
Commit dedd542

nijelMarc Delisle
authored and
Marc Delisle
committed
Dropped unsafe usage of preg_replace
It could be tricked by appending /e\x00 to execute arbitrary PHP code. The new code does a simple string replace; we don't really need any regex features here.
1 parent 8dbce7e commit dedd542


1 file changed

+11
-2
lines changed

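--- a/libraries/mult_submits.inc.php
+++ b/libraries/mult_submits.inc.php
@@ -425,14 +425,23 @@
 
 case 'replace_prefix_tbl':
 $current = $selected[$i];
-$newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
+if (substr($current, 0, strlen($from_prefix)) == $from_prefix) {
+$newtablename = $to_prefix . substr($current, strlen($from_prefix));
+} else {
+$newtablename = $current;
+}
 $a_query = 'ALTER TABLE ' . PMA_backquote($selected[$i]) . ' RENAME ' . PMA_backquote($newtablename) ; // CHANGE PREFIX PATTERN
 $run_parts = true;
 break;
 
 case 'copy_tbl_change_prefix':
 $current = $selected[$i];
-$newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
+if (substr($current, 0, strlen($from_prefix)) == $from_prefix) {
+$newtablename = $to_prefix . substr($current, strlen($from_prefix));
+} else {
+$newtablename = $current;
+}
+$newtablename = $to_prefix . substr($current, strlen($from_prefix));
 $a_query = 'CREATE TABLE ' . PMA_backquote($newtablename) . ' SELECT * FROM ' . PMA_backquote($selected[$i]) ; // COPY TABLE AND CHANGE PREFIX PATTERN
 $run_parts = true;
 break;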
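Review bot: In the `copy_tbl_change_prefix` case, the added new-side line 444, `$newtablename = $to_prefix . substr($current, strlen($from_prefix));`, runs after the new if/else and unconditionally overwrites its result, so the `else` branch is dead. A selected table whose name does not start with `$from_prefix` therefore has its first `strlen($from_prefix)` characters cut off and replaced, and `CREATE TABLE` receives an unintended name. Delete that line so this case behaves like `replace_prefix_tbl`, which keeps `$current` when the prefix does not match. Both cases also compare with loose `==`, which PHP evaluates numerically for numeric-looking strings; `strncmp($current, $from_prefix, strlen($from_prefix)) === 0` is an exact prefix test. The enclosing `switch` starts and ends outside the hunk.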
