Remove the /db page

This page wasn't linked anywhere, and was
allowing an administrator to issue arbitrary sql
comments, and was vulnerable to reflected XSS.

We should get rid of it. If you really want to issue
SQL commands, just ssh to your instance and do it from here.
master
jvoisin 6 years ago committed by GitHub
parent d3970a5c62
commit 348c698e35
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 70
      airsonic-main/src/main/java/org/airsonic/player/controller/DBController.java
  2. 2
      airsonic-main/src/main/java/org/airsonic/player/security/GlobalSecurityConfig.java
  3. 46
      airsonic-main/src/main/webapp/WEB-INF/jsp/db.jsp

@ -1,70 +0,0 @@
/*
This file is part of Airsonic.
Airsonic is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Airsonic is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Airsonic. If not, see <http://www.gnu.org/licenses/>.
Copyright 2016 (C) Airsonic Authors
Based upon Subsonic, Copyright 2009 (C) Sindre Mehus
*/
package org.airsonic.player.controller;
import org.airsonic.player.dao.DaoHelper;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DataAccessException;
import org.springframework.jdbc.core.ColumnMapRowMapper;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* Controller for the DB admin page.
*
* @author Sindre Mehus
*/
@Controller
@RequestMapping("/db")
public class DBController {
@Autowired
private DaoHelper daoHelper;
@RequestMapping(method = { RequestMethod.GET, RequestMethod.POST })
protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
Map<String, Object> map = new HashMap<String, Object>();
String query = request.getParameter("query");
if (query != null) {
map.put("query", query);
try {
List<?> result = daoHelper.getJdbcTemplate().query(query, new ColumnMapRowMapper());
map.put("result", result);
} catch (DataAccessException x) {
map.put("error", ExceptionUtils.getRootCause(x).getMessage());
}
}
return new ModelAndView("db","model",map);
}
}

@ -142,7 +142,7 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
.antMatchers("/generalSettings*", "/advancedSettings*", "/userSettings*",
"/musicFolderSettings*", "/databaseSettings*", "/transcodeSettings*", "/rest/startScan*")
.hasRole("ADMIN")
.antMatchers("/deletePlaylist*", "/savePlaylist*", "/db*")
.antMatchers("/deletePlaylist*", "/savePlaylist*")
.hasRole("PLAYLIST")
.antMatchers("/download*")
.hasRole("DOWNLOAD")

@ -1,46 +0,0 @@
<%@ page language="java" contentType="text/html; charset=utf-8" pageEncoding="iso-8859-1"%>
<html><head>
<%@ include file="head.jsp" %>
</head><body class="mainframe bgcolor1" onload="document.getElementById('query').focus()">
<h1>Database query</h1>
<form method="post" action="db.view">
<sec:csrfInput />
<textarea rows="10" cols="80" id="query" name="query" style="margin-top:1em">${model.query}</textarea>
<input type="submit" value="<fmt:message key="common.ok"/>">
</form>
<c:if test="${not empty model.result}">
<h1 style="margin-top:2em">Result</h1>
<table class="indent ruleTable">
<c:forEach items="${model.result}" var="row" varStatus="loopStatus">
<c:if test="${loopStatus.count == 1}">
<tr>
<c:forEach items="${row}" var="entry">
<td class="ruleTableHeader">${entry.key}</td>
</c:forEach>
</tr>
</c:if>
<tr>
<c:forEach items="${row}" var="entry">
<td class="ruleTableCell">${entry.value}</td>
</c:forEach>
</tr>
</c:forEach>
</table>
</c:if>
<c:if test="${not empty model.error}">
<h1 style="margin-top:2em">Error</h1>
<p class="warning">
${model.error}
</p>
</c:if>
</body></html>
Loading…
Cancel
Save