From aa1cc39566e4737963083587ac0b262a1a08c11c Mon Sep 17 00:00:00 2001
From: alec
Date: Thu, 7 Oct 2010 07:07:14 +0000
Subject: - Fixed SQL Injection in SQL driver when using %p or %o variables in query (#1487034)

git-svn-id: https://svn.roundcube.net/trunk@4058 208e9e7b-5314-0410-a742-e7e81cd9613c
---
 plugins/password/drivers/sql.php | 19 ++++++++++++++++---
 plugins/password/package.xml | 20 +++++++++++++++++---
 2 files changed, 33 insertions(+), 6 deletions(-)
(limited to 'plugins')
diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php
index 8677f231c..31686c76f 100644
--- a/plugins/password/drivers/sql.php
+++ b/plugins/password/drivers/sql.php
@@ -105,15 +105,28 @@ function password_save($curpass, $passwd)
         $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql);
     }
 
+    // Handle clear text passwords securely (#1487034)
+    $sql_vars = array();
+    if (preg_match_all('/%[p|o]/', $sql, $m)) {
+        foreach ($m[0] as $var) {
+            if ($var == '%p') {
+                $sql = preg_replace('/%p/', '?', $sql, 1);
+                $sql_vars[] = (string) $passwd;
+            }
+            else { // %o
+                $sql = preg_replace('/%o/', '?', $sql, 1);
+                $sql_vars[] = (string) $curpass;
+            }
+        }
+    }
+
     // at least we should always have the local part
     $sql = str_replace('%l', $db->quote($rcmail->user->get_username('local'), 'text'), $sql);
     $sql = str_replace('%d', $db->quote($rcmail->user->get_username('domain'), 'text'), $sql);
     $sql = str_replace('%u', $db->quote($_SESSION['username'],'text'), $sql);
     $sql = str_replace('%h', $db->quote($_SESSION['imap_host'],'text'), $sql);
-    $sql = str_replace('%p', $db->quote($passwd,'text'), $sql);
-    $sql = str_replace('%o', $db->quote($curpass,'text'), $sql);
 
-    $res = $db->query($sql);
+    $res = $db->query($sql, $sql_vars);
 
     if (!$db->is_error()) {
         if (strtolower(substr(trim($query),0,6))=='select') {
diff --git a/plugins/password/package.xml b/plugins/password/package.xml
index 1b754d9d3..38aa9c12a 100644
--- a/plugins/password/package.xml
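Review bot: The character class in `preg_match_all('/%[p|o]/', $sql, $m)` also matches a literal `%|`, and since such a match takes the `else` branch it appends `$curpass` to `$sql_vars` while `preg_replace('/%o/', '?', $sql, 1)` replaces nothing, so the number of `?` placeholders and bound values can diverge; the class should read `/%[po]/`. Walking `$m[0]` left to right and replacing only the first remaining occurrence each time does keep the `?` positions aligned with `$sql_vars` for repeated or mixed `%p`/`%o` tokens. The `?` markers are inserted before `%l`, `%d`, `%u` and `%h` are substituted via `$db->quote()`, so the fix presumably relies on the query layer not treating a `?` inside a quoted literal as a placeholder — worth recording with a comment such as `// '?' placeholders are bound by $db->query(); remaining %-vars are still quoted into the string` above the loop. `password_save()` begins before this hunk and continues past it.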
+++ b/plugins/password/package.xml
@@ -15,10 +15,10 @@
 alec@alec.pl yes
- 2010-09-30
+ 2010-10-07
- 1.9
+ 2.0
 1.6
@@ -27,7 +27,7 @@
 GNU GPLv2
-- Added password_ldap_lchattr option (#1486927)
+- Fixed SQL Injection in SQL driver when using %p or %o variables in query (#1487034)
@@ -186,5 +186,19 @@
 - Added extended error messages in Poppassd driver (#1486704)
+
+
+ 1.9
+ 1.6
+
+
+ stable
+ stable
+
+ GNU GPLv2
+
+- Added password_ldap_lchattr option (#1486927)
+
+
-- cgit v1.2.3