summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Regad <dregad@mantisbt.org>2022-01-22 23:36:31 +0100
committerGitHub <noreply@github.com>2022-01-22 23:36:31 +0100
commit9289a3a89a4f278421af68bfa9739117337bdef4 (patch)
tree4a1108b9dc8e756f54f4faed428b1c37d5a4bbc4
parentc5415722049f36c446a4034d15f1d17943f11458 (diff)
parent1d079fff12b872f9267dc018f6be870cf5805666 (diff)
downloadadodb-9289a3a89a4f278421af68bfa9739117337bdef4.tar.gz
adodb-9289a3a89a4f278421af68bfa9739117337bdef4.tar.bz2
adodb-9289a3a89a4f278421af68bfa9739117337bdef4.zip
Merge pull request from GHSA-65mj-7c86-79jf
CVE-2021-3850: Prevent auth bypass with PostgreSQL connections
-rw-r--r--drivers/adodb-postgres64.inc.php75
1 files changed, 44 insertions, 31 deletions
diff --git a/drivers/adodb-postgres64.inc.php b/drivers/adodb-postgres64.inc.php
index 9128467b..3f351f97 100644
--- a/drivers/adodb-postgres64.inc.php
+++ b/drivers/adodb-postgres64.inc.php
@@ -22,15 +22,6 @@
// security - hide paths
if (!defined('ADODB_DIR')) die();
-function adodb_addslashes($s)
-{
- $len = strlen($s);
- if ($len == 0) return "''";
- if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted
-
- return "'".addslashes($s)."'";
-}
-
class ADODB_postgres64 extends ADOConnection{
var $databaseType = 'postgres64';
var $dataProvider = 'postgres';
@@ -682,35 +673,57 @@ class ADODB_postgres64 extends ADOConnection{
return $indexes;
}
- // returns true or false
- //
- // examples:
- // $db->Connect("host=host1 user=user1 password=secret port=4341");
- // $db->Connect('host1','user1','secret');
- function _connect($str,$user='',$pwd='',$db='',$ctype=0)
+ /**
+ * Connect to a database.
+ *
+ * Examples:
+ * $db->Connect("host=host1 user=user1 password=secret port=4341");
+ * $db->Connect('host1:4341', 'user1', 'secret');
+ *
+ * @param string $str pg_connect() Connection string or Hostname[:port]
+ * @param string $user (Optional) The username to connect as.
+ * @param string $pwd (Optional) The password to connect with.
+ * @param string $db (Optional) The name of the database to start in when connected.
+ * @param int $ctype Connection type
+ * @return bool|null True if connected successfully, false if connection failed, or
+ * null if the PostgreSQL extension is not loaded.
+ */
+ function _connect($str, $user='', $pwd='', $db='', $ctype=0)
{
- if (!function_exists('pg_connect')) return null;
+ if (!function_exists('pg_connect')) {
+ return null;
+ }
$this->_errorMsg = false;
+ // If $user, $pwd and $db are all null, then $str is a pg_connect()
+ // connection string. Otherwise we expect it to be a hostname,
+ // with optional port separated by ':'
if ($user || $pwd || $db) {
- $user = adodb_addslashes($user);
- $pwd = adodb_addslashes($pwd);
- if (strlen($db) == 0) $db = 'template1';
- $db = adodb_addslashes($db);
- if ($str) {
- $host = explode(":", $str);
- if ($host[0]) $str = "host=".adodb_addslashes($host[0]);
- else $str = '';
- if (isset($host[1])) $str .= " port=$host[1]";
- else if (!empty($this->port)) $str .= " port=".$this->port;
+ // Hostname & port
+ if ($str) {
+ $host = explode(':', $str);
+ if ($host[0]) {
+ $conn['host'] = $host[0];
+ }
+ if (isset($host[1])) {
+ $conn['port'] = (int)$host[1];
+ } elseif (!empty($this->port)) {
+ $conn['port'] = $this->port;
+ }
}
- if ($user) $str .= " user=".$user;
- if ($pwd) $str .= " password=".$pwd;
- if ($db) $str .= " dbname=".$db;
- }
+ $conn['user'] = $user;
+ $conn['password'] = $pwd;
+ // @TODO not sure why we default to 'template1', pg_connect() uses the username when dbname is empty
+ $conn['dbname'] = $db ?: 'template1';
- //if ($user) $linea = "user=$user host=$linea password=$pwd dbname=$db port=5432";
+ // Generate connection string
+ $str = '';
+ foreach ($conn as $param => $value) {
+ // Escaping single quotes and backslashes per pg_connect() documentation
+ $str .= $param . "='" . addcslashes($value, "'\\") . "' ";
+ }
+ }
if ($ctype === 1) { // persistent
$this->_connectionID = pg_pconnect($str);