From 1f400c49b173e126d674b9917456239620976742 Mon Sep 17 00:00:00 2001
From: tbrehm <t.brehm@ispconfig.org>
Date: Fri, 11 May 2012 06:03:21 -0400
Subject: [PATCH] Fixed: FS#2221 - SQL Injection Vulnerability

---
 interface/lib/classes/listform.inc.php |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/interface/lib/classes/listform.inc.php b/interface/lib/classes/listform.inc.php
index ee91b88..a450df6 100644
--- a/interface/lib/classes/listform.inc.php
+++ b/interface/lib/classes/listform.inc.php
@@ -126,7 +126,7 @@
 
     public function getSearchSQL($sql_where = '') 
     {
-        global $db;
+        global $app, $db;
 
         //* Get config variable
         $list_name = $this->listDef['name'];
@@ -151,9 +151,11 @@
                 }
 
                 //* Store field in session
-                if(isset($_REQUEST[$search_prefix.$field])){
+                if(isset($_REQUEST[$search_prefix.$field]) && !stristr($_REQUEST[$search_prefix.$field],"'")){
                     $_SESSION['search'][$list_name][$search_prefix.$field] = $_REQUEST[$search_prefix.$field];
-                }
+					if(preg_match("/['\\\\]/", $_SESSION['search'][$list_name][$search_prefix.$field])) 
+					$_SESSION['search'][$list_name][$search_prefix.$field] = '';
+				}
 
                 if(isset($i['formtype']) && $i['formtype'] == 'SELECT'){
                     if(is_array($i['value'])) {
@@ -181,7 +183,7 @@
                 $field = $i['field'];
                 // if($_REQUEST[$search_prefix.$field] != '') $sql_where .= " $field ".$i["op"]." '".$i["prefix"].$_REQUEST[$search_prefix.$field].$i["suffix"]."' and";
 		        if(isset($_SESSION['search'][$list_name][$search_prefix.$field]) && $_SESSION['search'][$list_name][$search_prefix.$field] != ''){
-                    $sql_where .= " $field ".$i['op']." '".$i['prefix'].$_SESSION['search'][$list_name][$search_prefix.$field].$i['suffix']."' and";
+                    $sql_where .= " $field ".$i['op']." '".$app->db->quote($i['prefix'].$_SESSION['search'][$list_name][$search_prefix.$field].$i['suffix'])."' and";
                 }
             }
         }
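Review bot: The added `$app->db->quote()` call only closes the injection if that method is a pure escaper (mysql_real_escape_string style) rather than a PDO::quote-style helper that also adds the surrounding quotes, because this line still wraps the result in its own `'...'`; the db class is not visible here, so that contract should be confirmed and stated in a comment, e.g. `// db->quote() escapes but does not add quotes; the literal quotes around it are intentional`. Note also that `$field` and `$i['op']` are interpolated unescaped and are safe only because they come from `$this->listDef` rather than the request, which is worth saying on the line as `// $field/op/prefix/suffix come from the static list definition; only the session value is user input`. The commented-out pre-fix version on the line above is now dead code and should be deleted so nobody resurrects the unescaped form. getSearchSQL's body continues past the end of this hunk.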

--
Gitblit v1.9.1