From e17d0cb5cf314a5bcd66a9bfee16e760ce26cde7 Mon Sep 17 00:00:00 2001
From: Sarah Hoffmann <lonvia@denofr.de>
Date: Mon, 9 Feb 2026 21:07:31 +0100
Subject: [PATCH] only allow alphanumeric and dash in DATABASE_WEBUSER

This variable is used a lot in raw SQL. Avoid injection issues.
---
 src/nominatim_db/config.py                | 7 ++++++-
 test/python/config/test_config.py         | 8 ++++----
 test/python/tools/test_database_import.py | 2 +-
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/nominatim_db/config.py b/src/nominatim_db/config.py
index 0742d019..2cda7892 100644
--- a/src/nominatim_db/config.py
+++ b/src/nominatim_db/config.py
@@ -2,7 +2,7 @@
 #
 # This file is part of Nominatim. (https://nominatim.org)
 #
-# Copyright (C) 2025 by the Nominatim developer community.
+# Copyright (C) 2026 by the Nominatim developer community.
 # For a full list of authors see the git log.
 """
 Nominatim configuration accessor.
@@ -12,6 +12,7 @@ import importlib.util
 import logging
 import os
 import sys
+import re
 from pathlib import Path
 import json
 import yaml
@@ -80,6 +81,10 @@ class Configuration:
         self.lib_dir = _LibDirs()
         self._private_plugins: Dict[str, object] = {}
 
+        if re.fullmatch(r'[\w-]+', self.DATABASE_WEBUSER) is None:
+            raise UsageError("Misconfigured DATABASE_WEBUSER. "
+                             "Only alphnumberic characters, - and _ are allowed.")
+
     def set_libdirs(self, **kwargs: StrPath) -> None:
         """ Set paths to library functions and data.
         """
diff --git a/test/python/config/test_config.py b/test/python/config/test_config.py
index 34e7acd7..555bc4e7 100644
--- a/test/python/config/test_config.py
+++ b/test/python/config/test_config.py
@@ -2,7 +2,7 @@
 #
 # This file is part of Nominatim. (https://nominatim.org)
 #
-# Copyright (C) 2025 by the Nominatim developer community.
+# Copyright (C) 2026 by the Nominatim developer community.
 # For a full list of authors see the git log.
 """
 Test for loading dotenv configuration.
@@ -68,13 +68,13 @@ def test_prefer_os_environ_over_project_setting(make_config, monkeypatch, tmp_pa
 
 def test_prefer_os_environ_can_unset_project_setting(make_config, monkeypatch, tmp_path):
     envfile = tmp_path / '.env'
-    envfile.write_text('NOMINATIM_DATABASE_WEBUSER=apache\n', encoding='utf-8')
+    envfile.write_text('NOMINATIM_OSM2PGSQL_BINARY=osm2pgsql\n', encoding='utf-8')
 
-    monkeypatch.setenv('NOMINATIM_DATABASE_WEBUSER', '')
+    monkeypatch.setenv('NOMINATIM_OSM2PGSQL_BINARY', '')
 
     config = make_config(tmp_path)
 
-    assert config.DATABASE_WEBUSER == ''
+    assert config.OSM2PGSQL_BINARY == ''
 
 
 def test_get_os_env_add_defaults(make_config, monkeypatch):
diff --git a/test/python/tools/test_database_import.py b/test/python/tools/test_database_import.py
index 6bae0389..eab747a5 100644
--- a/test/python/tools/test_database_import.py
+++ b/test/python/tools/test_database_import.py
@@ -62,7 +62,7 @@ class TestDatabaseSetup:
     def test_create_db_missing_ro_user(self):
         with pytest.raises(UsageError, match='Missing read-only user.'):
             database_import.setup_database_skeleton(f'dbname={self.DBNAME}',
-                                                    rouser='sdfwkjkjgdugu2;jgsafkljas;')
+                                                    rouser='sdfwkjkjgdugu2jgsafkljas')
 
     def test_setup_extensions_old_postgis(self, monkeypatch):
         monkeypatch.setattr(database_import, 'POSTGIS_REQUIRED_VERSION', (50, 50))