Fix for an Issue #216

2024-11-22 09:36:35 +03:00 · 2012-10-24 22:59:46 +02:00 · 2012-10-24 22:59:46 +02:00 · 5477c9f7ba
commit 5477c9f7ba
parent 056be32ac1
3 changed files with 33 additions and 27 deletions
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -3005,6 +3005,34 @@ def asciifyUrl(url, forceQuote=False):

    return urlparse.urlunsplit([parts.scheme, netloc, path, query, parts.fragment])

+def isAdminFromPrivileges(privileges):
+    """
+    Inspects privileges to see if those are comming from an admin user
+    """
+
+    # In PostgreSQL the usesuper privilege means that the
+    # user is DBA
+    retVal = (Backend.isDbms(DBMS.PGSQL) and "super" in privileges)
+
+    # In Oracle the DBA privilege means that the
+    # user is DBA
+    retVal |= (Backend.isDbms(DBMS.ORACLE) and "DBA" in privileges)
+
+    # In MySQL >= 5.0 the SUPER privilege means
+    # that the user is DBA
+    retVal |= (Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema and "SUPER" in privileges)
+
+    # In MySQL < 5.0 the super_priv privilege means
+    # that the user is DBA
+    retVal |= (Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema and "super_priv" in privileges)
+
+    # In Firebird there is no specific privilege that means
+    # that the user is DBA
+    # TODO: confirm
+    retVal |= (Backend.isDbms(DBMS.FIREBIRD) and "SELECT" in privileges and "INSERT" in privileges and "UPDATE" in privileges and "DELETE" in privileges and "REFERENCES" in privileges and "EXECUTE" in privileges)
+
+    return retVal
+
 def findPageForms(content, url, raise_=False, addToTargets=False):
    """
    Parses given page content for possible forms
--- a/plugins/dbms/oracle/enumeration.py
+++ b/plugins/dbms/oracle/enumeration.py
@ -7,6 +7,7 @@ See the file 'doc/COPYING' for copying permission

 from lib.core.common import Backend
 from lib.core.common import getLimitRange
+from lib.core.common import isAdminFromPrivileges
 from lib.core.common import isInferenceAvailable
 from lib.core.common import isNoneValue
 from lib.core.common import isNumPosStrValue
@ -78,7 +79,7 @@ class Enumeration(GenericEnumeration):
                            # In Oracle we get the list of roles as string
                            roles.add(role)

-                    if self.__isAdminFromPrivileges(roles):
+                    if isAdminFromPrivileges(roles):
                        areAdmins.add(user)

                    if kb.data.cachedUsersRoles.has_key(user):
--- a/plugins/generic/users.py
+++ b/plugins/generic/users.py
@ -13,6 +13,7 @@ from lib.core.common import Backend
 from lib.core.common import filterPairValues
 from lib.core.common import getLimitRange
 from lib.core.common import getUnicode
+from lib.core.common import isAdminFromPrivileges
 from lib.core.common import isInferenceAvailable
 from lib.core.common import isNoneValue
 from lib.core.common import isNumPosStrValue
@ -309,30 +310,6 @@ class Users:

        return kb.data.cachedUsersPasswords

-    def __isAdminFromPrivileges(self, privileges):
-        # In PostgreSQL the usesuper privilege means that the
-        # user is DBA
-        dbaCondition = (Backend.isDbms(DBMS.PGSQL) and "super" in privileges)
-
-        # In Oracle the DBA privilege means that the
-        # user is DBA
-        dbaCondition |= (Backend.isDbms(DBMS.ORACLE) and "DBA" in privileges)
-
-        # In MySQL >= 5.0 the SUPER privilege means
-        # that the user is DBA
-        dbaCondition |= (Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema and "SUPER" in privileges)
-
-        # In MySQL < 5.0 the super_priv privilege means
-        # that the user is DBA
-        dbaCondition |= (Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema and "super_priv" in privileges)
-
-        # In Firebird there is no specific privilege that means
-        # that the user is DBA
-        # TODO: confirm
-        dbaCondition |= (Backend.isDbms(DBMS.FIREBIRD) and "SELECT" in privileges and "INSERT" in privileges and "UPDATE" in privileges and "DELETE" in privileges and "REFERENCES" in privileges and "EXECUTE" in privileges)
-
-        return dbaCondition
-
    def getPrivileges(self, query2=False):
        infoMsg = "fetching database users privileges"

@ -441,7 +418,7 @@ class Users:

                                privileges.add(privilege)

-                    if self.__isAdminFromPrivileges(privileges):
+                    if isAdminFromPrivileges(privileges):
                        areAdmins.add(user)

                    if user in kb.data.cachedUsersPrivileges:
@ -579,7 +556,7 @@ class Users:

                        privileges.add(privilege)

-                    if self.__isAdminFromPrivileges(privileges):
+                    if isAdminFromPrivileges(privileges):
                        areAdmins.add(user)

                    # In MySQL < 5.0 we break the cycle after the first