Merge pull request #1791 from rolfen/sql-password-plugin-fix

Custom SQL password plugin - SQL injection vulnerability fix
This commit is contained in:
RainLoop Team 2018-10-21 00:33:35 +03:00 committed by GitHub
commit 495fb486e1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 45 additions and 8 deletions

View file

@ -146,7 +146,7 @@ class ChangePasswordCustomSqlDriver implements \RainLoop\Providers\ChangePasswor
$dsn = 'mysql:host='.$this->mHost.';dbname='.$this->mDatabase.';charset=utf8'; $dsn = 'mysql:host='.$this->mHost.';dbname='.$this->mDatabase.';charset=utf8';
$options = array( $options = array(
PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_EMULATE_PREPARES => true,
PDO::ATTR_PERSISTENT => true, PDO::ATTR_PERSISTENT => true,
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
); );
@ -160,15 +160,52 @@ class ChangePasswordCustomSqlDriver implements \RainLoop\Providers\ChangePasswor
$sEmailUser = \MailSo\Base\Utils::GetAccountNameFromEmail($sEmail); $sEmailUser = \MailSo\Base\Utils::GetAccountNameFromEmail($sEmail);
$sEmailDomain = \MailSo\Base\Utils::GetDomainFromEmail($sEmail); $sEmailDomain = \MailSo\Base\Utils::GetDomainFromEmail($sEmail);
//simple check // some variables cannot be prepared
$this->mSql = str_replace(array(
':table'
), array(
$this->mTable
), $this->mSql);
$old = array(':email', ':oldpass', ':newpass', ':domain', ':username', ':table' ); $placeholders = array(
$new = array($sEmail, $sPrevPassword, $sNewPassword, $sEmailDomain, $sEmailUser, $this->mTable); ':email' => $sEmail,
':oldpass' => $sPrevPassword,
':newpass' => $sNewPassword,
':domain' => $sEmailDomain,
':username' => $sEmailUser
);
$this->mSql = str_replace($old, $new, $this->mSql); // we have to check that all placehoders are used in the query, passing any unused placeholders will generate an error
$used_placeholders = array();
foreach($placeholders as $placeholder => $value) {
if(preg_match_all('/'.$placeholder . '(?![a-zA-Z0-9\-])'.'/', $this->mSql) === 1) {
// backwards-compabitibility: remove single and double quotes around placeholders
$this->mSql = str_replace('`'.$placeholder.'`', $placeholder, $this->mSql);
$this->mSql = str_replace("'".$placeholder."'", $placeholder, $this->mSql);
$this->mSql = str_replace('"'.$placeholder.'"', $placeholder, $this->mSql);
$used_placeholders[$placeholder] = $value;
}
}
$statement = $conn->prepare($this->mSql);
// everything is ready (hopefully), bind the values
foreach($used_placeholders as $placeholder => $value) {
$statement->bindValue($placeholder, $value);
}
// and execute
$mSqlReturn = $statement->execute();
/* can be used for debugging
ob_start();
$statement->debugDumpParams();
$r = ob_get_contents();
ob_end_clean();
$this->oLogger->Write($r);
*/
$update = $conn->prepare($this->mSql);
$mSqlReturn = $update->execute(array());
if ($mSqlReturn == true) if ($mSqlReturn == true)
{ {
$bResult = true; $bResult = true;

View file

@ -46,7 +46,7 @@ class ChangePasswordCustomSqlPlugin extends \RainLoop\Plugins\AbstractPlugin
\RainLoop\Plugins\Property::NewInstance('mTable')->SetLabel('MySQL Table'), \RainLoop\Plugins\Property::NewInstance('mTable')->SetLabel('MySQL Table'),
\RainLoop\Plugins\Property::NewInstance('mSql')->SetLabel('SQL statement') \RainLoop\Plugins\Property::NewInstance('mSql')->SetLabel('SQL statement')
->SetType(\RainLoop\Enumerations\PluginPropertyType::STRING_TEXT) ->SetType(\RainLoop\Enumerations\PluginPropertyType::STRING_TEXT)
->SetDescription('SQL statement (allowed wildcards :table, :email, :oldpass, :newpass, :domain, :username). When using MD5 OR SHA1 at tables, write it directly here as SQL functions. Fro non-SQL encryptions use another plugin or wait for new version.') ->SetDescription('SQL statement (allowed wildcards :table, :email, :oldpass, :newpass, :domain, :username). Use SQL functions for encryption.')
->SetDefaultValue('UPDATE :table SET password = md5(:newpass) WHERE domain = :domain AND username = :username and oldpass = md5(:oldpass)') ->SetDefaultValue('UPDATE :table SET password = md5(:newpass) WHERE domain = :domain AND username = :username and oldpass = md5(:oldpass)')
); );
} }