Skip to content

Commit

Permalink
security: SQL Injection
Browse files Browse the repository at this point in the history 
This mitigates a possible SQL injection vulnerability reported by
Bittylicious.
  • Loading branch information
@protich @JediKev
protich authored and JediKev committed Oct 7, 2021
1 parent e90d3be commit e282910
Show file tree
Hide file tree
Showing 5 changed files with 24 additions and 12 deletions.
8 changes: 4 additions & 4 deletions include/class.staff.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -862,11 +862,11 @@ static function lookup($var) {
if (is_array($var))
return parent::lookup($var);
elseif (is_numeric($var))
return parent::lookup(array('staff_id'=>$var));
return parent::lookup(array('staff_id' => (int) $var));
elseif (Validator::is_email($var))
return parent::lookup(array('email'=>$var));
elseif (is_string($var))
return parent::lookup(array('username'=>$var));
return parent::lookup(array('email' => $var));
elseif (is_string($var) && Validator::is_username($var))
return parent::lookup(array('username' => (string) $var));
else
return null;
}
Expand Down
8 changes: 4 additions & 4 deletions include/class.user.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1341,10 +1341,10 @@ static function createForUser($user, $defaults=false) {
}

static function lookupByUsername($username) {
if (strpos($username, '@') !== false)
$user = static::lookup(array('user__emails__address'=>$username));
else
$user = static::lookup(array('username'=>$username));
if (Validator::is_email($username))
$user = static::lookup(array('user__emails__address' => $username));
elseif (Validator::is_userid($username))
$user = static::lookup(array('username' => $username));

return $user;
}
Expand Down
9 changes: 8 additions & 1 deletion include/class.validator.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -220,11 +220,18 @@ static function is_ip($ip, &$error='') {
static function is_username($username, &$error='') {
if (strlen($username)<2)
$error = __('Username must have at least two (2) characters');
elseif (!preg_match('/^[\p{L}\d._-]+$/u', $username))
elseif (is_numeric($username) || !preg_match('/^[\p{L}\d._-]+$/u', $username))
$error = __('Username contains invalid characters');
return $error == '';
}

static function is_userid($userid, &$error='') {
if (!self::is_username($userid)
&& !self::is_email($userid))
$error = __('Invalid User Id ');
return $error == '';
}

static function is_formula($text, &$error='') {
if (!preg_match('/^[^=\+@-].*$/s', $text))
$error = __('Content cannot start with the following characters: = - + @');
Expand Down
4 changes: 3 additions & 1 deletion pwreset.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,9 @@
}
switch ($_POST['do']) {
case 'sendmail':
if (($acct=ClientAccount::lookupByUsername($_POST['userid']))) {
$userid = (string) $_POST['userid'];
if (Validator::is_userid($userid)
&& ($acct=ClientAccount::lookupByUsername($userid))) {
if (!$acct->isPasswdResetEnabled()) {
$banner = __('Password reset is not enabled for your account. Contact your administrator');
}
Expand Down
7 changes: 5 additions & 2 deletions scp/pwreset.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,9 @@
}
switch ($_POST['do']) {
case 'sendmail':
if (($staff=Staff::lookup($_POST['userid']))) {
$userid = (string) $_POST['userid'];
if (Validator::is_userid($userid)
&& ($staff=Staff::lookup($userid))) {
if (!$staff->hasPassword()) {
if ($staff->sendResetEmail('registration-staff', false) !== false)
$msg = __('Registration email sent successfully.');
Expand Down Expand Up @@ -72,7 +74,8 @@
$msg = __('Please enter your username or email');
$_config = new Config('pwreset');
if (($id = $_config->get($_GET['token']))
&& ($staff = Staff::lookup($id)))
&& is_numeric($id)
&& ($staff = Staff::lookup( (int) $id)))
// TODO: Detect staff confirmation (for welcome email)
$tpl = 'pwreset.login.php';
else
Expand Down

0 comments on commit e282910

Please sign in to comment.