CVE-2017-14396

This commit addresses an SQL injection vulnerability in ORM lookup function. * ORM implementation failed to properly quote fields, used in SQL statements, that might originate from unsanitized user input. * AttachmentFile lookup allowed for key based SQL injection by blindly delegating non-string lookup to ORM.

CVE-2017-14396
a5dcf86a · Peter Rotich · Peter Rotich · 9ee76ca0 · a5dcf86a · a5dcf86a
Commit a5dcf86a authored 7 years ago by Peter Rotich Committed by Peter Rotich 7 years ago
--- a/file.php
+++ b/file.php
@@ -21,7 +21,7 @@ require_once(INCLUDE_DIR.'class.file.php');
 if (!$_GET['key']
    || !$_GET['signature']
    || !$_GET['expires']
-    || !($file = AttachmentFile::lookup($_GET['key']))
+    || !($file = AttachmentFile::lookupByHash($_GET['key']))
 ) {
    Http::response(404, __('Unknown or invalid file'));
 }

--- a/include/class.file.php
+++ b/include/class.file.php
@@ -559,6 +559,10 @@ class AttachmentFile {
        return $id;
    }

+    function lookupByHash($hash) {
+        return self::lookup(AttachmentFile::getIdByHash($hash));
+    }
+
    function lookup($id) {

        $id = is_numeric($id)?$id:AttachmentFile::getIdByHash($id);

--- a/include/class.orm.php
+++ b/include/class.orm.php
@@ -875,7 +875,7 @@ class MySqlCompiler extends SqlCompiler {
    }

    function quote($what) {
-        return "`$what`";
+        return sprintf("`%s`", str_replace("`", "``", $what));
    }

    /**