From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/lib/Roundcube/rcube_db.php | 115 +++++++++++++++++++++++++++++++++++++++++++++++----------
 1 files changed, 94 insertions(+), 21 deletions(-)

diff --git a/program/lib/Roundcube/rcube_db.php b/program/lib/Roundcube/rcube_db.php
index 72cad01..ba3acf6 100644
--- a/program/lib/Roundcube/rcube_db.php
+++ b/program/lib/Roundcube/rcube_db.php
@@ -70,6 +70,7 @@
  'dblib' => 'mssql',
  'mysqli' => 'mysql',
  'oci' => 'oracle',
+ 'oci8' => 'oracle',
  );
 
  $driver = isset($driver_map[$driver]) ? $driver_map[$driver] : $driver;
@@ -147,10 +148,6 @@
  // Get database specific connection options
  $dsn_string = $this->dsn_string($dsn);
  $dsn_options = $this->dsn_options($dsn);
-
- if ($this->db_pconn) {
- $dsn_options[PDO::ATTR_PERSISTENT] = true;
- }
 
  // Connect
  try {
@@ -356,7 +353,7 @@
  public function get_variable($varname, $default = null)
  {
  // to be implemented by driver class
- return $default;
+ return rcube::get_instance()->config->get('db_' . $varname, $default);
  }
 
  /**
@@ -447,9 +444,14 @@
  }
  }
 
- // replace escaped '?' back to normal, see self::quote()
- $query = str_replace('??', '?', $query);
  $query = rtrim($query, " \t\n\r\0\x0B;");
+
+ // replace escaped '?' and quotes back to normal, see self::quote()
+ $query = str_replace(
+ array('??', self::DEFAULT_QUOTE.self::DEFAULT_QUOTE),
+ array('?', self::DEFAULT_QUOTE),
+ $query
+ );
 
  // log query
  $this->debug($query);
@@ -515,9 +517,6 @@
  }
  }
 
- // replace escaped quote back to normal, see self::quote()
- $query = str_replace($quote.$quote, $quote, $query);
-
-
  return $query;
  }
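Review bot: The `// to be implemented by driver class` comment in get_variable() is stale now that the base implementation does real work: it resolves the value from the `db_<varname>` configuration option instead of returning `$default` unconditionally. Suggest replacing it with `// fallback: read the value from the db_<varname> config option; drivers able to query the server should override this` and stating the same in the method's docblock, which starts outside this hunk. Note also that the base class now reaches into the `rcube::get_instance()` singleton, so a driver that overrides this method and falls back to `parent::get_variable()` will get a config-derived value rather than server state.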
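Review bot: Moving the `??` and doubled-`DEFAULT_QUOTE` unescape from the end of query_parse() into _query() changes what query_parse() returns: it now hands back the still-escaped form, and the last hunk removes the unescape without documenting that. Any other caller of query_parse(), or a driver that overrides _query(), would now receive `??` and doubled-quote sequences verbatim; I cannot see such callers from here, so please verify. I would add above the new str_replace() `// query_parse() leaves quote()'s escaping in place; this is the single point where it is undone, after all substitution` and a matching line in query_parse()'s docblock. Both enclosing functions start outside these hunks.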
@@ -555,7 +554,9 @@
  public function affected_rows($result = null)
  {
  if ($result || ($result === null && ($result = $this->last_result))) {
- return $result->rowCount();
+ if ($result !== true) {
+ return $result->rowCount();
+ }
  }
 
  return 0;
@@ -571,7 +572,7 @@
  */
  public function num_rows($result = null)
  {
- if ($result || ($result === null && ($result = $this->last_result))) {
+ if (($result || ($result === null && ($result = $this->last_result))) && $result !== true) {
  // repeat query with SELECT COUNT(*) ...
  if (preg_match('/^SELECT\s+(?:ALL\s+|DISTINCT\s+)?(?:.*?)\s+FROM\s+(.*)$/ims', $result->queryString, $m)) {
  $query = $this->dbh->query('SELECT COUNT(*) FROM ' . $m[1], PDO::FETCH_NUM);
@@ -647,7 +648,9 @@
  protected function _fetch_row($result, $mode)
  {
  if ($result || ($result === null && ($result = $this->last_result))) {
- return $result->fetch($mode);
+ if ($result !== true) {
+ return $result->fetch($mode);
+ }
  }
 
  return false;
@@ -684,14 +687,11 @@
  {
  // get tables if not cached
  if ($this->tables === null) {
- $q = $this->query('SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES ORDER BY TABLE_NAME');
+ $q = $this->query("SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES"
+ . " WHERE TABLE_TYPE = 'BASE TABLE'"
+ . " ORDER BY TABLE_NAME");
 
- if ($q) {
- $this->tables = $q->fetchAll(PDO::FETCH_COLUMN, 0);
- }
- else {
- $this->tables = array();
- }
+ $this->tables = $q ? $q->fetchAll(PDO::FETCH_COLUMN, 0) : array();
  }
 
  return $this->tables;
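Review bot: The new `$result !== true` guards in affected_rows(), num_rows() and _fetch_row() leave no trace of why a result can be boolean `true`; the reason is that the transaction methods added later in this patch store the return value of `$this->dbh->beginTransaction()`, `commit()` and `rollBack()` in `$this->last_result`. Suggest a comment on each guard such as `// last_result is a bool after startTransaction()/endTransaction()/rollbackTransaction(), not a PDOStatement`. The same condition is now repeated in three methods with slightly different shapes; a small private helper that returns the statement or null would keep them in sync.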
@@ -714,6 +714,63 @@
  }
 
  return array();
+ }
+
+ /**
+ * Start transaction
+ *
+ * @return bool True on success, False on failure
+ */
+ public function startTransaction()
+ {
+ $this->db_connect('w', true);
+
+ // check connection before proceeding
+ if (!$this->is_connected()) {
+ return $this->last_result = false;
+ }
+
+ $this->debug('BEGIN TRANSACTION');
+
+ return $this->last_result = $this->dbh->beginTransaction();
+ }
+
+ /**
+ * Commit transaction
+ *
+ * @return bool True on success, False on failure
+ */
+ public function endTransaction()
+ {
+ $this->db_connect('w', true);
+
+ // check connection before proceeding
+ if (!$this->is_connected()) {
+ return $this->last_result = false;
+ }
+
+ $this->debug('COMMIT TRANSACTION');
+
+ return $this->last_result = $this->dbh->commit();
+ }
+
+ /**
+ * Rollback transaction
+ *
+ * @return bool True on success, False on failure
+ */
+ public function rollbackTransaction()
+ {
+ $this->db_connect('w', true);
+
+ // check connection before proceeding
+ if (!$this->is_connected()) {
+ return $this->last_result = false;
+ }
+
+ $this->debug('ROLLBACK TRANSACTION');
+
+ return $this->last_result = $this->dbh->rollBack();
  }
 
  /**
@@ -1001,6 +1058,10 @@
  */
  public function table_name($table, $quoted = false)
  {
+ // let plugins alter the table name (#1489837)
+ $plugin = rcube::get_instance()->plugins->exec_hook('db_table_name', array('table' => $table));
+ $table = $plugin['table'];
+
  // add prefix to the table name if configured
  if (($prefix = $this->options['table_prefix']) && strpos($table, $prefix) !== 0) {
  $table = $prefix . $table;
@@ -1122,7 +1183,7 @@
  }
 
  // process the different protocol options
- $parsed['protocol'] = (!empty($proto)) ? $proto : 'tcp';
+ $parsed['protocol'] = $proto ?: 'tcp';
  $proto_opts = rawurldecode($proto_opts);
  if (strpos($proto_opts, ':') !== false) {
  list($proto_opts, $parsed['port']) = explode(':', $proto_opts);
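Review bot: startTransaction(), endTransaction() and rollbackTransaction() document `False on failure`, but PDO's beginTransaction(), commit() and rollBack() throw PDOException when they fail (a nested begin, or a commit/rollback with no active transaction, for example), so the `false` return only ever covers the is_connected() check and an exception escapes the caller unhandled, unlike the connect path earlier in this patch which wraps PDO in `try {`. Consider wrapping each call, `try { return $this->last_result = $this->dbh->beginTransaction(); } catch (PDOException $e) { return $this->last_result = false; }`, and reporting the error the way the rest of the class does. Separately, this class still supports persistent connections (db_pconn, moved into dsn_options() in the last hunk): a request that aborts between startTransaction() and endTransaction() may leave the pooled connection inside an open transaction for the next request, so please verify how the drivers handle that and document the caveat on startTransaction().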
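Review bot: `$table = $plugin['table'];` trusts the hook result unconditionally: a plugin handler that unsets or empties `table` turns `$table` into null, which then flows into the prefix check and, when `$quoted` is set, into an SQL identifier built by the rest of table_name() outside this hunk. I would keep the original name unless the plugin supplied a non-empty string: `if (!empty($plugin['table'])) { $table = $plugin['table']; }`. The `db_table_name` hook, its `table` argument and the fact that the plugin-supplied value is what gets prefixed and quoted should also be documented in the method's docblock, which starts outside the hunk.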
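Review bot: `$proto ?: 'tcp'` is not a drop-in replacement for `!empty($proto) ? $proto : 'tcp'` when `$proto` may be undefined: empty() tolerates an unset variable, while the short ternary raises an undefined-variable notice. Whether `$proto` is always assigned before this line depends on the DSN-parsing code above the hunk, which I cannot see; if it is not, keep `!empty($proto) ? $proto : 'tcp'` or initialise `$proto` before the branch that may leave it unset.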
@@ -1206,6 +1267,18 @@
  {
  $result = array();
 
+ if ($this->db_pconn) {
+ $result[PDO::ATTR_PERSISTENT] = true;
+ }
+
+ if (!empty($dsn['prefetch'])) {
+ $result[PDO::ATTR_PREFETCH] = (int) $dsn['prefetch'];
+ }
+
+ if (!empty($dsn['timeout'])) {
+ $result[PDO::ATTR_TIMEOUT] = (int) $dsn['timeout'];
+ }
+
  return $result;
  }
 
--
Gitblit v1.9.1
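Review bot: PDO::ATTR_PERSISTENT is now set only inside dsn_options(), whereas before it was applied unconditionally in db_connect(); any driver subclass that overrides dsn_options() without merging `parent::dsn_options($dsn)` will silently lose `db_pconn`. I cannot see the driver classes from here, so please check them. The new `prefetch` and `timeout` DSN keys are also undocumented, and not every PDO driver accepts PDO::ATTR_PREFETCH or PDO::ATTR_TIMEOUT as constructor options (depending on the driver an unsupported attribute can raise a PDOException at connect time); the method's docblock, which is outside this hunk, should list both keys, e.g. `@param array $dsn DSN parameters; optional 'prefetch' and 'timeout' map to PDO::ATTR_PREFETCH / PDO::ATTR_TIMEOUT (driver support varies)`.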