From 348c698e35453db00742b768fd2a4a3796375c1c Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sun, 28 Apr 2019 08:48:41 +0000
Subject: [PATCH] Remove the /db page
This page wasn't linked anywhere, and was allowing an administrator to issue arbitrary sql comments, and was vulnerable to reflected XSS. We should get rid of it.
If you really want to issue SQL commands, just ssh to your instance and do it from here.
---
 .../player/controller/DBController.java | 70 -------------------
 .../player/security/GlobalSecurityConfig.java | 2 +-
 .../src/main/webapp/WEB-INF/jsp/db.jsp | 46 ------------
 3 files changed, 1 insertion(+), 117 deletions(-)
 delete mode 100644 airsonic-main/src/main/java/org/airsonic/player/controller/DBController.java
 delete mode 100644 airsonic-main/src/main/webapp/WEB-INF/jsp/db.jsp
diff --git a/airsonic-main/src/main/java/org/airsonic/player/controller/DBController.java b/airsonic-main/src/main/java/org/airsonic/player/controller/DBController.java
deleted file mode 100644
index 850ef71b..00000000
--- a/airsonic-main/src/main/java/org/airsonic/player/controller/DBController.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- This file is part of Airsonic.
-
- Airsonic is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
-
- Airsonic is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with Airsonic. If not, see .
-
- Copyright 2016 (C) Airsonic Authors
- Based upon Subsonic, Copyright 2009 (C) Sindre Mehus
- */
-package org.airsonic.player.controller;
-
-import org.airsonic.player.dao.DaoHelper;
-import org.apache.commons.lang.exception.ExceptionUtils;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.dao.DataAccessException;
-import org.springframework.jdbc.core.ColumnMapRowMapper;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.servlet.ModelAndView;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-/**
- * Controller for the DB admin page.
- *
- * @author Sindre Mehus
- */
-@Controller
-@RequestMapping("/db")
-public class DBController {
-
- @Autowired
- private DaoHelper daoHelper;
-
- @RequestMapping(method = { RequestMethod.GET, RequestMethod.POST })
- protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
- Map map = new HashMap();
-
- String query = request.getParameter("query");
- if (query != null) {
- map.put("query", query);
-
- try {
- List result = daoHelper.getJdbcTemplate().query(query, new ColumnMapRowMapper());
- map.put("result", result);
- } catch (DataAccessException x) {
- map.put("error", ExceptionUtils.getRootCause(x).getMessage());
- }
- }
-
- return new ModelAndView("db","model",map);
- }
-
-}
diff --git a/airsonic-main/src/main/java/org/airsonic/player/security/GlobalSecurityConfig.java b/airsonic-main/src/main/java/org/airsonic/player/security/GlobalSecurityConfig.java
index 41a9f03f..b6dba32c 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/security/GlobalSecurityConfig.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/security/GlobalSecurityConfig.java
@@ -142,7 +142,7 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
 .antMatchers("/generalSettings*", "/advancedSettings*", "/userSettings*", "/musicFolderSettings*", "/databaseSettings*", "/transcodeSettings*", "/rest/startScan*")
 .hasRole("ADMIN")
- .antMatchers("/deletePlaylist*", "/savePlaylist*", "/db*")
+ .antMatchers("/deletePlaylist*", "/savePlaylist*")
 .hasRole("PLAYLIST")
 .antMatchers("/download*")
 .hasRole("DOWNLOAD")
diff --git a/airsonic-main/src/main/webapp/WEB-INF/jsp/db.jsp b/airsonic-main/src/main/webapp/WEB-INF/jsp/db.jsp
deleted file mode 100644
index fb334593..00000000
--- a/airsonic-main/src/main/webapp/WEB-INF/jsp/db.jsp
+++ /dev/null
@@ -1,46 +0,0 @@
-<%@ page language="java" contentType="text/html; charset=utf-8" pageEncoding="iso-8859-1"%>
-
-
- <%@ include file="head.jsp" %>
-
-
-
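Review bot: The removed matcher shows `/db*` was grouped with the playlist endpoints under `.hasRole("PLAYLIST")` rather than `.hasRole("ADMIN")`, so the commit description ("allowing an administrator to issue arbitrary sql") understates the exposure: any account holding the playlist privilege could reach the query page before this change. That distinction matters for operators judging impact, so the description or release notes should state it plainly. The description also reads "sql comments" where "SQL commands" is evidently meant. The matcher chain this hunk edits begins and ends outside the hunk, so whether a later catch-all rule now covers the removed `/db` path cannot be seen here.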

Database query

- -
- - - "> - - - -

Result

- - - - - - - - - - - - - - - - - - -
${entry.key}
${entry.value}
-
- - -

Error

- -

- ${model.error} -

-
- - \ No newline at end of file