From 1eaa69103a3fbed6cdfb58578e1a917724f7c147 Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Thu, 14 Sep 2017 03:17:06 +0000
Subject: [PATCH] CVE-2017-14396

This commit addresses an SQL injection vulnerability in ORM lookup
function.

* ORM implementation failed to properly quote fields used in SQL
statements that might originate from unsanitized user input.

* AttachmentFile lookup allowed for key based SQL injection by blindly
delegating non-string lookup to ORM.
---
 file.php              | 2 +-
 include/class.orm.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/file.php b/file.php
index ed0a4465e..33ffec5ff 100644
--- a/file.php
+++ b/file.php
@@ -21,7 +21,7 @@ require_once(INCLUDE_DIR.'class.file.php');
 if (!$_GET['key']
     || !$_GET['signature']
     || !$_GET['expires']
-    || !($file = AttachmentFile::lookup($_GET['key']))
+    || !($file = AttachmentFile::lookupByHash($_GET['key']))
 ) {
     Http::response(404, __('Unknown or invalid file'));
 }
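Review bot: The new condition still passes `$_GET['key']` straight to lookupByHash() without establishing that it is a string; `!$_GET['key']` is false for a non-empty array, and PHP decodes bracketed query parameters into arrays, so the type guard the commit message relies on lives entirely in lookupByHash(), which is defined outside this patch and cannot be confirmed here. Enforcing the type at the request boundary keeps the fix independent of how the model method is implemented: add `|| !is_string($_GET['key'])` to the condition before the lookup line. Using `!isset($_GET['key'])` instead of `!$_GET['key']` (and likewise for `signature` and `expires`) would also avoid an undefined-index notice when the parameter is absent.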
diff --git a/include/class.orm.php b/include/class.orm.php
index 1f37f679b..7539c1445 100644
--- a/include/class.orm.php
+++ b/include/class.orm.php
@@ -2601,7 +2601,7 @@ class MySqlCompiler extends SqlCompiler {
     }
 
     function quote($what) {
-        return "`$what`";
+        return sprintf("`%s`", str_replace("`", "``", $what));
     }
 
     /**
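Review bot: quote() now doubles embedded backticks, which is the correct MySQL identifier escaping, but nothing documents that this method quotes identifiers rather than values or that `$what` is expected to be a string; a non-string argument (an array, for instance) reaches str_replace() and sprintf() unchecked. Suggest a docblock above the method along the lines of `Quote a MySQL identifier (table or column name). Embedded backticks are doubled per MySQL identifier rules; this is not value escaping, so data must still go through parameter binding or value escaping.` If callers are confirmed never to pass non-string identifiers legitimately, a guard such as `if (!is_string($what)) throw new InvalidArgumentException('identifier must be a string');` at the top of the method would make the contract explicit instead of relying on string coercion. The enclosing MySqlCompiler class begins outside the hunk.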
-- 
GitLab