authorDamien Regad <dregad@mantisbt.org>2025-07-19 18:37:59 +0200
committerDamien Regad <dregad@mantisbt.org>2025-08-03 17:57:49 +0200
commit5b8bd52cdcffefb4ecded1b399c98cfa516afe03 (patch)
tree5719fff6a71c466b778c5ce08b92e6c3558c9ea8
parenta568bfeb72d6b5942df747adc36b95165a083e60 (diff)
Prevent SQL injection in sqlite3 driver
Use query parameters instead of injecting the table name in the SQL, in the following methods: - metaColumns() - metaForeignKeys() - metaIndexes() Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability. Fixes #1083, CVE-2025-54119, GHSA-vf2r-cxg9-p7rf
-rw-r--r--drivers/adodb-sqlite3.inc.php37
1 files changed, 15 insertions, 22 deletions
diff --git a/drivers/adodb-sqlite3.inc.php b/drivers/adodb-sqlite3.inc.php
index 7e5f5ffd..564eec95 100644
--- a/drivers/adodb-sqlite3.inc.php
+++ b/drivers/adodb-sqlite3.inc.php
@@ -168,7 +168,9 @@ class ADODB_sqlite3 extends ADOConnection {
if ($this->fetchMode !== false) {
$savem = $this->SetFetchMode(false);
}
- $rs = $this->Execute("PRAGMA table_info('$table')");
+
+ $rs = $this->execute("PRAGMA table_info(?)", array($table));
+
if (isset($savem)) {
$this->SetFetchMode($savem);
}
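Review bot: `PRAGMA table_info(?)` is only safe and functional if `execute()` expands the placeholder into an escaped string literal before the statement reaches SQLite, because SQLite's PRAGMA grammar does not, as far as I know, accept natively bound parameters. Whether this driver binds natively or emulates binding is not visible in the hunk, so the assumption deserves a comment such as `// relies on ADOdb's emulated parameter expansion; PRAGMA arguments cannot be bound natively`. Alternatively, the table-valued form `SELECT * FROM pragma_table_info(?)` accepts a real bound value on SQLite 3.16 and later, which removes the dependency on the escaping routine. The same applies to the `PRAGMA table_info(?)` call added in the later hunk at new line 451. The enclosing method starts and ends outside this hunk.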
@@ -222,9 +224,8 @@ class ADODB_sqlite3 extends ADOConnection {
)
WHERE type != 'meta'
AND sql NOTNULL
- AND LOWER(name) ='" . strtolower($table) . "'";
-
- $tableSql = $this->getOne($sql);
+ AND LOWER(name) = ?";
+ $tableSql = $this->getOne($sql, [strtolower($table)]);
$fkeyList = array();
$ylist = preg_split("/,+/",$tableSql);
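Review bot: The value returned by `getOne($sql, [strtolower($table)])` is passed to `preg_split()` on the next line with no check for the case where no table matches the `LOWER(name) = ?` filter. If `getOne()` returns false or null there (its return contract is not visible in this hunk), `preg_split()` receives a non-string and the method goes on parsing an empty definition. A guard such as `if (!is_string($tableSql) || $tableSql === '') { return false; }` before the split would make the not-found path explicit. The right return value, and any fetch-mode restore needed before returning, depend on the rest of the method, which lies outside this hunk.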
@@ -441,6 +442,7 @@ class ADODB_sqlite3 extends ADOConnection {
$savem = $this->SetFetchMode(FALSE);
}
+ $table = strtolower($table);
$pragmaData = array();
/*
@@ -449,26 +451,17 @@ class ADODB_sqlite3 extends ADOConnection {
*/
if ($primary)
{
- $sql = sprintf('PRAGMA table_info([%s]);',
- strtolower($table)
- );
- $pragmaData = $this->getAll($sql);
+ $sql = 'PRAGMA table_info(?)';
+ $pragmaData = $this->getAll($sql, [$table]);
}
- /*
- * Exclude the empty entry for the primary index
- */
- $sqlite = "SELECT name,sql
- FROM sqlite_master
- WHERE type='index'
- AND sql IS NOT NULL
- AND LOWER(tbl_name)='%s'";
-
- $SQL = sprintf($sqlite,
- strtolower($table)
- );
-
- $rs = $this->execute($SQL);
+ // Exclude the empty entry for the primary index
+ $sql = "SELECT name,sql
+ FROM sqlite_master
+ WHERE type='index'
+ AND sql IS NOT NULL
+ AND LOWER(tbl_name)=?";
+ $rs = $this->execute($sql, [$table]);
if (!is_object($rs)) {
if (isset($savem)) {