
Fix EZP-26405: SQL Injection in Search Component (ezsearchengine) (#105)

(cherry picked from commit 4005a9092178cc485868b1067a2101c59a80be4f)
1 parent aec3cac commit 6d926593fd5c00028b8d379c7273898b3055beed @glye glye committed Oct 20, 2016
Showing with 41 additions and 25 deletions.
  1. +41 −25 kernel/search/plugins/ezsearchengine/ezsearchengine.php
@@ -1399,16 +1399,17 @@ public function supportedSearchTypes()
function searchAttributeInteger( $searchParams )
{
- $classAttributeID = $searchParams['classattribute_id'];
- $value = $searchParams['value'];
+ $db = eZDB::instance();
+ $classAttributeID = $db->escapeString( $searchParams['classattribute_id'] );
+ $value = (int)$db->escapeString( $searchParams['value'] );
$classAttributeQuery = "";
if ( is_numeric( $classAttributeID ) and $classAttributeID > 0 )
{
$classAttributeQuery = "ezsearch_object_word_link.contentclass_attribute_id = '$classAttributeID' AND ";
}
- $searchPartSql = " ezsearch_object_word_link.integer_value = $value AND";
+ $searchPartSql = " ezsearch_object_word_link.integer_value = '$value' AND";
$searchPartText = $classAttributeQuery . $searchPartSql;
$tableResult = $this->createTemporaryTable( $searchPartText );
@@ -1425,17 +1426,22 @@ function searchAttributeInteger( $searchParams )
function searchAttributeIntegers( $searchParams )
{
- $classAttributeID = $searchParams['classattribute_id'];
- $values = $searchParams['values'];
+ $db = eZDB::instance();
+ $classAttributeID = $db->escapeString( $searchParams['classattribute_id'] );
+ $values = array();
+ foreach ( $searchParams['values'] as $value )
+ {
+ $values[] = (int)$db->escapeString( $value );
+ }
$classAttributeQuery = "";
if ( is_numeric( $classAttributeID ) and $classAttributeID > 0 )
{
$classAttributeQuery = "ezsearch_object_word_link.contentclass_attribute_id = '$classAttributeID' AND ";
}
- $integerValuesSql = implode( ', ', $values );
- $searchPartSql = " ezsearch_object_word_link.integer_value IN ( $integerValuesSql ) AND";
+ $integerValuesSql = implode( "', '", $values );
+ $searchPartSql = " ezsearch_object_word_link.integer_value IN ( '$integerValuesSql' ) AND";
$searchPartText = $classAttributeQuery . $searchPartSql;
$tableResult = $this->createTemporaryTable( $searchPartText );
@@ -1452,17 +1458,18 @@ function searchAttributeIntegers( $searchParams )
function searchAttributeByRange( $searchParams )
{
- $classAttributeID = $searchParams['classattribute_id'];
- $fromValue = $searchParams['from'];
- $toValue = $searchParams['to'];
+ $db = eZDB::instance();
+ $classAttributeID = $db->escapeString( $searchParams['classattribute_id'] );
+ $fromValue = (int)$db->escapeString( $searchParams['from'] );
+ $toValue = (int)$db->escapeString( $searchParams['to'] );
$classAttributeQuery = "";
if ( is_numeric( $classAttributeID ) and $classAttributeID > 0 )
{
$classAttributeQuery = "ezsearch_object_word_link.contentclass_attribute_id = '$classAttributeID' AND ";
}
- $searchPartSql = " ezsearch_object_word_link.integer_value BETWEEN $fromValue AND $toValue AND";
+ $searchPartSql = " ezsearch_object_word_link.integer_value BETWEEN '$fromValue' AND '$toValue' AND";
$searchPartText = $classAttributeQuery . $searchPartSql;
$tableResult = $this->createTemporaryTable( $searchPartText );
@@ -1479,8 +1486,9 @@ function searchAttributeByRange( $searchParams )
function searchAttributeByIdentifier( $searchParams )
{
- $identifier = $searchParams['identifier'];
- $textValue = $searchParams['value'];
+ $db = eZDB::instance();
+ $identifier = $db->escapeString( $searchParams['identifier'] );
+ $textValue = $db->escapeString( $searchParams['value'] );
$searchText = $this->normalizeText( $textValue, false );
@@ -1511,11 +1519,12 @@ function searchAttributeByIdentifier( $searchParams )
function searchAttributeByIdentifierRange( $searchParams )
{
- $identifier = $searchParams['identifier'];
- $fromValue = $searchParams['from'];
- $toValue = $searchParams['to'];
+ $db = eZDB::instance();
+ $identifier = $db->escapeString( $searchParams['identifier'] );
+ $fromValue = (int)$db->escapeString( $searchParams['from'] );
+ $toValue = (int)$db->escapeString( $searchParams['to'] );
- $searchPartSql = " ezsearch_object_word_link.integer_value BETWEEN $fromValue AND $toValue AND ezsearch_object_word_link.identifier = '$identifier' AND";
+ $searchPartSql = " ezsearch_object_word_link.integer_value BETWEEN '$fromValue' AND '$toValue' AND ezsearch_object_word_link.identifier = '$identifier' AND";
$tableResult = $this->createTemporaryTable( $searchPartSql );
if ( $tableResult === false )
@@ -1530,11 +1539,16 @@ function searchAttributeByIdentifierRange( $searchParams )
function searchAttributeIntegersByIdentifier( $searchParams )
{
- $identifier = $searchParams['identifier'];
- $values = $searchParams['values'];
+ $db = eZDB::instance();
+ $identifier = $db->escapeString( $searchParams['identifier'] );
+ $values = array();
+ foreach ( $searchParams['values'] as $value )
+ {
+ $values[] = (int)$db->escapeString( $value );
+ }
- $integerValuesSql = implode( ', ', $values );
- $searchPartSql = " ezsearch_object_word_link.integer_value IN ( $integerValuesSql ) AND ezsearch_object_word_link.identifier = '$identifier' AND";
+ $integerValuesSql = implode( "', '", $values );
+ $searchPartSql = " ezsearch_object_word_link.integer_value IN ( '$integerValuesSql' ) AND ezsearch_object_word_link.identifier = '$identifier' AND";
$tableResult = $this->createTemporaryTable( $searchPartSql );
if ( $tableResult === false )
@@ -1549,8 +1563,9 @@ function searchAttributeIntegersByIdentifier( $searchParams )
function searchAttributePatternText( $searchParams )
{
- $classAttributeID = $searchParams['classattribute_id'];
- $textValue = $searchParams['value'];
+ $db = eZDB::instance();
+ $classAttributeID = $db->escapeString( $searchParams['classattribute_id'] );
+ $textValue = $db->escapeString( $searchParams['value'] );
// $searchText = $this->normalizeText( $textValue );
$searchText = $textValue;
@@ -1603,8 +1618,9 @@ function searchAttributePatternText( $searchParams )
function searchAttributeFulltext( $searchParams )
{
- $classAttributeID = $searchParams['classattribute_id'];
- $textValue = $searchParams['value'];
+ $db = eZDB::instance();
+ $classAttributeID = $db->escapeString( $searchParams['classattribute_id'] );
+ $textValue = $db->escapeString( $searchParams['value'] );
$searchText = $this->normalizeText( $textValue, false );
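Review bot: In searchAttributeByIdentifier and searchAttributeFulltext the value is escaped before it is passed through normalizeText(), so the escaping protects the pre-normalization string rather than the string that presumably ends up in the SQL; if normalizeText() strips or rewrites punctuation it can remove the backslashes escapeString() added while leaving the quote characters in place. Escaping should be applied to the final value at the point of interpolation, e.g. `$searchText = $db->escapeString( $this->normalizeText( $searchParams['value'], false ) );`, unless the code after the hunk already escapes the normalized text — the bodies of these functions continue outside the hunks, so I cannot confirm either way. The `escapeString()` calls wrapped in `(int)` are redundant since the cast alone yields a safe integer; for consistency classattribute_id could be handled the same way, `$classAttributeID = (int)$searchParams['classattribute_id'];`, which also makes the is_numeric() guard simpler.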

2 comments on commit 6d92659

@pkamps
Contributor
pkamps commented on 6d92659 Jan 14, 2017

The patched code here is fairly dead. In recent ezp versions, nothing seems to trigger the code. An alternative approach would be to just remove the entire code section. Compare:
mugoweb#27

@glye
Member
glye commented on 6d92659 Jan 16, 2017

@pkamps Hi! This code may be "pining for the fjords" but it's not quite dead yet. The fix is reproducible on recent versions. Given the nature of the bug I don't want to detail how it's tested. Your alternative approach of removing code is of course good for those who don't need the features, but it's not something we can easily do on the eZ end of things :)
Cheers
