From 58481b88ebf4e545ede45d94314a6f7473709986 Mon Sep 17 00:00:00 2001 From: Dan Cross Date: Mon, 15 Oct 2018 18:19:54 +0000 Subject: [PATCH] Cleanup users.c. This started with using bounded operations on strings, and morphed to introducing a utility function to open the USERS SQLite3 database and then a general cleanup. This needs testing. Signed-off-by: Dan Cross --- src/users.c | 551 +++++++++++++++++++++------------------------------- 1 file changed, 226 insertions(+), 325 deletions(-) diff --git a/src/users.c b/src/users.c index b4a5eeb..9508e43 100644 --- a/src/users.c +++ b/src/users.c @@ -15,6 +15,18 @@ extern struct bbs_config conf; extern struct user_record *gUser; +static void open_users_db_or_die(sqlite3 **db) { + char buffer[PATH_MAX]; + snprintf(buffer, PATH_MAX, "%s/users.sq3", conf.bbs_path); + if (sqlite3_open(buffer, db) != SQLITE_OK) { + dolog("Cannot open database: %s", sqlite3_errmsg(*db)); + sqlite3_close(*db); + exit(1); + } + assert(db != NULL); + sqlite3_busy_timeout(*db, 5000); +} + char *hash_sha256(char *pass, char *salt) { char *buffer = NULL; char *shash = NULL; @@ -30,14 +42,13 @@ char *hash_sha256(char *pass, char *salt) { if (EVP_DigestInit_ex(context, EVP_sha256(), NULL)) { if (EVP_DigestUpdate(context, buffer, strlen(buffer))) { if (EVP_DigestFinal_ex(context, hash, &length_of_hash)) { - - shash = (char *)malloz(length_of_hash * 2 + 1); - for (i = 0; i < length_of_hash; i++) { - sprintf(shash + (i * 2), "%02x", (int)hash[i]); - } + stralloc shash = EMPTY_STRALLOC; + for (i = 0; i < length_of_hash; i++) + stralloc_cat_byte(&shash, hash[i]); + stralloc_0(&shash); EVP_MD_CTX_free(context); free(buffer); - return shash; + return shash.s; } } } @@ -87,55 +98,50 @@ static int secLevel(void *user, const char *section, const char *name, } int save_user(struct user_record *user) { - char buffer[PATH_MAX]; - sqlite3 *db; - sqlite3_stmt *res; - int rc; + sqlite3 *db = NULL; + sqlite3_stmt *res = NULL; + int rc = 0; - char *update_sql = "UPDATE users SET password=?, salt=?, firstname=?," - "lastname=?, email=?, location=?, sec_level=?, last_on=?, time_left=?, cur_mail_conf=?, cur_mail_area=?, cur_file_dir=?, cur_file_sub=?, times_on=?, bwavepktno=?, archiver=?, protocol=?,nodemsgs=?,codepage=?,exteditor=?,bwavestyle=?,signature=?,autosig=? where loginname LIKE ?"; + const char *update_sql = + "UPDATE users SET password=?, salt=?, firstname=?," + "lastname=?, email=?, location=?, sec_level=?, last_on=?, " + "time_left=?, cur_mail_conf=?, cur_mail_area=?, " + "cur_file_dir=?, cur_file_sub=?, times_on=?, bwavepktno=?, " + "archiver=?, protocol=?,nodemsgs=?,codepage=?,exteditor=?," + "bwavestyle=?,signature=?,autosig=? where loginname LIKE ?"; - snprintf(buffer, PATH_MAX, "%s/users.sq3", conf.bbs_path); - - rc = sqlite3_open(buffer, &db); + open_users_db_or_die(&db); + rc = sqlite3_prepare_v2(db, update_sql, -1, &res, 0); if (rc != SQLITE_OK) { - dolog("Cannot open database: %s", sqlite3_errmsg(db)); + dolog("Failed to prepare statement: %s", sqlite3_errmsg(db)); sqlite3_close(db); - exit(1); } - sqlite3_busy_timeout(db, 5000); - rc = sqlite3_prepare_v2(db, update_sql, -1, &res, 0); - - if (rc == SQLITE_OK) { - sqlite3_bind_text(res, 1, user->password, -1, 