From fef7c325357b2fbaccba7f2fd9bc4ed979ba6156 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Mon, 21 Mar 2011 16:12:37 +1300
Subject: [PATCH] BUGFIX Fixed SQL injection in Folder::findOrMake() parameter. Exploitable through Upload::, although unlikely to be set via user input.
---
filesystem/Folder.php | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/filesystem/Folder.php b/filesystem/Folder.php
index 9f4b328c722..04695586e3a 100755
--- a/filesystem/Folder.php
+++ b/filesystem/Folder.php
@@ -42,7 +42,14 @@ static function findOrMake($folderPath) {
 $item = null;
 foreach($parts as $part) {
 if(!$part) continue; // happens for paths with a trailing slash
-$item = DataObject::get_one("Folder", "\"Name\" = '$part' AND \"ParentID\" = $parentID");
+$item = DataObject::get_one(
+"Folder",
+sprintf(
+"\"Name\" = '%s' AND \"ParentID\" = %d",
+Convert::raw2sql($part),
+(int)$parentID
+)
+);
 if(!$item) {
 $item = new Folder();
 $item->ParentID = $parentID;
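Review bot: The added `sprintf` lines escape `$part` for the SQL comparison and cast `$parentID` to an integer, but the segment is still only escaped, never validated, so a segment such as `..` passes the lookup unchanged and, if no row matches, is used as the `Name` of the `new Folder()` created on the following lines; whether that name later reaches a filesystem `mkdir` cannot be seen here, since `findOrMake` continues outside the hunk. Since the segments presumably come from splitting `$folderPath` on `/` (also outside the hunk), a single guard next to the existing empty-segment check, `if(!$part || $part === '.' || $part === '..') continue;`, would close that gap independently of the SQL escaping. A short comment on the `Convert::raw2sql($part)` line, e.g. `// $part may originate from user-supplied paths (Upload); escape for the SQL string literal`, would also record why the escaping is required here.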