Piwigo Bugtracker

Piwigo bug tracker has moved to Github

This bugtracker is kept to provide history on old issues.


ID: 0002971
Project: Piwigo
Category: image processing
View Status: public
Date Submitted: 2013.10.10 13:43
Last Update: 2014.04.16 07:13
Reporter: obones
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.5.2
Target Version:
Fixed in Version: 2.7.0beta1
Summary: 0002971: i.php should escape source location
Description:

Hello,

One can modify sync_chars_regex so that it includes the apostrophe character. This is useful when you have such a character in your existing file tree, such as "Surfer's Paradise" for instance.
The problem is that i.php does the following query (line 470):

    $query = '
    SELECT *
      FROM '.$prefixeTable.'images
      WHERE path=\''.$page['src_location'].'\'
    ;';

In this case, the source location contains an apostrophe that gets sent directly to mysql. This leads to an error in most cases, but might as well lead to a SQL injection issue.
It is thus necessary to escape the location, by calling pwg_db_real_escape_string, thus leading to the following code:

    $query = '
    SELECT *
      FROM '.$prefixeTable.'images
      WHERE path=\''.pwg_db_real_escape_string($page['src_location']).'\'
    ;';

With this change, the thumbnails for images with apostrophes are generated correctly and one no longer faces the SQL injection risk.

This came from the following forum discussion (in French):

http://fr.piwigo.org/forum/viewtopic.php?pid=205495
Tags: No tags attached.
browser: any
Database engine and version:
PHP version:
Web server: Apache 1.3.x
Attached Files:
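
The failure and the fix described in the report, as an added PHP example that is not Piwigo's code. It assumes the pdo_sqlite extension and uses an in-memory SQLite table in place of MySQL, `PDO::quote()` as a stand-in for `pwg_db_real_escape_string`, and a constructed table prefix and sample paths. It goes one step beyond the report by also showing a bound parameter.

```php
<?php
// Added example, not Piwigo code. In-memory SQLite via PDO stands in for MySQL.
$prefixeTable = 'piwigo_'; // constructed table prefix
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE '.$prefixeTable.'images (id INTEGER PRIMARY KEY, path TEXT)');

// Constructed sample rows; the second path contains an apostrophe.
$insert = $db->prepare('INSERT INTO '.$prefixeTable.'images (path) VALUES (?)');
foreach (['./galleries/beach/a.jpg', "./galleries/Surfer's Paradise/b.jpg"] as $p) {
    $insert->execute([$p]);
}

// Pattern from the report: the path is pasted into the statement as-is.
function find_concatenated(PDO $db, string $prefix, string $src): ?array
{
    $query = 'SELECT * FROM '.$prefix.'images WHERE path=\''.$src.'\';';
    try {
        return $db->query($query)->fetch(PDO::FETCH_ASSOC) ?: null;
    } catch (PDOException $e) {
        // The apostrophe ends the string literal early; the rest is parsed as SQL.
        echo 'concatenated query rejected: '.$e->getMessage()."\n";
        return null;
    }
}

// Same shape as the fix: escape before concatenating. PDO::quote() is the
// stand-in for pwg_db_real_escape_string and also adds the surrounding quotes.
function find_escaped(PDO $db, string $prefix, string $src): ?array
{
    $query = 'SELECT * FROM '.$prefix.'images WHERE path='.$db->quote($src).';';
    return $db->query($query)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Bound parameter: the path is sent as data and never becomes SQL text.
function find_bound(PDO $db, string $prefix, string $src): ?array
{
    $stmt = $db->prepare('SELECT * FROM '.$prefix.'images WHERE path = ?');
    $stmt->execute([$src]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

$src = "./galleries/Surfer's Paradise/b.jpg";
foreach (['find_concatenated', 'find_escaped', 'find_bound'] as $fn) {
    $row = $fn($db, $prefixeTable, $src);
    echo $fn.': '.($row === null ? 'no row' : 'row id '.$row['id'])."\n";
}
```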

- Relationships
related to 0002762 (assigned, plg): Using the ' (apostrophe) character in filenames/directory names lets sql queries fail

-  Notes
(0007413)
svn (reporter)
2014.04.16 07:13

[Subversion] r28198 by rvelices on trunk

-----[Subversion commit log]----------------------------------------------------
bug 2971: i.php should escape source location

- Issue History
Date Modified Username Field Change
2013.10.10 13:43 obones New Issue
2013.10.10 13:43 obones browser => any
2013.10.10 13:43 obones Web server => Apache 1.3.x
2014.01.24 14:43 flop25 Relationship added related to 0002762
2014.04.16 07:13 svn Checkin
2014.04.16 07:13 svn Note Added: 0007413
2014.04.16 07:13 rvelices Status new => closed
2014.04.16 07:13 rvelices Resolution open => fixed
2014.04.16 07:13 rvelices Fixed in Version => 2.7.0beta1

