Skip to content
Snippets Groups Projects
Commit 1eaa6910 authored by Peter Rotich's avatar Peter Rotich
Browse files

CVE-2017-14396 

This commit addresses an SQL injection vulnerability in ORM lookup
function.

* ORM implementation failed to properly quote fields, used in SQL
statements, that might originate from unsanitized user input.

* AttachmentFile lookup allowed for key based SQL injection by blindly
delegating non-string lookup to ORM.
parent d2ef3b1f
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
file.php
+ 1
1
View file @ 1eaa6910
...@@ -21,7 +21,7 @@ require_once(INCLUDE_DIR.'class.file.php'); ...@@ -21,7 +21,7 @@ require_once(INCLUDE_DIR.'class.file.php');
if (!$_GET['key'] if (!$_GET['key']
|| !$_GET['signature'] || !$_GET['signature']
|| !$_GET['expires'] || !$_GET['expires']
|| !($file = AttachmentFile::lookup($_GET['key'])) || !($file = AttachmentFile::lookupByHash($_GET['key']))
) { ) {
Http::response(404, __('Unknown or invalid file')); Http::response(404, __('Unknown or invalid file'));
} }
......
include/class.orm.php
+ 1
1
View file @ 1eaa6910
...@@ -2601,7 +2601,7 @@ class MySqlCompiler extends SqlCompiler { ...@@ -2601,7 +2601,7 @@ class MySqlCompiler extends SqlCompiler {
} }
function quote($what) { function quote($what) {
return "`$what`"; return sprintf("`%s`", str_replace("`", "``", $what));
} }
/** /**
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment