETE"
|
||||
|
||||
;Setting tables - Tables that can not apply sentences, pmtables="PMTABLE1|PMTABLE2"
|
||||
pmtables = ""
|
||||
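Review bot: The default `queries` value lists only DML, so `DROP`, `TRUNCATE`, `ALTER` and `RENAME` against a registered system table are not covered by the check this commit adds to executeQuery, which only inspects parser keys named here; if PHPSQLParser exposes those statements under matching keys, the default should be `queries = "INSERT|UPDATE|REPLACE|DELETE|DROP|TRUNCATE|ALTER|RENAME"` — confirm the key names the parser emits before relying on it. `pmtables` defaults to empty, so PM tables are unprotected until an administrator edits this file; the comment above it should say that explicitly. The comment `Statements can not allowed in the execution` reads better as `Statements that are not allowed to be executed`.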