mask out passwords in admin queue

This commit is contained in:
Ralf Becker 2016-05-07 16:55:15 +00:00
parent e2261d3494
commit e6ad65387e
3 changed files with 67 additions and 2 deletions

View File

@ -25,6 +25,13 @@ abstract class admin_cmd
const pending = 4;
const queued = 5; // command waits to be fetched from remote
/**
* Status which stil need passwords available
*
* @var array
*/
static $require_pw_stati = array(self::scheduled,self::pending,self::queued);
/**
* The status of the command, one of either scheduled, successful, failed or deleted
*
@ -309,7 +316,10 @@ abstract class admin_cmd
$vars[$name] = $this->$name;
}
}
$vars['data'] = json_encode($this->data); // data is stored serialized
// data is stored serialized
// paswords are masked / removed, if we dont need them anymore
$vars['data'] = in_array($this->status, self::$require_pw_stati) ?
json_encode($this->data) : self::mask_passwords($this->data);
admin_cmd::$sql->init($vars);
if (admin_cmd::$sql->save() != 0)
@ -334,6 +344,33 @@ abstract class admin_cmd
return true;
}
/**
* Mask / remove passwords in $data
*
* @param string|array $data json or php-encoded string or array
* @param boolean $return_serialized =true true: return json serialized string, false: return array
* @return string|array see $return_serialized
*/
static function mask_passwords($data, $return_serialized=true)
{
if (!is_array($data))
{
$data = json_php_unserialize($data);
}
foreach($data as $key => &$value)
{
if (is_array($value))
{
$value = self::mask_passwords($value, false);
}
elseif (preg_match('/(pw|passwd_?\d*|(?<!change)password|db_pass)$/i', $key))
{
$value = str_repeat('*', strlen($value));
}
}
return $return_serialized ? json_encode($data) : $data;
}
/**
* reading a command from the queue returning the comand object
*
@ -843,6 +880,7 @@ abstract class admin_cmd
'status' => admin_cmd::failed,
'error' => lang('Unknown command %1!',$job['type']),
'errno' => 0,
'data' => self::mask_passwords($job['data']),
));
}
}

View File

@ -10,7 +10,7 @@
*/
$setup_info['admin']['name'] = 'admin';
$setup_info['admin']['version'] = '14.3';
$setup_info['admin']['version'] = '16.1';
$setup_info['admin']['app_order'] = 1;
$setup_info['admin']['tables'] = array('egw_admin_queue','egw_admin_remote');
$setup_info['admin']['enable'] = 1;

View File

@ -151,3 +151,30 @@ function admin_upgrade14_2_001()
return $GLOBALS['setup_info']['admin']['currentver'] = '14.3';
}
/**
* Remove cleartext passwords from egw_admin_queue
*
* @return string
*/
function admin_upgrade14_3()
{
// asuming everythings not MySQL uses PostgreSQL regular expression syntax
$regexp = substr($GLOBALS['egw_setup']->db->Type, 0, 5) == 'mysql' ? 'REGEXP' : '~*';
foreach($GLOBALS['egw_setup']->db->select('egw_admin_queue', 'cmd_id,cmd_data',
'cmd_status NOT IN ('.implode(',', admin_cmd::$require_pw_stati).") AND cmd_data $regexp '(pw|passwd\\_?\\d*|password|db\\_pass)\\?\"'",
__LINE__, __FILE__, false, '', 'admin') as $row)
{
if (($masked = admin_cmd::mask_passwords($row['cmd_data'])) != $row['cmd'])
{
$GLOBALS['egw_setup']->db->update('egw_admin_queue', array('cmd_data' => $masked),
array('cmd_id' => $row['cmd_id']), __LINE__, __FILE__, 'admin');
}
}
return $GLOBALS['setup_info']['admin']['currentver'] = '14.3.001';
}
function admin_upgrade14_3_001()
{
return $GLOBALS['setup_info']['admin']['currentver'] = '16.1';
}