Uses escapeshellcmd() and do not allow LOAD_FILE inside queries
lesterchan committed Oct 16, 2014
1 parent f30d92c commit 7037fa8
Showing 5 changed files with 28 additions and 24 deletions.
6 changes: 4 additions & 2 deletions README.md
Expand Up @@ -34,8 +34,10 @@ Allows you to optimize database, repair database, backup database, restore datab

## Changelog
### Version 2.72
* FIXED: Use dbmanager_is_valid_path() to check for mysql and mysqldump path. Fixes arbitrary command injection using backup path. Props Larry W. Cashdollari.
* FIXED: Use realpath() to check for backup path. Fixes arbitrary command injection using backup path. Props Larry W. Cashdollari.
* FIXED: Uses escapeshellcmd() to escape shell commands
* FIXED: Do not allow LOAD_FILE to be run
* FIXED: Uses dbmanager_is_valid_path() to check for mysql and mysqldump path. Fixes arbitrary command injection using backup path. Props Larry W. Cashdollari.
* FIXED: Uses realpath() to check for backup path. Fixes arbitrary command injection using backup path. Props Larry W. Cashdollari.

### Version 2.71
* NEW: Bump to 4.0
4 changes: 2 additions & 2 deletions database-backup.php
Expand Up @@ -42,11 +42,11 @@
if($gzip == 1) {
$backup['filename'] = $backup['date'].'_-_'.DB_NAME.'.sql.gz';
$backup['filepath'] = $backup['path'].'/'.$backup['filename'];
$backup['command'] = $brace.$backup['mysqldumppath'].$brace.' --force --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].$backup['charset'].' --add-drop-table --skip-lock-tables '.DB_NAME.' | gzip > '.$brace.$backup['filepath'].$brace;
$backup['command'] = escapeshellcmd( $brace.$backup['mysqldumppath'].$brace.' --force --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].$backup['charset'].' --add-drop-table --skip-lock-tables '.DB_NAME ).' | gzip > '.escapeshellcmd( $brace.$backup['filepath'].$brace );
} else {
$backup['filename'] = $backup['date'].'_-_'.DB_NAME.'.sql';
$backup['filepath'] = $backup['path'].'/'.$backup['filename'];
$backup['command'] = $brace.$backup['mysqldumppath'].$brace.' --force --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].$backup['charset'].' --add-drop-table --skip-lock-tables '.DB_NAME.' > '.$brace.$backup['filepath'].$brace;
$backup['command'] = escapeshellcmd( $brace.$backup['mysqldumppath'].$brace.' --force --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].$backup['charset'].' --add-drop-table --skip-lock-tables '.DB_NAME ).' > '.escapeshellcmd( $brace.$backup['filepath'].$brace );
}
$error = execute_backup($backup['command']);
if(!is_writable($backup['path'])) {
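Review bot: escapeshellcmd() around the whole command, as on the two new `$backup['command']` lines in this hunk, leaves `"` untouched when the quotes are paired, so a value such as `$backup['password']` or `$backup['host']` containing a `"` still closes the `--password="…"` argument and everything up to the next quote becomes further mysqldump options (argument injection), even though a second command can no longer be started; it also backslash-escapes characters such as `#`, `&` and `*` that sit inside those double quotes, where a POSIX shell keeps the backslash literal, so a password containing any of them now reaches mysqldump with a stray backslash and the backup fails. Escape each interpolated value with escapeshellarg() and drop the hand-written quotes and `$brace`, as sketched below; `$backup['port']`, `$backup['sock']` and `$backup['charset']` are assembled outside this hunk and need the same treatment where they are built. The identical construction appears in database-manage.php and in the cron_dbmanager_backup() hunk of wp-dbmanager.php. escapeshellarg() on Windows replaces `"`, `%` and `!` with spaces, which should be checked against the batch-file path in execute_backup() before relying on it there. The surrounding code starts and ends outside the hunk.
```php
if($gzip == 1) {
    $backup['filename'] = $backup['date'].'_-_'.DB_NAME.'.sql.gz';
    $backup['filepath'] = $backup['path'].'/'.$backup['filename'];
    // One escapeshellarg() per value: the hand-written quotes and $brace go away,
    // and characters such as # or & in the password survive intact.
    $dump = escapeshellarg( $backup['mysqldumppath'] )
        . ' --force'
        . ' --host=' . escapeshellarg( $backup['host'] )
        . ' --user=' . escapeshellarg( DB_USER )
        . ' --password=' . escapeshellarg( $backup['password'] )
        . $backup['port'] . $backup['sock'] . $backup['charset'] // TODO: escape where these are assembled
        . ' --add-drop-table --skip-lock-tables ' . escapeshellarg( DB_NAME );
    $backup['command'] = $dump . ' | gzip > ' . escapeshellarg( $backup['filepath'] );
} else {
    // … unchanged: same construction with ' > ' in place of ' | gzip > ' …
}
```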
4 changes: 2 additions & 2 deletions database-manage.php
Expand Up @@ -44,9 +44,9 @@
}
}
if(stristr($database_file, '.gz')) {
$backup['command'] = 'gunzip < '.$brace.$backup['path'].'/'.$database_file.$brace.' | '.$brace.$backup['mysqlpath'].$brace.' --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].$backup['charset'].' '.DB_NAME;
$backup['command'] = 'gunzip < '.escapeshellcmd( $brace.$backup['path'].'/'.$database_file.$brace ).' | '.escapeshellcmd( $brace.$backup['mysqlpath'].$brace.' --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].$backup['charset'].' '.DB_NAME );
} else {
$backup['command'] = $brace.$backup['mysqlpath'].$brace.' --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].$backup['charset'].' '.DB_NAME.' < '.$brace.$backup['path'].'/'.$database_file.$brace;
$backup['command'] = escapeshellcmd( $brace.$backup['mysqlpath'].$brace.' --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].$backup['charset'].' '.DB_NAME ).' < '.escapeshellcmd( $brace.$backup['path'].'/'.$database_file.$brace );
}
if( realpath( $backup['path'] ) === false ) {
$text = '<p style="color: red;">' . sprintf(__('%s is not a valid backup path', 'wp-dbmanager'), stripslashes( $backup['path'] ) ) . '</p>';
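Review bot: `$database_file` is interpolated into the gunzip/mysql restore command on the new lines of both branches with only escapeshellcmd() around it, which does nothing about `..` path segments; unless the code before this hunk already restricts it, the restore can read a file outside `$backup['path']`, and the `realpath( $backup['path'] )` check on the following lines only covers the directory. Validate the name before building the command, e.g. `if ( basename( $database_file ) !== $database_file ) { /* refuse */ }`, or resolve `realpath( $backup['path'].'/'.$database_file )` and require it to start with the resolved backup directory. The `stristr($database_file, '.gz')` test is a substring match and would send a name like `foo.gz.sql` through gunzip; a suffix check `substr( $database_file, -3 ) === '.gz'` matches the intent. The escapeshellcmd()/escapeshellarg() point raised on database-backup.php applies to both command lines here as well. The surrounding code starts and ends outside the hunk.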
17 changes: 10 additions & 7 deletions database-run.php
Expand Up @@ -37,19 +37,22 @@
}
}
if($sql_queries) {
foreach($sql_queries as $sql_query) {
if (preg_match("/^\\s*(insert|update|replace|delete|create|alter) /i",$sql_query)) {
$run_query = $wpdb->query($sql_query);
if(!$run_query) {
foreach( $sql_queries as $sql_query ) {
if ( preg_match( "/LOAD_FILE/i", $sql_query ) ) {
$text .= "<p style=\"color: red;\">$sql_query</p>";
$totalquerycount++;
} elseif( preg_match( "/^\\s*(select|drop|show|grant) /i", $sql_query ) ) {
$text .= "<p style=\"color: red;\">$sql_query</p>";
$totalquerycount++;
} else if ( preg_match( "/^\\s*(insert|update|replace|delete|create|alter) /i", $sql_query ) ) {
$run_query = $wpdb->query( $sql_query );
if( ! $run_query ) {
$text .= "<p style=\"color: red;\">$sql_query</p>";
} else {
$successquery++;
$text .= "<p style=\"color: green;\">$sql_query</p>";
}
$totalquerycount++;
} elseif (preg_match("/^\\s*(select|drop|show|grant) /i",$sql_query)) {
$text .= "<p style=\"color: red;\">$sql_query</p>";
$totalquerycount++;
}
}
$text .= '<p style="color: blue;">'.number_format_i18n($successquery).'/'.number_format_i18n($totalquerycount).' '.__('Query(s) Executed Successfully', 'wp-dbmanager').'</p>';
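Review bot: The queries rejected by the new LOAD_FILE branch, like those on every other red/green line of the loop, are written into `$text` as raw HTML (`$text .= "<p style=\"color: red;\">$sql_query</p>";`), so user-submitted SQL is reflected into the admin page unescaped; wrap each of those interpolations as `esc_html( $sql_query )`. A substring denylist on the query text is a weak control for file access from SQL; the durable mitigation is running the plugin's database account without the FILE privilege (and setting `secure_file_priv` on the server), keeping the regex only as a user-facing hint. The two reject branches (LOAD_FILE and select/drop/show/grant) do exactly the same thing and could be one `elseif` with a combined pattern, and neither tells the user why the query was refused — appending a short reason such as `' ' . __( 'Query not allowed', 'wp-dbmanager' )` to the red line would help. The `foreach` sits inside file-level code that begins before the hunk.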
21 changes: 10 additions & 11 deletions wp-dbmanager.php
Expand Up @@ -60,7 +60,6 @@ function dbmanager_menu() {
add_action('dbmanager_cron_optimize', 'cron_dbmanager_optimize');
add_action('dbmanager_cron_repair', 'cron_dbmanager_repair');
function cron_dbmanager_backup() {
global $wpdb;
$backup_options = get_option('dbmanager_options');
$backup_email = stripslashes($backup_options['backup_email']);
if(intval($backup_options['backup_period']) > 0) {
Expand All @@ -87,14 +86,14 @@ function cron_dbmanager_backup() {
if(intval($backup_options['backup_gzip']) == 1) {
$backup['filename'] = $backup['date'].'_-_'.DB_NAME.'.sql.gz';
$backup['filepath'] = $backup['path'].'/'.$backup['filename'];
$backup['command'] = $brace.$backup['mysqldumppath'].$brace.' --force --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].' --add-drop-table --skip-lock-tables '.DB_NAME.' | gzip > '.$brace.$backup['filepath'].$brace;
$backup['command'] = escapeshellcmd( $brace.$backup['mysqldumppath'].$brace.' --force --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].' --add-drop-table --skip-lock-tables '.DB_NAME ). ' | gzip > '.escapeshellcmd( $brace.$backup['filepath'].$brace );
} else {
$backup['filename'] = $backup['date'].'_-_'.DB_NAME.'.sql';
$backup['filepath'] = $backup['path'].'/'.$backup['filename'];
$backup['command'] = $brace.$backup['mysqldumppath'].$brace.' --force --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].' --add-drop-table --skip-lock-tables '.DB_NAME.' > '.$brace.$backup['filepath'].$brace;
$backup['command'] = escapeshellcmd( $brace.$backup['mysqldumppath'].$brace.' --force --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].' --add-drop-table --skip-lock-tables '.DB_NAME ). ' > '.escapeshellcmd( $brace.$backup['filepath'].$brace );
}
execute_backup($backup['command']);
if( !empty( $backup_email ) )
if( ! empty( $backup_email ) )
{
dbmanager_email_backup( $backup_email, $backup['filepath'] );
}
Expand Down Expand Up @@ -217,16 +216,16 @@ function execute_backup($command) {
return sprintf( __( '%s is not a valid mysql path', 'wp-dbmanager' ), stripslashes( $backup_options['mysqlpath'] ) );
}

if(substr(PHP_OS, 0, 3) == 'WIN') {
if( substr( PHP_OS, 0, 3 ) === 'WIN' ) {
$writable_dir = $backup_options['path'];
$tmpnam = $writable_dir.'/wp-dbmanager.bat';
$fp = fopen($tmpnam, 'w');
fwrite($fp, $command);
fclose($fp);
system($tmpnam.' > NUL', $error);
unlink($tmpnam);
$fp = fopen( $tmpnam, 'w' );
fwrite ($fp, $command );
fclose( $fp );
system( $tmpnam.' > NUL', $error );
unlink( $tmpnam );
} else {
passthru($command, $error);
passthru( $command, $error );
}
return $error;
}
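Review bot: In the Windows branch of execute_backup() the result of `fopen( $tmpnam, 'w' )` on the reformatted line is still unchecked; when `$backup_options['path']` is not writable, `fwrite`/`fclose` run on `false` and `system()` then executes a batch file that does not exist, so the returned `$error` reflects that failure rather than mysqldump's. Guard it in the same style as the mysql-path check earlier in the function: `if ( ( $fp = fopen( $tmpnam, 'w' ) ) === false ) { return sprintf( __( 'Unable to write %s', 'wp-dbmanager' ), $tmpnam ); }`. Separately, escapeshellcmd() escapes for a POSIX shell, while this branch hands the string to cmd.exe through a batch file, whose `%` expansion and `^` escaping follow different rules, so the Windows path presumably needs its own escaping review. The batch file also uses a fixed name inside the backup directory; a unique temporary name (e.g. via `tempnam()`) would avoid collisions between concurrent runs. The function starts outside the hunk.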
