BUGFIX Fixed SQL injection in Folder::findOrMake() parameter. Exploitable through Upload::, although unlikely to be set via user input.
commit fef7c325357b2fbaccba7f2fd9bc4ed979ba6156 1 parent 551bc5d
@chillu chillu authored
Showing with 8 additions and 1 deletion.
  1. +8 −1 filesystem/Folder.php
9 filesystem/Folder.php
@@ -42,7 +42,14 @@ static function findOrMake($folderPath) {
$item = null;
foreach($parts as $part) {
if(!$part) continue; // happens for paths with a trailing slash
- $item = DataObject::get_one("Folder", "\"Name\" = '$part' AND \"ParentID\" = $parentID");
+ $item = DataObject::get_one(
+ "Folder",
+ sprintf(
+ "\"Name\" = '%s' AND \"ParentID\" = %d",
+ Convert::raw2sql($part),
+ (int)$parentID
+ )
+ );
if(!$item) {
$item = new Folder();
$item->ParentID = $parentID;
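Review bot: the escaping in the replacement query is correct for both values (`Convert::raw2sql($part)` inside the single-quoted `'%s'`, and `%d` for the id), but it is applied at this one call site only, and nothing in the hunk pins the behaviour down; since `$part` comes from splitting `$folderPath` and the loop runs once per segment, a unit test that calls `findOrMake()` with a segment containing a single quote would guard this fix against a later rewrite of the query string. The `(int)$parentID` cast is redundant with `%d` (sprintf already coerces) but harmless; keeping one of the two is enough.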