[SECURITY] Prevent possible SQL injection through IpAddress GET param…

…eter Related: https://projekte.in2code.de/issues/57061
in2code-de · May 28, 2023 · d80eb99 · d80eb99
1 parent 28c55ba
commit d80eb99
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/Classes/Domain/Service/IpToCountry/LocalDatabase.php b/Classes/Domain/Service/IpToCountry/LocalDatabase.php
@@ -44,9 +44,14 @@ protected function getCountryCodeFromIpInDatabase(string $ipAddress): string
     {
         $connection = DatabaseUtility::getConnectionForTable(self::TABLE_NAME);
         $sql = 'select countryCode from ' . self::TABLE_NAME
-            . ' where inet_aton("' . $ipAddress . '") >= inet_aton(ipRangeStart)' .
-            ' and inet_aton("' . $ipAddress . '") <= inet_aton(ipRangeEnd) limit 1';
+            . ' where inet_aton("' . $this->sanitizeIpAddress($ipAddress) . '") >= inet_aton(ipRangeStart)' .
+            ' and inet_aton("' . $this->sanitizeIpAddress($ipAddress) . '") <= inet_aton(ipRangeEnd) limit 1';
         $result = (string)$connection->query($sql)->fetchColumn(0);
         return strtolower($result);
     }
+
+    protected function sanitizeIpAddress(string $ipAddress): string
+    {
+        return preg_replace('~[^0-9\.]~', '', $ipAddress);
+    }
 }