From 16e7a94fb69412e569ccf6f2fe0a1f847309c922 Mon Sep 17 00:00:00 2001
From: Gary Allan
Date: Sun, 5 Mar 2023 22:32:48 +0000
Subject: [PATCH] Bugfix: SQL injection in custom field enum/set types

Reported by Peng Zhou @zpbrent
---
 functions/classes/class.Admin.php | 3 ++-
 misc/CHANGELOG | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/functions/classes/class.Admin.php b/functions/classes/class.Admin.php
index f5fa9cef6..d2f5d8c82 100644
--- a/functions/classes/class.Admin.php
+++ b/functions/classes/class.Admin.php
@@ -673,7 +673,7 @@ public function update_custom_field_definition ($field) {
 # set type definition and size of needed
 if($field['fieldType']=="bool" || $field['fieldType']=="text" || $field['fieldType']=="date" || $field['fieldType']=="datetime") { $field['ftype'] = $field['fieldType']; }
- else { $field['ftype'] = $field['fieldType']."(".$field['fieldSize'].")"; }
+ else { $field['ftype'] = $field['fieldType']."( :enumset )"; }
 # default value null
 $field['fieldDefault'] = is_blank($field['fieldDefault']) ? NULL : $field['fieldDefault'];
@@ -709,6 +709,7 @@ public function update_custom_field_definition ($field) {
 $params = array();
 if (strpos($query, ":default")>0) $params['default'] = $field['fieldDefault'];
 if (strpos($query, ":comment")>0) $params['comment'] = $field['Comment'];
+ if (strpos($query, ":enumset")>0) $params['enumset'] = $field['fieldSize'];
 # execute
 try { $res = $this->Database->runQuery($query, $params); }
diff --git a/misc/CHANGELOG b/misc/CHANGELOG
index 34821ae35..2cfd553d7 100755
--- a/misc/CHANGELOG
+++ b/misc/CHANGELOG
@@ -7,6 +7,7 @@
 Security Fixes:
 ----------------------------
+ + SQL injection in custom field enum/set types;
 + XSS (reflected) in 'bw-calulator-result.php';
 + XSS (reflected) by invalid email address response;
 + XSS (reflected) by /app/tools/subnet-masks/popup.php (#3738);
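Review bot: The new `else` branch now emits `( :enumset )` for every type that is not bool/text/date/datetime, and the second hunk binds that placeholder as one string, so the DDL changes meaning rather than merely gaining a parameter: for enum/set the entire `fieldSize` text — which the removed line spliced in verbatim, so presumably an already-quoted option list — becomes a single quoted literal and the column ends up with one option, and for any other sized type that reaches this branch (varchar/int, if those are the remaining choices) a quoted string where MySQL expects an integer length is likely rejected; whether a bound parameter works inside DDL at all also depends on the Database layer's prepare emulation, which is outside this diff. `$field['fieldType']` is still concatenated into the statement unchanged, so unless the start of `update_custom_field_definition` (outside both hunks) checks it against an allow-list, that part of the injection surface remains. I would replace the single branch with an allow-listed type check, an integer cast for numeric lengths after a `ctype_digit` test, and for enum/set per-option validation against a strict character class before assembling the quoted list — rejecting through the function's existing error path — which makes the `:enumset` binding added in the second hunk unnecessary. The enclosing function begins and ends outside both hunks.
```php
		# set type definition and size of needed
		// constructed allow-list: align with the field-type choices the UI actually offers
		$allowedTypes = ["bool", "text", "date", "datetime", "varchar", "int", "enum", "set"];
		if (!in_array($field['fieldType'], $allowedTypes, true)) {
			// reject via the function's existing error path
		}
		if (in_array($field['fieldType'], ["bool", "text", "date", "datetime"], true)) {
			$field['ftype'] = $field['fieldType'];
		}
		elseif (in_array($field['fieldType'], ["enum", "set"], true)) {
			// one option per comma-separated token; only a strict character class is accepted,
			// so the quoted list can be assembled without relying on a DDL placeholder
			$options = [];
			foreach (explode(',', $field['fieldSize']) as $option) {
				$option = trim($option, " '\"");
				if (!preg_match('/^[A-Za-z0-9_ .-]+$/', $option)) {
					// reject via the function's existing error path
				}
				$options[] = $option;
			}
			$field['ftype'] = $field['fieldType']."('".implode("','", $options)."')";
		}
		else {
			// integer length only; a bound (quoted) parameter is not valid in this position
			if (!ctype_digit((string) $field['fieldSize'])) {
				// reject via the function's existing error path
			}
			$field['ftype'] = $field['fieldType']."(".(int) $field['fieldSize'].")";
		}
		// … unchanged: default value handling …
```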