From a5dcf86a9ef4680cce25f36cf5e8f65b27743842 Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Thu, 14 Sep 2017 03:17:06 +0000
Subject: [PATCH] CVE-2017-14396

This commit addresses an SQL injection vulnerability in ORM lookup
function.

* The ORM implementation failed to properly quote field names used in SQL
statements, which might originate from unsanitized user input.

* AttachmentFile lookup allowed for key based SQL injection by blindly
delegating non-string lookup to ORM.
---
 file.php               | 2 +-
 include/class.file.php | 4 ++++
 include/class.orm.php  | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/file.php b/file.php
index 22cc8094b..1bc44823b 100644
--- a/file.php
+++ b/file.php
@@ -21,7 +21,7 @@ require_once(INCLUDE_DIR.'class.file.php');
 if (!$_GET['key']
     || !$_GET['signature']
     || !$_GET['expires']
-    || !($file = AttachmentFile::lookup($_GET['key']))
+    || !($file = AttachmentFile::lookupByHash($_GET['key']))
 ) {
     Http::response(404, __('Unknown or invalid file'));
 }
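Review bot: The guard above the changed line tests only truthiness, so a `key` parameter submitted as an array still passes `!$_GET['key']` and reaches `lookupByHash` as an array rather than a string; what `getIdByHash` does with a non-string argument is outside this hunk. Adding `|| !is_string($_GET['key'])` to the same condition rejects malformed requests before any database lookup runs. The `signature` and `expires` parameters on the preceding lines have the same gap, and the signature check they feed is presumably further down the script, outside the hunk.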
diff --git a/include/class.file.php b/include/class.file.php
index 8b65e36a7..61c4e84a9 100644
--- a/include/class.file.php
+++ b/include/class.file.php
@@ -559,6 +559,10 @@ class AttachmentFile {
         return $id;
     }
 
+    function lookupByHash($hash) {
+        return self::lookup(AttachmentFile::getIdByHash($hash));
+    }
+
     function lookup($id) {
 
         $id = is_numeric($id)?$id:AttachmentFile::getIdByHash($id);
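Review bot: `lookupByHash` hands the result of `getIdByHash` straight to `lookup`, and `lookup` on the following line re-dispatches any non-numeric value through `getIdByHash` again, so an unknown hash that yields a non-numeric result such as `false` (the body of `getIdByHash` is outside this hunk) triggers a second lookup with a bogus argument instead of a plain miss. Short-circuiting inside the new method avoids that: `$id = self::getIdByHash($hash); return $id ? self::lookup($id) : null;` — confirm `null` against what `lookup` returns on not-found, which is outside the hunk. The new method also mixes `self::` and `AttachmentFile::` on one line and has no docblock; `/** Resolve a file by content hash only — the argument is treated as a hash even when numeric, so request-supplied keys cannot select by id. */` records why it exists apart from lookup(). `lookupByHash` lies entirely within the hunk; `lookup` continues past it.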
diff --git a/include/class.orm.php b/include/class.orm.php
index e7e54d95e..82187f0a0 100644
--- a/include/class.orm.php
+++ b/include/class.orm.php
@@ -875,7 +875,7 @@ class MySqlCompiler extends SqlCompiler {
     }
 
     function quote($what) {
-        return "`$what`";
+        return sprintf("`%s`", str_replace("`", "``", $what));
     }
 
     /**
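Review bot: `quote()` still accepts any value: a non-string `$what` passed to `str_replace` keeps its shape (an array comes back as an array), and `sprintf('%s')` then renders it as the literal `Array` with a warning instead of rejecting it, so a malformed identifier reaches the query text rather than failing at the quoting boundary. A guard such as `if (!is_scalar($what)) throw new InvalidArgumentException('identifier must be scalar');` keeps that failure loud, assuming callers elsewhere in the file never rely on the silent coercion. A docblock would also tell future readers why doubling is the right escape: `/** Quote a MySQL identifier; embedded backticks are doubled, which is how MySQL escapes them inside backtick quoting. */`. The enclosing `MySqlCompiler` class continues outside the hunk.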
-- 
GitLab