Prevent null-byte injection in preg_replace()

libraries/Tracker.class.php

@@ -877,6 +877,9 @@ static public function handleQuery($query)
         if (empty($dbname)) {
             return;
         }
+        // Remove null bytes (preg_replace() is vulnerable in some
+        // PHP versions)
+        $dbname = str_replace("\0", "", $dbname);
 
         // If we found a valid statement
         if (isset($result['identifier'])) {