| author | alec <alec@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2010-10-07 07:07:14 +0000 |
|---|---|---|
| committer | alec <alec@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2010-10-07 07:07:14 +0000 |
| commit | aa1cc39566e4737963083587ac0b262a1a08c11c (patch) | |
| tree | 88d454dbfba46cff29c80dc1ea97e1f9cace2dc4 /plugins/password | |
| parent | 5136a73296c05235f9b6dbb1b2f30f8be4a73b74 (diff) | |
- Fixed SQL Injection in SQL driver when using %p or %o variables in query (#1487034)
git-svn-id: https://svn.roundcube.net/trunk@4058 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'plugins/password')
| -rw-r--r-- | plugins/password/drivers/sql.php | 19 | ||||
| -rw-r--r-- | plugins/password/package.xml | 20 |
2 files changed, 33 insertions, 6 deletions
diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php
index 8677f231c..31686c76f 100644
--- a/plugins/password/drivers/sql.php
+++ b/plugins/password/drivers/sql.php
@@ -105,15 +105,28 @@ function password_save($curpass, $passwd)
 $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql);
 }
+ // Handle clear text passwords securely (#1487034)
+ $sql_vars = array();
+ if (preg_match_all('/%[p|o]/', $sql, $m)) {
+ foreach ($m[0] as $var) {
+ if ($var == '%p') {
+ $sql = preg_replace('/%p/', '?', $sql, 1);
+ $sql_vars[] = (string) $passwd;
+ }
+ else { // %o
+ $sql = preg_replace('/%o/', '?', $sql, 1);
+ $sql_vars[] = (string) $curpass;
+ }
+ }
+ }
+
+ // at least we should always have the local part
 $sql = str_replace('%l', $db->quote($rcmail->user->get_username('local'), 'text'), $sql);
 $sql = str_replace('%d', $db->quote($rcmail->user->get_username('domain'), 'text'), $sql);
 $sql = str_replace('%u', $db->quote($_SESSION['username'],'text'), $sql);
 $sql = str_replace('%h', $db->quote($_SESSION['imap_host'],'text'), $sql);
- $sql = str_replace('%p', $db->quote($passwd,'text'), $sql);
- $sql = str_replace('%o', $db->quote($curpass,'text'), $sql);
- $res = $db->query($sql);
+ $res = $db->query($sql, $sql_vars);
 if (!$db->is_error()) {
 if (strtolower(substr(trim($query),0,6))=='select') {
diff --git a/plugins/password/package.xml b/plugins/password/package.xml
index 1b754d9d3..38aa9c12a 100644
--- a/plugins/password/package.xml
+++ b/plugins/password/package.xml
@@ -15,10 +15,10 @@
 <email>alec@alec.pl</email>
 <active>yes</active>
 </lead>
- <date>2010-09-30</date>
+ <date>2010-10-07</date>
 <time>09:00:00</time>
 <version>
- <release>1.9</release>
+ <release>2.0</release>
 <api>1.6</api>
 </version>
 <stability>
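Review bot: The placeholder scan in the added block uses the character class `%[p|o]`, which also matches a literal `%|` in the configured query; such a match falls into the `else` branch, where `preg_replace('/%o/', '?', $sql, 1)` changes nothing but `$sql_vars[]` still receives `$curpass`, so bound values and `?` placeholders go out of step. Change the pattern to `/%[po]/` and tighten the branch test to `if ($var === '%p') {`. Positional binding also assumes `$sql` contains no other `?` once `%q` has been interpolated just above, and `%l`/`%d`/`%u`/`%h` are still spliced in via `$db->quote` after the placeholders are inserted; if any of those quoted values or the query text itself contains a `?`, the parameter positions shift, so either note that assumption in the comment or bind those variables the same way. `password_save` starts before the hunk (it is named in the hunk header) and continues past it.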
@@ -27,7 +27,7 @@
 </stability>
 <license uri="http://www.gnu.org/licenses/gpl-2.0.html">GNU GPLv2</license>
 <notes>
-- Added password_ldap_lchattr option (#1486927)
+- Fixed SQL Injection in SQL driver when using %p or %o variables in query (#1487034)
 </notes>
 <contents>
 <dir baseinstalldir="/" name="/">
@@ -186,5 +186,19 @@
 - Added extended error messages in Poppassd driver (#1486704)
 </notes>
 </release>
+ <release>
+ <version>
+ <release>1.9</release>
+ <api>1.6</api>
+ </version>
+ <stability>
+ <release>stable</release>
+ <api>stable</api>
+ </stability>
+ <license uri="http://www.gnu.org/licenses/gpl-2.0.html">GNU GPLv2</license>
+ <notes>
+- Added password_ldap_lchattr option (#1486927)
+ </notes>
+ </release>
 </changelog>
 </package> |
