authoralec <alec@208e9e7b-5314-0410-a742-e7e81cd9613c>2010-10-07 07:07:14 +0000
committeralec <alec@208e9e7b-5314-0410-a742-e7e81cd9613c>2010-10-07 07:07:14 +0000
commitaa1cc39566e4737963083587ac0b262a1a08c11c (patch)
tree88d454dbfba46cff29c80dc1ea97e1f9cace2dc4 /plugins/password/drivers/sql.php
parent5136a73296c05235f9b6dbb1b2f30f8be4a73b74 (diff)
- Fixed SQL Injection in SQL driver when using %p or %o variables in query (#1487034)
git-svn-id: https://svn.roundcube.net/trunk@4058 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'plugins/password/drivers/sql.php')
-rw-r--r--plugins/password/drivers/sql.php19
1 files changed, 16 insertions, 3 deletions
diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php
index 8677f231c..31686c76f 100644
--- a/plugins/password/drivers/sql.php
+++ b/plugins/password/drivers/sql.php
@@ -105,15 +105,28 @@ function password_save($curpass, $passwd)
$sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql);
}
+ // Handle clear text passwords securely (#1487034)
+ $sql_vars = array();
+ if (preg_match_all('/%[p|o]/', $sql, $m)) {
+ foreach ($m[0] as $var) {
+ if ($var == '%p') {
+ $sql = preg_replace('/%p/', '?', $sql, 1);
+ $sql_vars[] = (string) $passwd;
+ }
+ else { // %o
+ $sql = preg_replace('/%o/', '?', $sql, 1);
+ $sql_vars[] = (string) $curpass;
+ }
+ }
+ }
+
// at least we should always have the local part
$sql = str_replace('%l', $db->quote($rcmail->user->get_username('local'), 'text'), $sql);
$sql = str_replace('%d', $db->quote($rcmail->user->get_username('domain'), 'text'), $sql);
$sql = str_replace('%u', $db->quote($_SESSION['username'],'text'), $sql);
$sql = str_replace('%h', $db->quote($_SESSION['imap_host'],'text'), $sql);
- $sql = str_replace('%p', $db->quote($passwd,'text'), $sql);
- $sql = str_replace('%o', $db->quote($curpass,'text'), $sql);
- $res = $db->query($sql);
+ $res = $db->query($sql, $sql_vars);
if (!$db->is_error()) {
if (strtolower(substr(trim($query),0,6))=='select') {