Merge #16004 - Fix #15898 - escape tbl_storage_engine argument

Pull-request: #16004 Fixes: #15898 Security: ca42395 Ref: #16004 Ref: #15898 For now I do not have a CVE code for this one. Signed-off-by: William Desportes <williamdes@wdes.fr>
phpmyadmin · Mar 19, 2020 · e1f5dfc · e1f5dfc
2 parents abcf875 + f6af795
commit e1f5dfc
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 2 deletions.
diff --git a/libraries/classes/CreateAddField.php b/libraries/classes/CreateAddField.php
@@ -467,7 +467,7 @@ public function getTableCreationQuery(string $db, string $table): string
         if (! empty($_POST['tbl_storage_engine'])
             && ($_POST['tbl_storage_engine'] != 'Default')
         ) {
-            $sqlQuery .= ' ENGINE = ' . $_POST['tbl_storage_engine'];
+            $sqlQuery .= ' ENGINE = ' . $this->dbi->escapeString($_POST['tbl_storage_engine']);
         }
         if (! empty($_POST['tbl_collation'])) {
             $sqlQuery .= Util::getCharsetQueryPart($_POST['tbl_collation']);

diff --git a/test/classes/CreateAddFieldTest.php b/test/classes/CreateAddFieldTest.php
@@ -114,6 +114,23 @@ public function providerGetTableCreationQuery()
                     'spatial_indexes' => '{}',
                 ],
             ],
+            [
+                'CREATE TABLE `db`.`table` () ENGINE = Inno\\\'DB CHARSET=armscii8 COMMENT = \'my \\\'table\';',
+                'db',
+                'table',
+                [
+                    'field_name' => [],
+                    'primary_indexes' => '{}',
+                    'indexes' => '{}',
+                    'unique_indexes' => '{}',
+                    'fulltext_indexes' => '{}',
+                    'spatial_indexes' => '{}',
+                    'tbl_storage_engine' => 'Inno\'DB',
+                    'tbl_collation' => 'armscii8',
+                    'connection' => 'aaaa',
+                    'comment' => 'my \'table',
+                ],
+            ],
         ];
     }
 

diff --git a/test/classes/Dbi/DbiDummyTest.php b/test/classes/Dbi/DbiDummyTest.php
@@ -147,5 +147,9 @@ public function testEscapeString(): void
             'a',
             $GLOBALS['dbi']->escapeString('a')
         );
+        $this->assertEquals(
+            'a\\\'',
+            $GLOBALS['dbi']->escapeString('a\'')
+        );
     }
 }
diff --git a/test/classes/Stubs/DbiDummy.php b/test/classes/Stubs/DbiDummy.php
@@ -434,7 +434,7 @@ public function fieldFlags($result, $i)
      */
     public function escapeString($link, $str)
     {
-        return $str;
+        return addslashes($str);
     }
 
     /**