Issue #1201452 by Heine, mgifford: Potential Vulnerability In DatabaseConnection_mysql

ca38ade6 · alexpott · 616b2ac4 · ca38ade6
Commit ca38ade6 authored Nov 21, 2014 by alexpott
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

core/lib/Drupal/Core/Database/Driver/mysql/Connection.php core/lib/Drupal/Core/Database/Driver/mysql/Connection.php +4 -0

No files found.
--- a/core/lib/Drupal/Core/Database/Driver/mysql/Connection.php
+++ b/core/lib/Drupal/Core/Database/Driver/mysql/Connection.php
@@ -61,6 +61,10 @@ public static function open(array &$connection_options = array()) {
      // Default to TCP connection on port 3306.
      $dsn = 'mysql:host=' . $connection_options['host'] . ';port=' . (empty($connection_options['port']) ? 3306 : $connection_options['port']);
    }
+    // Character set is added to dsn to ensure PDO uses the proper character
+    // set when escaping. This has security implications. See
+    // https://www.drupal.org/node/1201452 for further discussion.
+    $dsn .= ';charset=utf8';
    if (!empty($connection_options['database'])) {
      $dsn .= ';dbname=' . $connection_options['database'];
    }