Fix EZP-26405: SQL Injection in Search Component (ezsearchengine)
Follow-up to 6d92659 which was incomplete.

(cherry picked from commit 3e549c815d7c35347567824e1a39890ed4bc919f)
(cherry picked from commit b080ebb58f80b9cffb803464f36db261d8c4d9ec)
(cherry picked from commit 4a7824949ecbb0fa70b15b22811f9f84af19ea0a)
glye committed Mar 7, 2017
1 parent 863c3e4 commit 874d7c0
Showing 1 changed file with 13 additions and 13 deletions.
26 changes: 13 additions & 13 deletions kernel/search/plugins/ezsearchengine/ezsearchengine.php
Expand Up @@ -587,12 +587,12 @@ public function search( $searchText, $params = array(), $searchTypes = array() )
$sectionQuery = '';
if ( is_numeric( $searchSectionID ) and $searchSectionID > 0 )
{
$sectionQuery = "ezsearch_object_word_link.section_id = '$searchSectionID' AND ";
$sectionQuery = "ezsearch_object_word_link.section_id = '" . (int)$searchSectionID . "' AND ";
}
else if ( is_array( $searchSectionID ) )
{
// Build query for searching in an array of sections
$sectionQuery = $db->generateSQLINStatement( $searchSectionID, 'ezsearch_object_word_link.section_id', false, false, 'int' ) . " AND ";
$sectionQuery = $db->generateSQLINStatement( array_map( 'intval', $searchSectionID ), 'ezsearch_object_word_link.section_id', false, false, 'int' ) . " AND ";
}

$searchDateQuery = '';
Expand Down Expand Up @@ -660,13 +660,13 @@ public function search( $searchText, $params = array(), $searchTypes = array() )
if ( is_numeric( $searchContentClassID ) and $searchContentClassID > 0 )
{
// Build query for searching in one class
$classQuery = "ezsearch_object_word_link.contentclass_id = '$searchContentClassID' AND ";
$classQuery = "ezsearch_object_word_link.contentclass_id = '" . (int)$searchContentClassID . "' AND ";
$this->GeneralFilter['classAttributeQuery'] = $classQuery;
}
else if ( is_array( $searchContentClassID ) )
{
// Build query for searching in a number of classes
$classString = $db->generateSQLINStatement( $searchContentClassID, 'ezsearch_object_word_link.contentclass_id', false, false, 'int' );
$classString = $db->generateSQLINStatement( array_map( 'intval', $searchContentClassID ), 'ezsearch_object_word_link.contentclass_id', false, false, 'int' );
$classQuery = "$classString AND ";
$this->GeneralFilter['classAttributeQuery'] = $classQuery;
}
Expand All @@ -679,7 +679,7 @@ public function search( $searchText, $params = array(), $searchTypes = array() )
else if ( is_array( $searchContentClassAttributeID ) )
{
// Build query for searching in a number of attributes
$classAttributeQuery = $db->generateSQLINStatement( $searchContentClassAttributeID , 'ezsearch_object_word_link.contentclass_attribute_id', false, false, 'int' ) . ' AND ';
$classAttributeQuery = $db->generateSQLINStatement( array_map( 'intval', $searchContentClassAttributeID ), 'ezsearch_object_word_link.contentclass_attribute_id', false, false, 'int' ) . ' AND ';
}

// Get the total number of objects
Expand Down Expand Up @@ -1488,7 +1488,7 @@ function searchAttributeByIdentifier( $searchParams )
{
$db = eZDB::instance();
$identifier = $db->escapeString( $searchParams['identifier'] );
$textValue = $db->escapeString( $searchParams['value'] );
$textValue = $searchParams['value'];

$searchText = $this->normalizeText( $textValue, false );

Expand Down Expand Up @@ -1565,7 +1565,7 @@ function searchAttributePatternText( $searchParams )
{
$db = eZDB::instance();
$classAttributeID = $db->escapeString( $searchParams['classattribute_id'] );
$textValue = $db->escapeString( $searchParams['value'] );
$textValue = $searchParams['value'];

// $searchText = $this->normalizeText( $textValue );
$searchText = $textValue;
Expand Down Expand Up @@ -1620,7 +1620,7 @@ function searchAttributeFulltext( $searchParams )
{
$db = eZDB::instance();
$classAttributeID = $db->escapeString( $searchParams['classattribute_id'] );
$textValue = $db->escapeString( $searchParams['value'] );
$textValue = $searchParams['value'];

$searchText = $this->normalizeText( $textValue, false );

Expand Down Expand Up @@ -2029,7 +2029,7 @@ function prepareWordIDArraysForPattern( $searchText )
{
if ( $wordsCount > 0 )
$wordQueryString .= " or ";
$wordQueryString .= " word='$searchWord' ";
$wordQueryString .= " word='" . $db->escapeString( $searchWord ) . "' ";
$wordsCount++;
}
}
Expand All @@ -2051,7 +2051,7 @@ function prepareWordIDArraysForPattern( $searchText )
$patternWordIDHash = array();
foreach ( $patternWordArray as $word )
{
$patternWordIDRes = $db->arrayQuery( "SELECT id, word, object_count FROM ezsearch_word where word like '" . $word . "%' order by object_count" );
$patternWordIDRes = $db->arrayQuery( "SELECT id, word, object_count FROM ezsearch_word where word like '" . $db->escapeString( $word ) . "%' order by object_count" );
$matchedWords = array();
foreach ( $patternWordIDRes as $wordRes )
{
Expand Down Expand Up @@ -2111,20 +2111,20 @@ function prepareWordIDArrays( $searchText )
if ( $searchWord[$wordLength] == '*' )
{
$baseWord = substr( $searchWord, 0, $wordLength );
$wildCardQueryString[] = " word LIKE '". $baseWord ."%' ";
$wildCardQueryString[] = " word LIKE '". $db->escapeString( $baseWord ) ."%' ";
continue;
}
else if ( $searchWord[0] == '*' ) /* Change this to allow searching for shorter/longer words using wildcard */
{
$baseWord = substr( $searchWord, 1, $wordLength );
$wildCardQueryString[] = " word LIKE '%". $baseWord ."' ";
$wildCardQueryString[] = " word LIKE '%". $db->escapeString( $baseWord ) ."' ";
continue;
}
}
if ( $i > 0 )
$wordQueryString .= " or ";

$wordQueryString .= " word='$searchWord' ";
$wordQueryString .= " word='" . $db->escapeString( $searchWord ) . "' ";
$i++;
}

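Review bot: The quote escaping done by `$db->escapeString()` does not, as far as this page shows, neutralise the LIKE metacharacters `%` and `_`, so in the `prepareWordIDArraysForPattern` hunk (`where word like '" . $db->escapeString( $word ) . "%'`) and in both `word LIKE` branches of `prepareWordIDArrays` a user-supplied `%` or `_` still acts as a wildcard and can turn a prefix lookup into a scan of the whole ezsearch_word table. Escaping the pattern characters before the quote escaping, `$db->escapeString( addcslashes( $word, '%_' ) )`, keeps the term literal; the escape character each eZDB backend honours in LIKE should be confirmed before relying on it. Dropping `escapeString()` on `$textValue` in the three `searchAttribute*` hunks is only safe if every consumer of that value now escapes it itself — `prepareWordIDArrays` does, but those functions continue outside the hunks, so the remaining uses of `$searchText` should be checked. For consistency with the `(int)` casts introduced in the `search()` hunks, `$classAttributeID` could also be cast to int rather than string-escaped.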
