Bugfix: SQL injection in custom field enum/set types

Reported by Peng Zhou @zpbrent
phpipam · Mar 5, 2023 · 16e7a94 · 16e7a94 · Barsug · Jul 14, 2023
1 parent 470a175
commit 16e7a94
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/functions/classes/class.Admin.php b/functions/classes/class.Admin.php
@@ -673,7 +673,7 @@ public function update_custom_field_definition ($field) {
 
 	    # set type definition and size of needed
 	    if($field['fieldType']=="bool" || $field['fieldType']=="text" || $field['fieldType']=="date" || $field['fieldType']=="datetime")	{ $field['ftype'] = $field['fieldType']; }
-	    else																																{ $field['ftype'] = $field['fieldType']."(".$field['fieldSize'].")"; }
+	    else																																{ $field['ftype'] = $field['fieldType']."( :enumset )"; }
 
 	    # default value null
 	    $field['fieldDefault'] = is_blank($field['fieldDefault']) ? NULL : $field['fieldDefault'];
@@ -709,6 +709,7 @@ public function update_custom_field_definition ($field) {
 	    $params = array();
 	    if (strpos($query, ":default")>0)	$params['default'] = $field['fieldDefault'];
 	    if (strpos($query, ":comment")>0)	$params['comment'] = $field['Comment'];
+	    if (strpos($query, ":enumset")>0)	$params['enumset'] = $field['fieldSize'];
 
 		# execute
 		try { $res = $this->Database->runQuery($query, $params); }

diff --git a/misc/CHANGELOG b/misc/CHANGELOG
@@ -7,6 +7,7 @@
 
     Security Fixes:
     ----------------------------
+    + SQL injection in custom field enum/set types;
     + XSS (reflected) in 'bw-calulator-result.php';
     + XSS (reflected) by invalid email address response;
     + XSS (reflected) by /app/tools/subnet-masks/popup.php (#3738);