Skip to content
Permalink
Browse files Browse the repository at this point in the history
Dropped unsafe usage of preg_replace
It could be tricked by apending /e\x00 to execute arbitrary php code.
The new code does simple string replace, we don't really need any of
regex stuff here.
  • Loading branch information
nijel authored and lem9 committed Apr 24, 2013
1 parent 8dbce7e commit dedd542
Showing 1 changed file with 11 additions and 2 deletions.
13 changes: 11 additions & 2 deletions libraries/mult_submits.inc.php
Expand Up @@ -425,14 +425,23 @@

case 'replace_prefix_tbl':
$current = $selected[$i];
$newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
if (substr($current, 0, strlen($from_prefix)) == $from_prefix) {
$newtablename = $to_prefix . substr($current, strlen($from_prefix));
} else {
$newtablename = $current;
}
$a_query = 'ALTER TABLE ' . PMA_backquote($selected[$i]) . ' RENAME ' . PMA_backquote($newtablename) ; // CHANGE PREFIX PATTERN
$run_parts = true;
break;

case 'copy_tbl_change_prefix':
$current = $selected[$i];
$newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
if (substr($current, 0, strlen($from_prefix)) == $from_prefix) {
$newtablename = $to_prefix . substr($current, strlen($from_prefix));
} else {
$newtablename = $current;
}
$newtablename = $to_prefix . substr($current, strlen($from_prefix));
$a_query = 'CREATE TABLE ' . PMA_backquote($newtablename) . ' SELECT * FROM ' . PMA_backquote($selected[$i]) ; // COPY TABLE AND CHANGE PREFIX PATTERN
$run_parts = true;
break;
Expand Down

0 comments on commit dedd542

Please sign in to comment.