0); - sqlite3_bind_text(res, 2, user->salt, -1, 0); - sqlite3_bind_text(res, 3, user->firstname, -1, 0); - sqlite3_bind_text(res, 4, user->lastname, -1, 0); - sqlite3_bind_text(res, 5, user->email, -1, 0); - sqlite3_bind_text(res, 6, user->location, -1, 0); - sqlite3_bind_int(res, 7, user->sec_level); - sqlite3_bind_int(res, 8, user->laston); - sqlite3_bind_int(res, 9, user->timeleft); - sqlite3_bind_int(res, 10, user->cur_mail_conf); - sqlite3_bind_int(res, 11, user->cur_mail_area); - sqlite3_bind_int(res, 12, user->cur_file_dir); - sqlite3_bind_int(res, 13, user->cur_file_sub); - sqlite3_bind_int(res, 14, user->timeson); - sqlite3_bind_int(res, 15, user->bwavepktno); - sqlite3_bind_int(res, 16, user->defarchiver); - sqlite3_bind_int(res, 17, user->defprotocol); - sqlite3_bind_int(res, 18, user->nodemsgs); - sqlite3_bind_int(res, 19, user->codepage); - sqlite3_bind_int(res, 20, user->exteditor); - sqlite3_bind_int(res, 21, user->bwavestyle); - sqlite3_bind_text(res, 22, user->signature, -1, 0); - sqlite3_bind_int(res, 23, user->autosig); - sqlite3_bind_text(res, 24, user->loginname, -1, 0); - } else { - dolog("Failed to execute statement: %s", sqlite3_errmsg(db)); - } + sqlite3_bind_text(res, 1, user->password, -1, 0); + sqlite3_bind_text(res, 2, user->salt, -1, 0); + sqlite3_bind_text(res, 3, user->firstname, -1, 0); + sqlite3_bind_text(res, 4, user->lastname, -1, 0); + sqlite3_bind_text(res, 5, user->email, -1, 0); + sqlite3_bind_text(res, 6, user->location, -1, 0); + sqlite3_bind_int(res, 7, user->sec_level); + sqlite3_bind_int(res, 8, user->laston); + sqlite3_bind_int(res, 9, user->timeleft); + sqlite3_bind_int(res, 10, user->cur_mail_conf); + sqlite3_bind_int(res, 11, user->cur_mail_area); + sqlite3_bind_int(res, 12, user->cur_file_dir); + sqlite3_bind_int(res, 13, user->cur_file_sub); + sqlite3_bind_int(res, 14, user->timeson); + sqlite3_bind_int(res, 15, user->bwavepktno); + sqlite3_bind_int(res, 16, user->defarchiver); + sqlite3_bind_int(res, 17, user->defprotocol); + sqlite3_bind_int(res, 18, user->nodemsgs); + sqlite3_bind_int(res, 19, user->codepage); + sqlite3_bind_int(res, 20, user->exteditor); + sqlite3_bind_int(res, 21, user->bwavestyle); + sqlite3_bind_text(res, 22, user->signature, -1, 0); + sqlite3_bind_int(res, 23, user->autosig); + sqlite3_bind_text(res, 24, user->loginname, -1, 0); rc = sqlite3_step(res); if (rc != SQLITE_DONE) { @@ -150,29 +156,19 @@ int save_user(struct user_record *user) { } int msgbase_flag_unflag(struct user_record *user, int conference, int msgbase, int msgid) { - sqlite3 *db; - sqlite3_stmt *res; - int rc; - char buffer[PATH_MAX]; - char *create_sql = "CREATE TABLE IF NOT EXISTS msg_flags (conference INTEGER, msgbase INTEGER, uid INTEGER, msg INTEGER);"; - char *flag_buf = "INSERT INTO msg_flags (conference, msgbase, uid, msg) VALUES(?, ?, ?, ?)"; - char *unflag_buf = "DELETE FROM msg_flags WHERE conference=? AND msgbase=? AND uid=? AND msg=?"; - char *err_msg = 0; + sqlite3 *db = NULL; + sqlite3_stmt *res = NULL; + int rc = 0; + char *err_msg = NULL; int flagunflag = 0; + static const char *create_sql = + "CREATE TABLE IF NOT EXISTS msg_flags (conference INTEGER, msgbase INTEGER, uid INTEGER, msg INTEGER);"; + flagunflag = msgbase_is_flagged(user, conference, msgbase, msgid); - snprintf(buffer, PATH_MAX, "%s/users.sq3", conf.bbs_path); + open_users_db_or_die(&db); - rc = sqlite3_open(buffer, &db); - - if (rc != SQLITE_OK) { - dolog("Cannot open database: %s", sqlite3_errmsg(db)); - sqlite3_close(db); - - return 0; - } - sqlite3_busy_timeout(db, 5000); rc = sqlite3_exec(db, create_sql, 0, 0, &err_msg); if (rc != SQLITE_OK) { @@ -184,8 +180,12 @@ int msgbase_flag_unflag(struct user_record *user, int conference, int msgbase, i return 0; } if (flagunflag == 1) { + static const char *unflag_buf = + "DELETE FROM msg_flags WHERE conference=? AND msgbase=? AND uid=? AND msg=?"; rc = sqlite3_prepare_v2(db, unflag_buf, -1, &res, 0); } else { + static const char *flag_buf = + "INSERT INTO msg_flags (conference, msgbase, uid, msg) VALUES(?, ?, ?, ?)"; rc = sqlite3_prepare_v2(db, flag_buf, -1, &res, 0); } @@ -203,27 +203,16 @@ int msgbase_flag_unflag(struct user_record *user, int conference, int msgbase, i } int msgbase_is_flagged(struct user_record *user, int conference, int msgbase, int msgid) { - sqlite3 *db; - sqlite3_stmt *res; - int rc; - char buffer[PATH_MAX]; + sqlite3 *db = NULL; + sqlite3_stmt *res = NULL; + int rc = 0; - char *sql_buf = "SELECT * FROM msg_flags WHERE conference=? AND msgbase=? AND uid=? AND msg=?"; + static const char *sql_buf = + "SELECT * FROM msg_flags WHERE conference=? AND msgbase=? AND uid=? AND msg=?"; - snprintf(buffer, PATH_MAX, "%s/users.sq3", conf.bbs_path); - - rc = sqlite3_open(buffer, &db); - - if (rc != SQLITE_OK) { - dolog("Cannot open database: %s", sqlite3_errmsg(db)); - sqlite3_close(db); - - exit(1); - } - sqlite3_busy_timeout(db, 5000); + open_users_db_or_die(&db); rc = sqlite3_prepare_v2(db, sql_buf, -1, &res, 0); - if (rc != SQLITE_OK) { sqlite3_close(db); return 0; @@ -245,42 +234,30 @@ int msgbase_is_flagged(struct user_record *user, int conference, int msgbase, in } int msgbase_sub_unsub(int conference, int msgbase) { - sqlite3 *db; - sqlite3_stmt *res; - int rc; - char buffer[PATH_MAX]; - char *create_sql = "CREATE TABLE IF NOT EXISTS msg_subs (conference INTEGER, msgbase INTEGER, uid INTEGER);"; - char *sub_buf = "INSERT INTO msg_subs (conference, msgbase, uid) VALUES(?, ?, ?)"; - char *unsub_buf = "DELETE FROM msg_subs WHERE conference=? AND msgbase=? AND uid=?"; - char *err_msg = 0; - int subunsub = 0; + sqlite3 *db = NULL; + sqlite3_stmt *res = NULL; + int rc = 0; + static const char *create_sql = + "CREATE TABLE IF NOT EXISTS msg_subs (conference INTEGER, msgbase INTEGER, uid INTEGER);"; + char *err_msg = NULL; + int subunsub = msgbase_is_subscribed(conference, msgbase); - subunsub = msgbase_is_subscribed(conference, msgbase); + open_users_db_or_die(&db); - snprintf(buffer, PATH_MAX, "%s/users.sq3", conf.bbs_path); - - rc = sqlite3_open(buffer, &db); - - if (rc != SQLITE_OK) { - dolog("Cannot open database: %s", sqlite3_errmsg(db)); - sqlite3_close(db); - - return 0; - } - sqlite3_busy_timeout(db, 5000); rc = sqlite3_exec(db, create_sql, 0, 0, &err_msg); if (rc != SQLITE_OK) { - dolog("SQL error: %s", err_msg); - sqlite3_free(err_msg); sqlite3_close(db); - return 0; } if (subunsub == 1) { + static char *unsub_buf = + "DELETE FROM msg_subs WHERE