Closed Bug 237116 Opened 21 years ago Closed 21 years ago

Generic Bugzilla database interaction layer

Categories

(Bugzilla :: Query/Bug List, enhancement)

enhancement
Not set
normal

RESOLVED WONTFIX

People

(Reporter: vijayan.reddy, Assigned: justdave)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686) Gecko/20040107 Galeon/1.3.7
Build Identifier: Mozilla/5.0 (X11; U; Linux i686) Gecko/20040107 Galeon/1.3.7

I had a series of requests from my users that they need to query the Bugzilla database directly. The options I had were to open the MySQL database access or to use Bugzilla as an interface for them to send their queries. I supported a new CGI page which takes a 'SQL Query String' (No Updates/Deletes Allowed for that user at the db), and displays the results on the webpage. Something like,

<bugzilla-URL>/custom-query.cgi?select * from bugs where bug_id>10000;

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Well, this is the source we have written to support this, any enhancements most welcome.

===============================================================================
#!/usr/bonsaitools/bin/perl -wT

use lib qw(.);
use DBI;
use strict;

require "CGI.pl";
require "globals.pl";

# Connection settings for the dedicated read-only database account
my $my_db_host = "localhost";
my $my_db_name = "bugs";
my $my_db_port = "3306";
my $my_db_user = "query";
my $my_db_pass = "query";

ConnectToDatabaseForRead(1);

# The whole query string is taken as the SQL statement to run
my $query = $ENV{QUERY_STRING};
# Only %20 (space) and %22 (double quote) are URL-decoded
$query =~ s/\%20/ /g;
$query =~ s/\%22/\"/g;
$query = SqlQuote($query);
# Remove every single quote from the string
$query =~ s/\'//g;

my @rset = runSQLQuery($query);

print "Content-type: text/html\n\n";
#PutHeader("Custom Query");
print GenerateHtmlContent(@rset );
#PutFooter();

# Open $::db with the read-only account instead of Bugzilla's own credentials
sub ConnectToDatabaseForRead {
    my ($useshadow) = (@_);
    if (!defined $::db) {
        my $name = $my_db_name;
        if ($useshadow && Param("shadowdb") && Param("queryagainstshadowdb")) {
            $name = Param("shadowdb");
            my $dbwritesallowed = 0;
        }
        $::db = DBI->connect("DBI:mysql:host=$my_db_host;database=$name;port=$my_db_port", $my_db_user, $my_db_pass)
            || die "MySQL Database of TBT is down. Please try again later. " .
                   "If the problem persists, please contact QATools\@tavant.com ".
                   "The error you should quote is: " .
                   $DBI::errstr;
    }
}

# Render the result set (file-scoped @rset) as an HTML table, one row per record
sub GenerateHtmlContent {
    my $html= "";
    my $NL = "\n";
    my $i;
    my $rec;
    $html = "<Html>".$NL;
    $html = $html."<Body>".$NL;
    $html = $html."<Table>".$NL;
    foreach $rec (@rset) {
        $html = $html."<TR>".$NL;
        my $no_of_cols = scalar keys %{$rset[0]};
        for ( $i=0; $i < $no_of_cols ; $i++) {
            $html = $html."<TD>".$NL;
            $html = $html."$rec->{$i}";
            $html = $html."</TD>".$NL;
        }
        $html = $html."</TR>".$NL;
    }
    $html = $html."</Table>".$NL;
    $html = $html."</Body>".$NL;
    $html = $html."</Html>".$NL;
    return $html;
}

# Run the statement and collect each row as a hash keyed by column index
sub runSQLQuery {
    my $query = shift;
    my $sql = qq/$query/;
    SendSQL($sql);
    while (my @row = FetchSQLData() ) {
        my $rec = {};
        my $i;
        my $no_of_cols = @row;
        for ( $i=0; $i < $no_of_cols ; $i++) {
            $rec->{$i} = $row[$i];
        }
        push(@rset, $rec);
    }
    return @rset;
}
=========================================================

The reason why I re-implemented ConnectToDatabase was to have read-only access for these users at the database.
Thanks for the contribution, but this is a security hole waiting to happen, because it bypasses Bugzilla's security controls.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Hardware: PC → All
Resolution: --- → WONTFIX
QA Contact: matty_is_a_geek → default-qa
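
Why a read-only database account does not make such a page safe, shown as an added example that is not part of the bug report or of Bugzilla's code. The schema is a constructed, simplified stand-in (its table layout and group rule are assumptions), and `make_db`, `raw_query` and `visible_bugs` are hypothetical names.

```python
import sqlite3

# Constructed, simplified schema (an assumption, not Bugzilla's real tables):
# a bug may be restricted to a group, and only members of it may see the bug.
SCHEMA = """
CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, short_desc TEXT);
CREATE TABLE bug_group_map (bug_id INTEGER, group_id INTEGER);
CREATE TABLE user_group_map (user_id INTEGER, group_id INTEGER);
INSERT INTO bugs VALUES (10001, 'Typo on login page'),
                        (10002, 'Embargoed security issue');
INSERT INTO bug_group_map VALUES (10002, 7);   -- bug 10002 is limited to group 7
INSERT INTO user_group_map VALUES (1, 7);      -- user 1 is a member, user 2 is not
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def raw_query(db, sql):
    """What a custom-query.cgi style page does: run caller-supplied SQL.
    A read-only account blocks writes, but every row stays readable."""
    return db.execute(sql).fetchall()

def visible_bugs(db, user_id, min_bug_id):
    """Application-layer query: fixed statement, bound parameters, and a
    visibility filter tied to the authenticated user."""
    return db.execute(
        """SELECT b.bug_id, b.short_desc FROM bugs b
           WHERE b.bug_id > ?
             AND NOT EXISTS (
                 SELECT 1 FROM bug_group_map bg
                 WHERE bg.bug_id = b.bug_id
                   AND bg.group_id NOT IN (
                       SELECT group_id FROM user_group_map WHERE user_id = ?))
           ORDER BY b.bug_id""",
        (min_bug_id, user_id)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("raw SQL, any caller:", raw_query(db, "select * from bugs where bug_id>10000"))
    print("filtered, user 2:   ", visible_bugs(db, 2, 10000))
    print("filtered, user 1:   ", visible_bugs(db, 1, 10000))
```

The raw path returns the group-restricted row to every caller, while the filtered path returns it only to the group member.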