This commit addresses an SQL injection vulnerability in the ORM lookup
function.

* The ORM implementation failed to properly quote fields used in SQL
statements that might originate from unsanitized user input.

* AttachmentFile lookup allowed for key-based SQL injection by blindly
delegating non-string lookup to the ORM.
protich committed Sep 14, 2017
1 parent d2ef3b1 commit 1eaa691
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion file.php
@@ -21,7 +21,7 @@
if (!$_GET['key']
|| !$_GET['signature']
|| !$_GET['expires']
|| !($file = AttachmentFile::lookup($_GET['key']))
|| !($file = AttachmentFile::lookupByHash($_GET['key']))
) {
Http::response(404, __('Unknown or invalid file'));
}
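Review bot: The guard on line 21 still lets a non-string `$_GET['key']` through to the lookup, so the fix depends entirely on `lookupByHash` refusing array input, which this hunk does not show. Since the commit message says the original bug was "blindly delegating non-string lookup to ORM" (a request such as `?key[]=...` makes `$_GET['key']` an array), add an explicit type check at the entry point so the request is rejected before any lookup runs, e.g. `|| !is_string($_GET['key'])` alongside the existing `!$_GET['key']` test. That keeps the 404 path the single place that handles malformed keys and does not rely on the ORM's behaviour for untrusted types.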
2 changes: 1 addition & 1 deletion include/class.orm.php
@@ -2601,7 +2601,7 @@ function($m) use ($self, $q) {
}

function quote($what) {
return "`$what`";
return sprintf("`%s`", str_replace("`", "``", $what));
}

/**
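Review bot: Doubling backticks in `quote($what)` is the correct MySQL identifier escape, but the hunk adds no test for it and no note on what `quote` is for. Add a unit test asserting that a name containing a backtick comes back doubled, e.g. `quote('a`b')` returning "`a``b`", so a later refactor cannot silently revert to the unescaped `"`$what`"` form. Also document, in the `/**` block that follows, that `quote` is for identifiers (column and table names) only and must never be used for values; and since escaping turns an attacker-controlled field name into a query error rather than rejecting it, the callers that pass user-originated field names should still validate them against the model's known fields before they reach this function.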