conference=? AND msgbase=? AND uid=?"; rc = sqlite3_prepare_v2(db, unsub_buf, -1, &res, 0); } else { + static const char *sub_buf = + "INSERT INTO msg_subs (conference, msgbase, uid) VALUES(?, ?, ?)"; rc = sqlite3_prepare_v2(db, sub_buf, -1, &res, 0); } @@ -297,27 +274,16 @@ int msgbase_sub_unsub(int conference, int msgbase) { } int msgbase_is_subscribed(int conference, int msgbase) { - sqlite3 *db; - sqlite3_stmt *res; - int rc; - char buffer[PATH_MAX]; + sqlite3 *db = NULL; + sqlite3_stmt *res = NULL; + int rc = 0; - char *sql_buf = "SELECT * FROM msg_subs WHERE conference=? AND msgbase=? AND uid=?"; + static const char *sql_buf = + "SELECT * FROM msg_subs WHERE conference=? AND msgbase=? AND uid=?"; - snprintf(buffer, PATH_MAX, "%s/users.sq3", conf.bbs_path); - - rc = sqlite3_open(buffer, &db); - - if (rc != SQLITE_OK) { - dolog("Cannot open database: %s", sqlite3_errmsg(db)); - sqlite3_close(db); - - exit(1); - } - sqlite3_busy_timeout(db, 5000); + open_users_db_or_die(&db); rc = sqlite3_prepare_v2(db, sql_buf, -1, &res, 0); - if (rc != SQLITE_OK) { sqlite3_close(db); return 0; @@ -334,15 +300,18 @@ int msgbase_is_subscribed(int conference, int msgbase) { } sqlite3_finalize(res); sqlite3_close(db); + return 1; } int inst_user(struct user_record *user) { - char buffer[PATH_MAX]; - sqlite3 *db; - sqlite3_stmt *res; - int rc; - char *create_sql = "CREATE TABLE IF NOT EXISTS users (" + sqlite3 *db = NULL; + sqlite3_stmt *res = NULL; + char *err_msg = NULL; + int rc = 0; + + static const char *create_sql = + "CREATE TABLE IF NOT EXISTS users (" "Id INTEGER PRIMARY KEY," "loginname TEXT COLLATE NOCASE," "password TEXT," @@ -369,67 +338,56 @@ int inst_user(struct user_record *user) { "signature TEXT," "autosig INTEGER);"; - char *insert_sql = "INSERT INTO users (loginname, password, salt, firstname," - "lastname, email, location, sec_level, last_on, time_left, cur_mail_conf, cur_mail_area, cur_file_dir, cur_file_sub, times_on, bwavepktno, archiver, protocol, nodemsgs, codepage, exteditor, bwavestyle, signature, autosig) VALUES(?,?, ?,?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"; - char *err_msg = 0; + static const char *insert_sql = + "INSERT INTO users (loginname, password, salt, firstname," + "lastname, email, location, sec_level, last_on, time_left, " + "cur_mail_conf, cur_mail_area, cur_file_dir, cur_file_sub, " + "times_on, bwavepktno, archiver, protocol, nodemsgs, " + "codepage, exteditor, bwavestyle, signature, autosig) " + "VALUES(?,?, ?,?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"; - snprintf(buffer, PATH_MAX, "%s/users.sq3", conf.bbs_path); + open_users_db_or_die(&db); - rc = sqlite3_open(buffer, &db); - - if (rc != SQLITE_OK) { - dolog("Cannot open database: %s", sqlite3_errmsg(db)); - sqlite3_close(db); - - exit(1); - } - sqlite3_busy_timeout(db, 5000); rc = sqlite3_exec(db, create_sql, 0, 0, &err_msg); if (rc != SQLITE_OK) { - dolog("SQL error: %s", err_msg); - sqlite3_free(err_msg); sqlite3_close(db); - exit(1); } rc = sqlite3_prepare_v2(db, insert_sql, -1, &res, 0); - - if (rc == SQLITE_OK) { - sqlite3_bind_text(res, 1, user->loginname, -1, 0); - sqlite3_bind_text(res, 2, user->password, -1, 0); - sqlite3_bind_text(res, 3, user->salt, -1, 