BUGFIX Fixed SQL injection in Folder::findOrMake() parameter. Exploitable through Upload::, although unlikely to be set via user input.

This commit is contained in:
Ingo Schommer 2011-03-21 16:12:37 +13:00
parent 551bc5dc72
commit fef7c32535

View File

@ -42,7 +42,14 @@ class Folder extends File {
$item = null;
foreach($parts as $part) {
if(!$part) continue; // happens for paths with a trailing slash
$item = DataObject::get_one("Folder", "\"Name\" = '$part' AND \"ParentID\" = $parentID");
$item = DataObject::get_one(
"Folder",
sprintf(
"\"Name\" = '%s' AND \"ParentID\" = %d",
Convert::raw2sql($part),
(int)$parentID
)
);
if(!$item) {
$item = new Folder();
$item->ParentID = $parentID;