Bugfix: SQL injection in custom field enum/set types
Reported by Peng Zhou @zpbrent
GaryAllan committed Mar 5, 2023
1 parent 470a175 commit 16e7a94
Showing 2 changed files with 3 additions and 1 deletion.
3 changes: 2 additions & 1 deletion functions/classes/class.Admin.php
Expand Up @@ -673,7 +673,7 @@ public function update_custom_field_definition ($field) {

# set type definition and size of needed
if($field['fieldType']=="bool" || $field['fieldType']=="text" || $field['fieldType']=="date" || $field['fieldType']=="datetime") { $field['ftype'] = $field['fieldType']; }
else { $field['ftype'] = $field['fieldType']."(".$field['fieldSize'].")"; }
else { $field['ftype'] = $field['fieldType']."( :enumset )"; }

# default value null
$field['fieldDefault'] = is_blank($field['fieldDefault']) ? NULL : $field['fieldDefault'];
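Review bot: the `:enumset` placeholder removes the direct concatenation of `fieldSize`, but the same `else` branch still concatenates `$field['fieldType']` into the type definition (`$field['fieldType']."( :enumset )"`), so unless `fieldType` is validated against an allow-list elsewhere (not visible in this hunk), that value should be checked against the set of permitted column types before it reaches the query. A second thing to verify: this branch also handles sized types, and if the database layer quotes the bound value (as emulated prepares do), `varchar( :enumset )` becomes `varchar('255')`, which is not valid DDL, while an enum/set value list such as `'a','b'` would be quoted as one literal. A unit test that exercises `update_custom_field_definition` with an enum, a set and a varchar field would confirm that binding inside a column type definition produces the intended statement.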
Expand Down Expand Up @@ -709,6 +709,7 @@ public function update_custom_field_definition ($field) {
$params = array();
if (strpos($query, ":default")>0) $params['default'] = $field['fieldDefault'];
if (strpos($query, ":comment")>0) $params['comment'] = $field['Comment'];
if (strpos($query, ":enumset")>0) $params['enumset'] = $field['fieldSize'];

# execute
try { $res = $this->Database->runQuery($query, $params); }
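Review bot: `strpos($query, ":enumset")>0` follows the existing pattern on the two lines above and is safe only because the placeholder never appears at offset 0; the idiomatic PHP check is `strpos(...) !== false`, which avoids the false/0 ambiguity entirely and would be worth applying to all three lines. Since `fieldSize` is now bound as a parameter rather than validated, consider also enforcing its format at the input boundary (an integer for sized types, a list of values for enum/set) so that a malformed value fails early with a clear error instead of at `runQuery`.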
1 change: 1 addition & 0 deletions misc/CHANGELOG
Expand Up @@ -7,6 +7,7 @@

Security Fixes:
----------------------------
+ SQL injection in custom field enum/set types;
+ XSS (reflected) in 'bw-calulator-result.php';
+ XSS (reflected) by invalid email address response;
+ XSS (reflected) by /app/tools/subnet-masks/popup.php (#3738);
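Review bot: the new CHANGELOG line does not name the affected file or function, unlike the other entries in this block; adding "(functions/classes/class.Admin.php, update_custom_field_definition)" and the reporter credit from the commit message would make the entry easier to map to the fix when triaging.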