diff options
| author | Damien Regad <dregad@mantisbt.org> | 2022-01-22 23:36:31 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-22 23:36:31 +0100 |
| commit | 9289a3a89a4f278421af68bfa9739117337bdef4 (patch) | |
| tree | 4a1108b9dc8e756f54f4faed428b1c37d5a4bbc4 | |
| parent | c5415722049f36c446a4034d15f1d17943f11458 (diff) | |
| parent | 1d079fff12b872f9267dc018f6be870cf5805666 (diff) | |
| download | adodb-9289a3a89a4f278421af68bfa9739117337bdef4.tar.gz adodb-9289a3a89a4f278421af68bfa9739117337bdef4.tar.bz2 adodb-9289a3a89a4f278421af68bfa9739117337bdef4.zip | |
Merge pull request from GHSA-65mj-7c86-79jf
CVE-2021-3850: Prevent auth bypass with PostgreSQL connections
| -rw-r--r-- | drivers/adodb-postgres64.inc.php | 75 |
1 files changed, 44 insertions, 31 deletions
diff --git a/drivers/adodb-postgres64.inc.php b/drivers/adodb-postgres64.inc.php index 9128467b..3f351f97 100644 --- a/drivers/adodb-postgres64.inc.php +++ b/drivers/adodb-postgres64.inc.php @@ -22,15 +22,6 @@ // security - hide paths if (!defined('ADODB_DIR')) die(); -function adodb_addslashes($s) -{ - $len = strlen($s); - if ($len == 0) return "''"; - if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted - - return "'".addslashes($s)."'"; -} - class ADODB_postgres64 extends ADOConnection{ var $databaseType = 'postgres64'; var $dataProvider = 'postgres'; @@ -682,35 +673,57 @@ class ADODB_postgres64 extends ADOConnection{ return $indexes; } - // returns true or false - // - // examples: - // $db->Connect("host=host1 user=user1 password=secret port=4341"); - // $db->Connect('host1','user1','secret'); - function _connect($str,$user='',$pwd='',$db='',$ctype=0) + /** + * Connect to a database. + * + * Examples: + * $db->Connect("host=host1 user=user1 password=secret port=4341"); + * $db->Connect('host1:4341', 'user1', 'secret'); + * + * @param string $str pg_connect() Connection string or Hostname[:port] + * @param string $user (Optional) The username to connect as. + * @param string $pwd (Optional) The password to connect with. + * @param string $db (Optional) The name of the database to start in when connected. + * @param int $ctype Connection type + * @return bool|null True if connected successfully, false if connection failed, or + * null if the PostgreSQL extension is not loaded. + */ + function _connect($str, $user='', $pwd='', $db='', $ctype=0) { - if (!function_exists('pg_connect')) return null; + if (!function_exists('pg_connect')) { + return null; + } $this->_errorMsg = false; + // If $user, $pwd and $db are all null, then $str is a pg_connect() + // connection string. Otherwise we expect it to be a hostname, + // with optional port separated by ':' if ($user || $pwd || $db) { - $user = adodb_addslashes($user); - $pwd = adodb_addslashes($pwd); - if (strlen($db) == 0) $db = 'template1'; - $db = adodb_addslashes($db); - if ($str) { - $host = explode(":", $str); - if ($host[0]) $str = "host=".adodb_addslashes($host[0]); - else $str = ''; - if (isset($host[1])) $str .= " port=$host[1]"; - else if (!empty($this->port)) $str .= " port=".$this->port; + // Hostname & port + if ($str) { + $host = explode(':', $str); + if ($host[0]) { + $conn['host'] = $host[0]; + } + if (isset($host[1])) { + $conn['port'] = (int)$host[1]; + } elseif (!empty($this->port)) { + $conn['port'] = $this->port; + } } - if ($user) $str .= " user=".$user; - if ($pwd) $str .= " password=".$pwd; - if ($db) $str .= " dbname=".$db; - } + $conn['user'] = $user; + $conn['password'] = $pwd; + // @TODO not sure why we default to 'template1', pg_connect() uses the username when dbname is empty + $conn['dbname'] = $db ?: 'template1'; - //if ($user) $linea = "user=$user host=$linea password=$pwd dbname=$db port=5432"; + // Generate connection string + $str = ''; + foreach ($conn as $param => $value) { + // Escaping single quotes and backslashes per pg_connect() documentation + $str .= $param . "='" . addcslashes($value, "'\\") . "' "; + } + } if ($ctype === 1) { // persistent $this->_connectionID = pg_pconnect($str); |
