Remove the /db page

This page wasn't linked anywhere, and was allowing an administrator to issue arbitrary sql comments, and was vulnerable to reflected XSS. We should get rid of it. If you really want to issue SQL commands, just ssh to your instance and do it from here.
5 years ago · 348c698e35
parent d3970a5c62
commit 348c698e35
3 changed files with 1 additions and 117 deletions
--- a/airsonic-main/src/main/java/org/airsonic/player/controller/DBController.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/controller/DBController.java
@ -1,70 +0,0 @@
-/*
- This file is part of Airsonic.
-
- Airsonic is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
-
- Airsonic is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with Airsonic.  If not, see <http://www.gnu.org/licenses/>.
-
- Copyright 2016 (C) Airsonic Authors
- Based upon Subsonic, Copyright 2009 (C) Sindre Mehus
- */
-package org.airsonic.player.controller;
-
-import org.airsonic.player.dao.DaoHelper;
-import org.apache.commons.lang.exception.ExceptionUtils;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.dao.DataAccessException;
-import org.springframework.jdbc.core.ColumnMapRowMapper;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.servlet.ModelAndView;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-/**
- * Controller for the DB admin page.
- *
- * @author Sindre Mehus
- */
-@Controller
-@RequestMapping("/db")
-public class DBController {
-
-    @Autowired
-    private DaoHelper daoHelper;
-
-    @RequestMapping(method = { RequestMethod.GET, RequestMethod.POST })
-    protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
-        Map<String, Object> map = new HashMap<String, Object>();
-
-        String query = request.getParameter("query");
-        if (query != null) {
-            map.put("query", query);
-
-            try {
-                List<?> result = daoHelper.getJdbcTemplate().query(query, new ColumnMapRowMapper());
-                map.put("result", result);
-            } catch (DataAccessException x) {
-                map.put("error", ExceptionUtils.getRootCause(x).getMessage());
-            }
-        }
-
-        return new ModelAndView("db","model",map);
-    }
-
-}
--- a/airsonic-main/src/main/java/org/airsonic/player/security/GlobalSecurityConfig.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/security/GlobalSecurityConfig.java
@ -142,7 +142,7 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
                    .antMatchers("/generalSettings*", "/advancedSettings*", "/userSettings*",
                            "/musicFolderSettings*", "/databaseSettings*", "/transcodeSettings*", "/rest/startScan*")
                    .hasRole("ADMIN")
-                    .antMatchers("/deletePlaylist*", "/savePlaylist*", "/db*")
+                    .antMatchers("/deletePlaylist*", "/savePlaylist*")
                    .hasRole("PLAYLIST")
                    .antMatchers("/download*")
                    .hasRole("DOWNLOAD")
--- a/airsonic-main/src/main/webapp/WEB-INF/jsp/db.jsp
+++ b/airsonic-main/src/main/webapp/WEB-INF/jsp/db.jsp
@ -1,46 +0,0 @@
-<%@ page language="java" contentType="text/html; charset=utf-8" pageEncoding="iso-8859-1"%>
-
-<html><head>
-    <%@ include file="head.jsp" %>
-</head><body class="mainframe bgcolor1" onload="document.getElementById('query').focus()">
-
-<h1>Database query</h1>
-
-<form method="post" action="db.view">
-    <sec:csrfInput />
-    <textarea rows="10" cols="80" id="query" name="query" style="margin-top:1em">${model.query}</textarea>
-    <input type="submit" value="<fmt:message key="common.ok"/>">
-</form>
-
-<c:if test="${not empty model.result}">
-    <h1 style="margin-top:2em">Result</h1>
-
-    <table class="indent ruleTable">
-        <c:forEach items="${model.result}" var="row" varStatus="loopStatus">
-
-            <c:if test="${loopStatus.count == 1}">
-                <tr>
-                    <c:forEach items="${row}" var="entry">
-                        <td class="ruleTableHeader">${entry.key}</td>
-                    </c:forEach>
-                </tr>
-            </c:if>
-            <tr>
-                <c:forEach items="${row}" var="entry">
-                    <td class="ruleTableCell">${entry.value}</td>
-                </c:forEach>
-            </tr>
-        </c:forEach>
-
-    </table>
-</c:if>
-
-<c:if test="${not empty model.error}">
-    <h1 style="margin-top:2em">Error</h1>
-
-    <p class="warning">
-        ${model.error}
-    </p>
-</c:if>
-
-</body></html>