0); - sqlite3_bind_text(res, 4, user->firstname, -1, 0); - sqlite3_bind_text(res, 5, user->lastname, -1, 0); - sqlite3_bind_text(res, 6, user->email, -1, 0); - sqlite3_bind_text(res, 7, user->location, -1, 0); - sqlite3_bind_int(res, 8, user->sec_level); - sqlite3_bind_int(res, 9, user->laston); - sqlite3_bind_int(res, 10, user->timeleft); - sqlite3_bind_int(res, 11, user->cur_mail_conf); - sqlite3_bind_int(res, 12, user->cur_mail_area); - sqlite3_bind_int(res, 13, user->cur_file_dir); - sqlite3_bind_int(res, 14, user->cur_file_sub); - sqlite3_bind_int(res, 15, user->timeson); - sqlite3_bind_int(res, 16, user->bwavepktno); - sqlite3_bind_int(res, 17, user->defarchiver); - sqlite3_bind_int(res, 18, user->defprotocol); - sqlite3_bind_int(res, 19, user->nodemsgs); - sqlite3_bind_int(res, 20, user->codepage); - sqlite3_bind_int(res, 21, user->exteditor); - sqlite3_bind_int(res, 22, user->bwavestyle); - sqlite3_bind_text(res, 23, user->signature, -1, 0); - sqlite3_bind_int(res, 24, user->autosig); - } else { + if (rc != SQLITE_OK) { dolog("Failed to execute statement: %s", sqlite3_errmsg(db)); sqlite3_close(db); exit(1); } + sqlite3_bind_text(res, 1, user->loginname, -1, 0); + sqlite3_bind_text(res, 2, user->password, -1, 0); + sqlite3_bind_text(res, 3, user->salt, -1, 0); + sqlite3_bind_text(res, 4, user->firstname, -1, 0); + sqlite3_bind_text(res, 5, user->lastname, -1, 0); + sqlite3_bind_text(res, 6, user->email, -1, 0); + sqlite3_bind_text(res, 7, user->location, -1, 0); + sqlite3_bind_int(res, 8, user->sec_level); + sqlite3_bind_int(res, 9, user->laston); + sqlite3_bind_int(res, 10, user->timeleft); + sqlite3_bind_int(res, 11, user->cur_mail_conf); + sqlite3_bind_int(res, 12, user->cur_mail_area); + sqlite3_bind_int(res, 13, user->cur_file_dir); + sqlite3_bind_int(res, 14, user->cur_file_sub); + sqlite3_bind_int(res, 15, user->timeson); + sqlite3_bind_int(res, 16, user->bwavepktno); + sqlite3_bind_int(res, 17, user->defarchiver); + sqlite3_bind_int(res, 18, user->defprotocol); + sqlite3_bind_int(res, 19, user->nodemsgs); + sqlite3_bind_int(res, 20, user->codepage); + sqlite3_bind_int(res, 21, user->exteditor); + sqlite3_bind_int(res, 22, user->bwavestyle); + sqlite3_bind_text(res, 23, user->signature, -1, 0); + sqlite3_bind_int(res, 24, user->autosig); rc = sqlite3_step(res); - if (rc != SQLITE_DONE) { dolog("execution failed: %s", sqlite3_errmsg(db)); sqlite3_close(db); @@ -440,114 +398,103 @@ int inst_user(struct user_record *user) { sqlite3_finalize(res); sqlite3_close(db); + return 1; } struct user_record *check_user_pass(char *loginname, char *password) { - struct user_record *user; - char buffer[1024]; - sqlite3 *db; - sqlite3_stmt *res; - int rc; - char *sql = "SELECT Id, loginname, password, salt, firstname," - "lastname, email, location, sec_level, last_on, time_left, cur_mail_conf, cur_mail_area, cur_file_dir, cur_file_sub, times_on, bwavepktno, archiver, protocol,nodemsgs, codepage, exteditor, bwavestyle, signature, autosig FROM users WHERE loginname LIKE ?"; - char *pass_hash; + sqlite3 *db = NULL; + sqlite3_stmt *res = NULL; + int rc = NULL; + int pass_ok = 0; + char pathbuf[PATH_MAX]; - sprintf(buffer, "%s/users.sq3", conf.bbs_path); + static const char *sql = + "SELECT