mucked with host table authorization checks...

diff --git a/server/qsetup.dc b/server/qsetup.dc
index 450619fd81b02ce4755d3ee764147aeb22198514..3e2c45e12928343cd909a325a10896eedca09a10 100644 (file)
--- a/server/qsetup.dc
+++ b/server/qsetup.dc
@@ -911,6 +911,51 @@ setup_ahst(q,argv,cl)
        if (*(p-1) == '-') return(MR_BAD_CHAR);
     }
 
+    /* sanity check host vendor: must start with a letter, contain only
+     * letters, numerals, and hyphen, and end with an alphanumeric.
+     */
+    if (*argv[row+1] && (row == 0 || strcmp(argv[2], cl->args->mr_argv[2]))) {
+       char *p = argv[row+1];
+
+       if (!isalpha(*p)) return(MR_BAD_CHAR);
+       for (; *p; p++) {
+           if ((!isalnum(*p) && *p != '-' && *p != '.') ||
+               (*p == '-' && p[1] == '.'))
+             return(MR_BAD_CHAR);
+       }
+       if (!isalnum(*(p-1))) return(MR_BAD_CHAR);
+    }
+
+    /* sanity check host type: must start with a letter, contain only
+     * letters, numerals, and hyphen, and end with an alphanumeric.
+     */
+    if (*argv[row+2] && (row == 0 || strcmp(argv[3], cl->args->mr_argv[3]))) {
+       char *p = argv[row+2];
+
+       if (!isalpha(*p)) return(MR_BAD_CHAR);
+       for (; *p; p++) {
+           if ((!isalnum(*p) && *p != '-' && *p != '.') ||
+               (*p == '-' && p[1] == '.'))
+             return(MR_BAD_CHAR);
+       }
+       if (!isalnum(*(p-1))) return(MR_BAD_CHAR);
+    }
+
+    /* sanity check host vendor: must start with a letter, contain only
+     * letters, numerals, and hyphen, and end with an hyphen alphanumeric.
+     */
+    if (*argv[row+3] && (row == 0 || strcmp(argv[4], cl->args->mr_argv[4]))) {
+       char *p = argv[row+3];
+
+       if (!isalpha(*p)) return(MR_BAD_CHAR);
+       for (; *p; p++) {
+           if ((!isalnum(*p) && *p != '-' && *p != '.') ||
+               (*p == '-' && p[1] == '.'))
+             return(MR_BAD_CHAR);
+       }
+       if (!isalnum(*(p-1))) return(MR_BAD_CHAR);
+    }
+
     /* check for duplicate name */
     name = argv[row];
     EXEC SQL SELECT count(mach_id) INTO :cnt FROM hostalias
@@ -1002,16 +1047,17 @@ setup_ahst(q,argv,cl)
          acomment, use, snet_id, ocomment INTO :s6, :i8, :s10, :s11, :i12,
          :i13, :i7, :i9, :i14 FROM machine WHERE mach_id = :id;
        if (ingres_errno) return(mr_errcode);
-       /* subnet owner cannot change use or ocomment */
-       if ((i7 != atoi(argv[7])) || (i14 != *(int *)argv[14]))
+       /* subnet owner cannot change use, comment, or network */
+       if ((i7 != atoi(argv[7])) || (i14 != *(int *)argv[14]) ||
+            (i9 != *(int *)argv[9]))
          return(MR_PERM);
        /* host owner cannot change contact, status, address, owner_type,
         * owner_id, acomment, or subnet */
        if (host_access_level == 2 &&
            (strcmp(argv[6], strtrim(s6)) || (i8 != atoi(argv[8])) ||
-            strcmp(argv[10], strtrim(s10)) || strcmp(argv[11], strtrim(s11)) ||
+            strcmp(argv[10], strtrim(s10)) ||strcmp(argv[11], strtrim(s11)) ||
             (i12 != *(int *)argv[12]) || (i13 != *(int *)argv[13]) ||
-            (i9 = *(int *)argv[9])))
+            (i9 != *(int *)argv[9])))
          return(MR_PERM);
     }