Commit 02a67863 authored by effulgentsia's avatar effulgentsia

Issue #2554229 by stefan.r, csabot3, Crell, pwolanin, YesCT, ircmaxell,...

Issue #2554229 by stefan.r, csabot3, Crell, pwolanin, YesCT, ircmaxell, greggles, larowlan, webchick: Port SQL Injection - Database API fixes from SA-CORE-2015-003 to Drupal 8
parent 5df20ac4
......@@ -529,7 +529,7 @@ public function makeComment($comments) {
* A sanitized version of the query comment string.
*/
protected function filterComment($comment = '') {
return preg_replace('/(\/\*\s*)|(\s*\*\/)/', '', $comment);
return strtr($comment, ['*' => ' * ']);
}
/**
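Review bot: The new one-liner in `filterComment()` is correct only under an invariant that nothing in the hunk states: every `*` is padded with spaces so the input can never assemble the terminator `*/` however often it repeats it (the old strip-based regex failed on `**//`, where one removal pass leaves `*/`), and the caller `makeComment()` must keep emitting `/* ` with a space after the opening, since MySQL executes `/*!…*/` (and, on newer versions, reads `/*+…*/` as optimizer hints) only when that character directly follows `/*`. A subclass of this protected method, or a later "tidy-up" of the prefix, would silently reopen the hole, so put the reasoning on the code: `// Pad every '*' so the result can never contain '*/' no matter how the input repeats it; stripping (the old approach) breaks on '**//'. Relies on makeComment() emitting '/* ' with a trailing space.` above the `return`. The method's docblock opens before this hunk; its `@return` line ("A sanitized version…") should say concretely that the result contains no `*/` sequence.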
......@@ -7,6 +7,7 @@
namespace Drupal\system\Tests\Database;
use Drupal\Core\Database\InvalidQueryException;
use Drupal\Core\Database\Database;
/**
* Tests the Select query builder.
......@@ -57,10 +58,47 @@ function testVulnerableComment() {
$records = $result->fetchAll();
$query = (string) $query;
$expected = "/* Testing query comments SELECT nid FROM {node}; -- */";
$expected = "/* Testing query comments * / SELECT nid FROM {node}; -- */ SELECT test.name AS name, test.age AS age\nFROM \n{test} test";
$this->assertEqual(count($records), 4, 'Returned the correct number of rows.');
$this->assertNotIdentical(FALSE, strpos($query, $expected), 'The flattened query contains the sanitised comment string.');
$connection = Database::getConnection();
foreach ($this->makeCommentsProvider() as $test_set) {
list($expected, $comments) = $test_set;
$this->assertEqual($expected, $connection->makeComment($comments));
}
}
/**
* Provides expected and input values for testVulnerableComment().
*/
function makeCommentsProvider() {
return [
[
'/* */ ',
[''],
],
// Try and close the comment early.
[
'/* Exploit * / DROP TABLE node; -- */ ',
['Exploit */ DROP TABLE node; --'],
],
// Variations on comment closing.
[
'/* Exploit * / * / DROP TABLE node; -- */ ',
['Exploit */*/ DROP TABLE node; --'],
],
[
'/* Exploit * * // DROP TABLE node; -- */ ',
['Exploit **// DROP TABLE node; --'],
],
// Try closing the comment in the second string which is appended.
[
'/* Exploit * / DROP TABLE node; --; Another try * / DROP TABLE node; -- */ ',
['Exploit */ DROP TABLE node; --', 'Another try */ DROP TABLE node; --'],
],
];
}
/**
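Review bot: None of the datasets added to `makeCommentsProvider()` probes the opening side of the comment: MySQL honours `/*!…*/` as executable SQL (and newer versions read `/*+…*/` as hints) only when the `!`/`+` immediately follows `/*`, so the protection is the single space `makeComment()` puts after `/*` — visible in the `'/* */ '` expectation for `['']` — and no case pins it. Add `['/* !40100 DROP TABLE node; -- */ ', ['!40100 DROP TABLE node; --']],` with `// MySQL only treats '/*!' specially when '!' directly follows '/*'; the space must stay.` so a reformatting of the prefix fails the test. The loop over the provider uses `assertEqual`, a loose comparison; for string output `$this->assertIdentical($expected, $connection->makeComment($comments));` is the right strength. `testVulnerableComment()` opens before this hunk, per the `@@` header.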
......@@ -254,12 +254,12 @@ public function providerMakeComments() {
array(''),
),
array(
'/* Exploit * / DROP TABLE node; -- */ ',
'/* Exploit * / DROP TABLE node; -- */ ',
array('Exploit * / DROP TABLE node; --'),
),
array(
'/* Exploit DROP TABLE node; --; another comment */ ',
array('Exploit */ DROP TABLE node; --', 'another comment'),
'/* Exploit * / DROP TABLE node; --; another comment */ ',
array('Exploit * / DROP TABLE node; --', 'another comment'),
),
);
}
......@@ -286,8 +286,8 @@ public function testMakeComments($expected, $comment_array) {
public function providerFilterComments() {
return array(
array('', ''),
array('Exploit * / DROP TABLE node; --', 'Exploit * / DROP TABLE node; --'),
array('Exploit DROP TABLE node; --', 'Exploit */ DROP TABLE node; --'),
array('Exploit * / DROP TABLE node; --', 'Exploit * / DROP TABLE node; --'),
array('Exploit * / DROP TABLE node; --', 'Exploit */ DROP TABLE node; --'),
);
}
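Review bot: `providerFilterComments()` and `providerMakeComments()` still exercise only the single `*/` input, while the kernel test added in this same commit also covers `*/*/` and `**//` — the latter being the input the old regex mishandled, since one pass of stripping `*/` from `**//` leaves `*/`. Mirror those datasets here so the database-free unit test catches a regression to stripping: `array('Exploit  * / * / DROP TABLE node; --', 'Exploit */*/ DROP TABLE node; --'),` and `array('Exploit  *  * // DROP TABLE node; --', 'Exploit **// DROP TABLE node; --'),`. Note that `strtr` produces doubled spaces wherever a replacement abuts a space or another `*`; the rendered page appears to collapse runs of spaces (the old and new `'/* Exploit * / …'` expectation lines print identically), so check the expected strings byte-for-byte before committing.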