Merge remote-tracking branch 'GHSA-gf46-prm4-56pc/fix-advisory-3' int…

…o release/8.0.5
PrestaShop · Jul 19, 2023 · f82cb30 · f82cb30
2 parents 0691d08 + 79f352c
commit f82cb30
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/classes/RequestSql.php b/classes/RequestSql.php
@@ -65,6 +65,7 @@ class RequestSqlCore extends ObjectModel
             'RESET', 'START', 'STOP', 'PURGE', 'EXECUTE', 'PREPARE', 'DEALLOCATE', 'LOCK', 'USING', 'DROP', 'FOR', 'UPDATE', 'BEGIN', 'BY', 'ALL', 'SHARE',
             'MODE', 'TO', 'KEY', 'DISTINCTROW', 'DISTINCT',  'HIGH_PRIORITY', 'LOW_PRIORITY', 'DELAYED', 'IGNORE', 'FORCE', 'STRAIGHT_JOIN',
             'SQL_SMALL_RESULT', 'SQL_BIG_RESULT', 'QUICK', 'SQL_BUFFER_RESULT', 'SQL_CACHE', 'SQL_NO_CACHE', 'SQL_CALC_FOUND_ROWS', 'WITH',
+            'OUTFILE', 'DUMPFILE',
         ],
     ];
 

diff --git a/classes/db/Db.php b/classes/db/Db.php
@@ -603,7 +603,11 @@ public function executeS($sql, $array = true, $use_cache = true)
         }
 
         // This method must be used only with queries which display results
-        if (!preg_match('#^\s*\(?\s*(select|show|explain|describe|desc|checksum)\s#i', $sql)) {
+        if (
+            !preg_match('#^\s*\(?\s*(select|show|explain|describe|desc|checksum)\s#i', $sql)
+            || stripos($sql, 'outfile') !== false
+            || stripos($sql, 'dumpfile') !== false
+        ) {
             throw new PrestaShopDatabaseException('Db->executeS() must be used only with select, show, explain or describe queries');
         }