Id, loginname, password, salt, firstname," + "lastname, email, location, sec_level, last_on, time_left, " + "cur_mail_conf, cur_mail_area, cur_file_dir, cur_file_sub, " + "times_on, bwavepktno, archiver, protocol,nodemsgs, " + "codepage, exteditor, bwavestyle, signature, autosig " + "FROM users WHERE loginname LIKE ?"; - rc = sqlite3_open(buffer, &db); - if (rc != SQLITE_OK) { - dolog("Cannot open database: %s", sqlite3_errmsg(db)); - sqlite3_close(db); - - exit(1); - } - sqlite3_busy_timeout(db, 5000); + open_users_db_or_die(&db); rc = sqlite3_prepare_v2(db, sql, -1, &res, 0); - - if (rc == SQLITE_OK) { - sqlite3_bind_text(res, 1, loginname, -1, 0); - } else { + if (rc != SQLITE_OK) { dolog("Failed to execute statement: %s", sqlite3_errmsg(db)); sqlite3_finalize(res); sqlite3_close(db); return NULL; } - + sqlite3_bind_text(res, 1, loginname, -1, 0); int step = sqlite3_step(res); - - if (step == SQLITE_ROW) { - user = (struct user_record *)malloz(sizeof(struct user_record)); - user->id = sqlite3_column_int(res, 0); - user->loginname = strdup((char *)sqlite3_column_text(res, 1)); - user->password = strdup((char *)sqlite3_column_text(res, 2)); - user->salt = strdup((char *)sqlite3_column_text(res, 3)); - user->firstname = strdup((char *)sqlite3_column_text(res, 4)); - user->lastname = strdup((char *)sqlite3_column_text(res, 5)); - user->email = strdup((char *)sqlite3_column_text(res, 6)); - user->location = strdup((char *)sqlite3_column_text(res, 7)); - user->sec_level = sqlite3_column_int(res, 8); - user->laston = (time_t)sqlite3_column_int(res, 9); - user->timeleft = sqlite3_column_int(res, 10); - user->cur_mail_conf = sqlite3_column_int(res, 11); - user->cur_mail_area = sqlite3_column_int(res, 12); - user->cur_file_dir = sqlite3_column_int(res, 13); - user->cur_file_sub = sqlite3_column_int(res, 14); - user->timeson = sqlite3_column_int(res, 15); - user->bwavepktno = sqlite3_column_int(res, 16); - user->defarchiver = sqlite3_column_int(res, 17); - user->defprotocol = sqlite3_column_int(res, 18); - user->nodemsgs = sqlite3_column_int(res, 19); - user->codepage = sqlite3_column_int(res, 20); - user->exteditor = sqlite3_column_int(res, 21); - user->bwavestyle = sqlite3_column_int(res, 22); - user->signature = strdup((char *)sqlite3_column_text(res, 23)); - user->autosig = sqlite3_column_int(res, 24); - pass_hash = hash_sha256(password, user->salt); - - if (strcmp(pass_hash, user->password) != 0) { - free(user->loginname); - free(user->firstname); - free(user->lastname); - free(user->email); - free(user->location); - free(user->salt); - free(user->signature); - free(user); - free(pass_hash); - sqlite3_finalize(res); - sqlite3_close(db); - return NULL; - } - free(pass_hash); - } else { + if (step != SQLITE_ROW) { sqlite3_finalize(res); sqlite3_close(db); return NULL; } + struct user_record *user = malloz(sizeof(struct user_record)); + user->id = sqlite3_column_int(res, 0); + user->loginname = strdup((char *)sqlite3_column_text(res, 1)); + user->password = strdup((char *)sqlite3_column_text(res, 2)); + user->salt = strdup((char *)sqlite3_column_text(res, 3)); + user->firstname = strdup((char *)sqlite3_column_text(res, 4)); + user->lastname = strdup((char *)sqlite3_column_text(res, 