Permalink
Browse files

Dropped unsafe usage of preg_replace

It could be tricked by apending /e\x00 to execute arbitrary php code.
The new code does simple string replace, we don't really need any of
regex stuff here.
  • Loading branch information...
1 parent 8dbce7e commit dedd542cdaf1606ca9aa3f6f8f8adb078d8ad549 @nijel nijel committed with lem9 Apr 16, 2013
Showing with 11 additions and 2 deletions.
  1. +11 −2 libraries/mult_submits.inc.php
@@ -425,14 +425,23 @@
case 'replace_prefix_tbl':
$current = $selected[$i];
- $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
+ if (substr($current, 0, strlen($from_prefix)) == $from_prefix) {
+ $newtablename = $to_prefix . substr($current, strlen($from_prefix));
+ } else {
+ $newtablename = $current;
+ }
$a_query = 'ALTER TABLE ' . PMA_backquote($selected[$i]) . ' RENAME ' . PMA_backquote($newtablename) ; // CHANGE PREFIX PATTERN
$run_parts = true;
break;
case 'copy_tbl_change_prefix':
$current = $selected[$i];
- $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
+ if (substr($current, 0, strlen($from_prefix)) == $from_prefix) {
+ $newtablename = $to_prefix . substr($current, strlen($from_prefix));
+ } else {
+ $newtablename = $current;
+ }
+ $newtablename = $to_prefix . substr($current, strlen($from_prefix));
$a_query = 'CREATE TABLE ' . PMA_backquote($newtablename) . ' SELECT * FROM ' . PMA_backquote($selected[$i]) ; // COPY TABLE AND CHANGE PREFIX PATTERN
$run_parts = true;
break;

0 comments on commit dedd542

Please sign in to comment.