From 9a672c035f9bfb10aca00be32e1125973e624a58 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Roland=20H=C3=A4der?=
Date: Wed, 24 Oct 2012 23:03:27 +0000
Subject: [PATCH] Fixes: - The character ' is not wanted in URLs generally, so secure it - Don't do compileUriCode() in whole SQL statement
---
 inc/db/lib-mysql3.php | 6 +++---
 inc/libs/security_functions.php | 7 ++++---
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/inc/db/lib-mysql3.php b/inc/db/lib-mysql3.php
index 4d7910d0b9..0f065e1189 100644
--- a/inc/db/lib-mysql3.php
+++ b/inc/db/lib-mysql3.php
@@ -587,13 +587,13 @@ function SQL_PREPARE_SQL_STRING ($sqlString, $enableCodes = TRUE) {
 // Is it already cached?
 if (!isset($GLOBALS['sql_strings']['' . $sqlString . ''])) {
- // Compile URI codes+config+expression code
- $sqlString2 = FILTER_COMPILE_EXPRESSION_CODE(FILTER_COMPILE_CONFIG(compileUriCode($sqlString)));
+ // Preserve escaping and compile URI codes+config+expression code
+ $sqlString2 = FILTER_COMPILE_EXPRESSION_CODE(FILTER_COMPILE_CONFIG($sqlString));
 // Debug message
 //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'sqlString2=' . $sqlString2);
- // Do final compilation
+ // Do final compilation and revert {ESCAPE}
 $GLOBALS['sql_strings']['' . $sqlString . ''] = doFinalCompilation($sqlString2, FALSE, $enableCodes);
 } else {
 // Log message
diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php
index 67aea96219..e73036ca9b 100644
--- a/inc/libs/security_functions.php
+++ b/inc/libs/security_functions.php
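Review bot: In SQL_PREPARE_SQL_STRING (inc/db/lib-mysql3.php) the new comment above the `$sqlString2 =` line still says URI codes are compiled, although removing `compileUriCode()` from that line is the point of the change, so a later reader could reasonably put the call back. I would word it as `// Compile config+expression code only; URI codes are left encoded to preserve escaping`. The second new comment says the final step will "revert {ESCAPE}", but `doFinalCompilation()` is not visible here and it still receives the whole statement: if it decodes the security_chars tokens when `$enableCodes` is TRUE, the decoding has only moved one call later, which should be confirmed before relying on this fix. The function's body starts and ends outside the hunk.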
@@ -181,7 +181,7 @@ if (!isset($_POST)) {
 // Generate arrays which holds the relevante chars to replace
 $GLOBALS['security_chars'] = array(
 // The chars we are looking for...
- 'from' => array('/', '.', chr(39), '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--', chr(92)),
+ 'from' => array('/', '.', chr(39), '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--', chr(92), chr(39)),
 // ... and we will replace to.
 'to' => array(
 '{SLASH}',
@@ -200,12 +200,13 @@ $GLOBALS['security_chars'] = array(
 '{CLOSE_INDEX}',
 '{DBL_DOT}',
 '{COMMENT}',
- '{BACKSLASH}'
+ '{BACKSLASH}',
+ '{SQUOTE}'
 ),
 );
 /*
- * Characters allowed in URLs
+ * Characters allowed in booked URLs
 *
 * Note: Do not replace 'to' with 'from' and vise-versa! When you do this all booked URLs will be
 * rejected because of the {SLASH}, {DOT} and all below listed items inside the URL.
-- 2.39.5
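Review bot: `chr(39)` is already the third entry of 'from', so the `chr(39)` appended in the first security_functions.php hunk is a duplicate, and the '{SQUOTE}' token appended to 'to' in the second hunk is paired with a character an earlier entry has already claimed. If the two lists are applied in order (for example through `str_replace()`, which is not visible here), every single quote is rewritten by the earlier pair and '{SQUOTE}' is never produced, while on the way back two different tokens decode to the same quote. Since the earlier pair already covers the character the commit message names, I would drop both additions, or replace the old pair rather than append a second one. Because the lists are matched by position, a guard such as `assert(count($GLOBALS['security_chars']['from']) === count($GLOBALS['security_chars']['to']));` right after the array would catch a future mismatch; the entries between the two hunks are not visible, so the alignment cannot be checked from here.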