5)); + user->email = strdup((char *)sqlite3_column_text(res, 6)); + user->location = strdup((char *)sqlite3_column_text(res, 7)); + user->sec_level = sqlite3_column_int(res, 8); + user->laston = (time_t)sqlite3_column_int(res, 9); + user->timeleft = sqlite3_column_int(res, 10); + user->cur_mail_conf = sqlite3_column_int(res, 11); + user->cur_mail_area = sqlite3_column_int(res, 12); + user->cur_file_dir = sqlite3_column_int(res, 13); + user->cur_file_sub = sqlite3_column_int(res, 14); + user->timeson = sqlite3_column_int(res, 15); + user->bwavepktno = sqlite3_column_int(res, 16); + user->defarchiver = sqlite3_column_int(res, 17); + user->defprotocol = sqlite3_column_int(res, 18); + user->nodemsgs = sqlite3_column_int(res, 19); + user->codepage = sqlite3_column_int(res, 20); + user->exteditor = sqlite3_column_int(res, 21); + user->bwavestyle = sqlite3_column_int(res, 22); + user->signature = strdup((char *)sqlite3_column_text(res, 23)); + user->autosig = sqlite3_column_int(res, 24); + char *pass_hash = hash_sha256(password, user->salt); + + if (strcmp(pass_hash, user->password) != 0) { + free(user->loginname); + free(user->firstname); + free(user->lastname); + free(user->email); + free(user->location); + free(user->salt); + free(user->signature); + free(user); + free(pass_hash); + sqlite3_finalize(res); + sqlite3_close(db); + return NULL; + } + free(pass_hash); sqlite3_finalize(res); sqlite3_close(db); user->sec_info = (struct sec_level_t *)malloz(sizeof(struct sec_level_t)); - snprintf(buffer, 1024, "%s/s%d.ini", conf.config_path, user->sec_level); - if (ini_parse(buffer, secLevel, user->sec_info) < 0) { - dolog("Unable to load sec Level ini (%s)!", buffer); + snprintf(pathbuf, sizeof pathbuf, "%s/s%d.ini", conf.config_path, user->sec_level); + if (ini_parse(pathbuf, secLevel, user->sec_info) < 0) { + dolog("Unable to load sec Level ini (%s)!", pathbuf); exit(-1); } - if (user->cur_mail_conf >= conf.mail_conference_count) { user->cur_mail_conf = 0; } if (user->cur_file_dir >= conf.file_directory_count) { user->cur_file_dir = 0; } - if (user->cur_mail_area >= conf.mail_conferences[user->cur_mail_conf]->mail_area_count) { user->cur_mail_area = 0; } - if (user->cur_file_sub >= conf.file_directories[user->cur_file_dir]->file_sub_count) { user->cur_file_sub = 0; } @@ -556,24 +503,14 @@ struct user_record *check_user_pass(char *loginname, char *password) { } void list_users(struct user_record *user) { - char buffer[256]; - sqlite3 *db; - sqlite3_stmt *res; - int rc; - int i; + sqlite3 *db = NULL; + sqlite3_stmt *res = NULL; + int rc = 0; - char *sql = "SELECT loginname,location,times_on FROM users"; + static const char *sql = "SELECT loginname,location,times_on FROM users"; - sprintf(buffer, "%s/users.sq3", conf.bbs_path); + open_users_db_or_die(&db); - rc = sqlite3_open(buffer, &db); - - if (rc != SQLITE_OK) { - dolog("Cannot open database: %s", sqlite3_errmsg(db)); - sqlite3_close(db); - exit(1); - } - sqlite3_busy_timeout(db, 5000); rc = sqlite3_prepare_v2(db, sql, -1, &res, 0); if (rc != SQLITE_OK) { dolog("Cannot prepare statement: %s", sqlite3_errmsg(db)); @@ -583,11 +520,8 @@ void list_users(struct user_record *user) { s_printf(get_string(161)); s_printf(get_string(162)); s_printf(get_string(163)); - i = 0; - while (sqlite3_step(res) == SQLITE_ROW) { + for (int i = 0; sqlite3_step(res) == SQLITE_ROW; ++i) { s_printf(get_string(164), sqlite3_column_text(res, 0), sqlite3_column_text(res, 1), sqlite3_column_int(res, 2)); - - i++; if (i == 20) { s_printf(get_string(6)); s_getc(); @@ -603,82 +537,49 @@ void list_users(struct user_record *user) { } int check_fullname(char *firstname, char *lastname) { - char buffer[256]; - sqlite3 *db; - sqlite3_stmt *res; - int rc; - char *sql = "SELECT * FROM users WHERE firstname = ? AND lastname = ?"; + sqlite3 *db = NULL; + sqlite3_stmt *res = NULL; + int rc = 0; - sprintf(buffer, "%s/users.sq3", conf.bbs_path); + static const char *sql = + "SELECT * FROM users WHERE firstname = ? AND lastname = ?"; - rc = sqlite3_open(buffer, &db); - - if (rc != SQLITE_OK) { - dolog("Cannot open database: %s", sqlite3_errmsg(db)); - sqlite3_close(db); - - exit(1); - } - sqlite3_busy_timeout(db, 5000); + open_users_db_or_die(&db); rc = sqlite3_prepare_v2(db, sql, -1, &res, 0); - - if (rc == SQLITE_OK) { - sqlite3_bind_text(res, 1, firstname, -1, 0); - sqlite3_bind_text(res, 2, lastname, -1, 0); - } else { - dolog("Failed to execute statement: %s", sqlite3_errmsg(db)); - } - - int step = sqlite3_step(res); - - if (step == SQLITE_ROW) { - sqlite3_finalize(res); + if (rc != SQLITE_OK) { + dolog("Failed to prepare statement: %s", sqlite3_errmsg(db)); sqlite3_close(db); return 0; } - + sqlite3_bind_text(res, 1, firstname, -1, 0); + sqlite3_bind_text(res, 2, lastname, -1, 0); + int step = sqlite3_step(res); sqlite3_finalize(res); sqlite3_close(db); - return 1; + + return (step == SQLITE_ROW); } int check_user(char *loginname) { - char buffer[256]; - sqlite3 *db; - sqlite3_stmt *res; - int rc; - char *sql = "SELECT * FROM users WHERE loginname = ?"; + sqlite3 *db = NULL; + sqlite3_stmt *res = NULL; + int rc = 0; - sprintf(buffer, "%s/users.sq3", conf.bbs_path); + static const char *sql = "SELECT * FROM users WHERE loginname = ?"; - rc = sqlite3_open(buffer, &db); - - if (rc != SQLITE_OK) { - dolog("Cannot open database: %s", sqlite3_errmsg(db)); - sqlite3_close(db); - - exit(1); - } - sqlite3_busy_timeout(db, 5000); + open_users_db_or_die(&db); rc = sqlite3_prepare_v2(db, sql, -1, &res, 0); - - if (rc == SQLITE_OK) { - sqlite3_bind_text(res, 1, loginname, -1, 0); - } else { + if (rc != SQLITE_OK) { dolog("Failed to execute statement: %s", sqlite3_errmsg(db)); - } - - int step = sqlite3_step(res); - - if (step == SQLITE_ROW) { - sqlite3_finalize(res); sqlite3_close(db); - return 0; + return 1; } - + sqlite3_bind_text(res, 1, loginname, -1, 0); + int step = sqlite3_step(res); sqlite3_finalize(res); sqlite3_close(db); - return 1; + + return (step != SQLITE_ROW); } struct user_record *new_user() { @@ -710,8 +611,8 @@ struct user_record *new_user() { s_printf(get_string(240)); continue; } - for (i = 0; i < strlen(buffer); i++) { - if (!(tolower(buffer[i]) >= 97 && tolower(buffer[i]) <= 122) && buffer[i] != 32 && !(buffer[i] >= '0' && buffer[i] <= '9')) { + for (const char *p = buffer; *p != '\0'; ++p) { + if (!(tolower(*p) >= 97 && tolower(*p) <= 122) && *p != 32 && !(*p >= '0' && *p <= '9')) { s_printf(get_string(168)); nameok = 1; break;