
CVE-2017-14396

This commit addresses an SQL injection vulnerability in the ORM lookup
function.

* ORM implementation failed to properly quote fields used in SQL
statements that might originate from unsanitized user input.

* AttachmentFile lookup allowed for key based SQL injection by blindly
delegating non-string lookup to ORM.
protich committed Sep 14, 2017
1 parent d2ef3b1 commit 1eaa69103a3fbed6cdfb58578e1a917724f7c147
Showing with 2 additions and 2 deletions.
  1. +1 −1 file.php
  2. +1 −1 include/class.orm.php
@@ -21,7 +21,7 @@
if (!$_GET['key']
|| !$_GET['signature']
|| !$_GET['expires']
|| !($file = AttachmentFile::lookup($_GET['key']))
|| !($file = AttachmentFile::lookupByHash($_GET['key']))
) {
Http::response(404, __('Unknown or invalid file'));
}
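Review bot: The guard on the first three lines of this hunk only tests `$_GET['key']` for truthiness, so a non-string value (an array from a `key[...]=` query parameter) still reaches `AttachmentFile::lookupByHash($_GET['key'])`; switching from `lookup()` to `lookupByHash()` removes the generic-ORM path the commit message describes, but this hunk does not show that `lookupByHash` rejects or casts non-string input. Suggest adding an explicit `!is_string($_GET['key'])` to the condition (or a cast at the call site) so the guard itself enforces the type rather than relying on the callee.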
@@ -2601,7 +2601,7 @@ function($m) use ($self, $q) {
}
function quote($what) {
return "`$what`";
return sprintf("`%s`", str_replace("`", "``", $what));
}
/**
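Review bot: Doubling backticks in `sprintf("\`%s\`", str_replace("\`", "\`\`", $what))` is the correct MySQL identifier escape, but `quote()` still accepts any type: `str_replace()` on an array `$what` returns an array, and `sprintf('%s', ...)` then stringifies it as `Array` with a notice, yielding a quoted identifier that silently refers to the wrong column. Suggest a `(string)` cast or an `is_string()` check at the top of `quote()`, and a docblock stating that the function produces a MySQL backtick-quoted identifier (so other dialects that quote identifiers with `"` are visibly out of scope).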
