From aa1cc39566e4737963083587ac0b262a1a08c11c Mon Sep 17 00:00:00 2001
From: alec
Date: Thu, 7 Oct 2010 07:07:14 +0000
Subject: - Fixed SQL Injection in SQL driver when using %p or %o variables in query (#1487034)
git-svn-id: https://svn.roundcube.net/trunk@4058 208e9e7b-5314-0410-a742-e7e81cd9613c
---
 plugins/password/drivers/sql.php | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
(limited to 'plugins/password/drivers/sql.php')
diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php
index 8677f231c..31686c76f 100644
--- a/plugins/password/drivers/sql.php
+++ b/plugins/password/drivers/sql.php
@@ -105,15 +105,28 @@ function password_save($curpass, $passwd)
         $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql);
     }
 
+    // Handle clear text passwords securely (#1487034)
+    $sql_vars = array();
+    if (preg_match_all('/%[p|o]/', $sql, $m)) {
+        foreach ($m[0] as $var) {
+            if ($var == '%p') {
+                $sql = preg_replace('/%p/', '?', $sql, 1);
+                $sql_vars[] = (string) $passwd;
+            }
+            else { // %o
+                $sql = preg_replace('/%o/', '?', $sql, 1);
+                $sql_vars[] = (string) $curpass;
+            }
+        }
+    }
+
     // at least we should always have the local part
     $sql = str_replace('%l', $db->quote($rcmail->user->get_username('local'), 'text'), $sql);
     $sql = str_replace('%d', $db->quote($rcmail->user->get_username('domain'), 'text'), $sql);
     $sql = str_replace('%u', $db->quote($_SESSION['username'],'text'), $sql);
     $sql = str_replace('%h', $db->quote($_SESSION['imap_host'],'text'), $sql);
-    $sql = str_replace('%p', $db->quote($passwd,'text'), $sql);
-    $sql = str_replace('%o', $db->quote($curpass,'text'), $sql);
 
-    $res = $db->query($sql);
+    $res = $db->query($sql, $sql_vars);
 
     if (!$db->is_error()) {
         if (strtolower(substr(trim($query),0,6))=='select') {
-- 
cgit v1.2.3
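Review bot: The character class in `preg_match_all('/%[p|o]/', $sql, $m)` also matches a literal `%|`, because `|` is an ordinary character inside brackets rather than an alternation; such a token falls into the `else` branch, where `preg_replace('/%o/', '?', $sql, 1)` may replace nothing while `$curpass` is still appended to `$sql_vars`, leaving the `?` placeholder count and the parameter count out of step. The class should be `if (preg_match_all('/%[po]/', $sql, $m)) {`, and the `else` is safer as an explicit `elseif ($var == '%o') {` so an unexpected match cannot push a value. Note also that `%l`, `%d`, `%u` and `%h` are still spliced into the SQL text as quoted literals after the `?` placeholders have been inserted; whether a `?` inside one of those values (the session username, for instance) is ignored by the placeholder parsing in `$db->query()` depends on the driver, which is not visible here and is worth confirming. password_save() begins before this hunk and continues after it.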