[Koha-bugs] [Bug 8268] Koha should offer way to backup entire db
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Sat Jul 7 14:10:51 CEST 2012
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8268
--- Comment #12 from Frère Sébastien Marie <semarie-koha at latrappe.fr> ---
(En réponse au commentaire 11)
>
> Marking passed QA, I'll delay pushing, I'll wait for some feedback from
> semarie, just in case
The code seems globally ok: just 4 remarks.
Some security remarks (in tools/export.pl):
1. a problem (common in koha): use of user-input in warn. An attacker can
forge entries in log file (see CWE-93) (resume: if variable contains CRLF, the
log file too... and the next line is forged: so who write in log ? koha or
attacker ?)
> warn "A suspicious attempt was made to download the db at '$filename' by ..."
2. about the regex for $filename verification
> return unless ( ... && not $filename =~ m#(^\.\.|/)# );
The regex could be translated as: $filename should not:
- start with '..'
OR
- contains '/'
I don't understand the purpose of "^..", if '/' is forbidden; as you can't
escape from directory without '/'.
So I think m#/# is suffisent (please correct me if not).
Some generals remarks:
3. the directory for backup is not consitent in differents files:
in debian/templates/koha-conf-site.xml.in, the directory use for backupdir is:
> <backupdir>/var/lib/koha/__KOHASITE__</backupdir>
in Makefile.PL, the directory seems to be in /var/spool :
> './skel/var/spool/koha' => { target => 'BACKUP_DIR', trimdir => -1 },
in debian/scripts/koha-dump:
> [ -z "$backupdir" ] && backupdir="/var/spool/koha/$name"
4. in misc/cronjobs/backup.sh
The lasts lines are for mail admin if ok, or mail admin if not ok.
> [ -f $KOHA_BACKUP] && echo "$KOHA_BACKUP was successfully created." | mail kohaadmin -s $KOHA_BACKUP ||
> echo "$KOHA_BACKUP was NOT successfully created." | mail kohaadmin -s $KOHA_BACKUP
First, there are *two* lines. I haven't test it, but it should be an error as
"cmd_a && cmd_b ||" is not a valid shell expression. Should be one-line "cmd_a
&& cmd_b || cmd_c"
Secondly, I'm not sure that the behaviour is correct.
"cmd_a && cmd_b || cmd_c" could be expanded as:
if cmd_a ; then
if ! cmd_b ; then
cmd_c
fi
else
cmd_c
fi
so if cmd_b failed (echo "backup ok" | mail admin), the cmd_c (echo "backup
err" | mail admin) will be run (and expected to failed too, as the first try).
Proposed correction:
> if [ -f $KOHA_BACKUP] ; then
> echo "$KOHA_BACKUP was successfully created." | mail kohaadmin -s $KOHA_BACKUP
> else
> echo "$KOHA_BACKUP was NOT successfully created." | mail kohaadmin -s $KOHA_BACKUP
> fi
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list