Joomla! Issue Tracker | Joomla! CMS #13825 - Escape quotes in $db->quoteName

Fixed in Code Base
2 Feb 2017
Medium
Build: staging
# 13825
Diff
csthomas:secur

Pending

User tests: Successful: Unsuccessful:

csthomas
31 Jan 2017

Summary of Changes

Escape quote char in $db->quoteName() method.

It can be considered as a little security fix,
but joomla (with correct sanitise aliases/columns) is secure also without this patch.

I based on:

Testing Instructions

Code review or
Create and execute each query for specified database type:

$db = JFactory::getDbo();
$q1 = $db->getQuery(true)->select($db->quoteName('title', 'protected`title'))->from('#__content')->where('id=1');

// Without patch it generate error on mysql but it works on other databases
$db->setQuery($q1)->loadAssoc();

$db = JFactory::getDbo();
$q2 = $db->getQuery(true)->select($db->quoteName('title', 'protected"title'))->from('#__content')->where('id=1');

// Without patch it generate error on postgresql but it works on other databases
$db->setQuery($q2)->loadAssoc();

$db = JFactory::getDbo();
$q3 = $db->getQuery(true)->select($db->quoteName('title', 'protected]title'))->from('#__content')->where('id=1');

// Without patch it generate error on mssql but it works on other databases
$db->setQuery($q3)->loadAssoc();

Expected result - valid queries

on MySQL
- SELECT title AS `protected``title` FROM #__content where id=1
on postgreSQL
- SELECT title AS "protected""title" FROM #__content where id=1
on MSSQL
- SELECT title AS [protected]]title] FROM #__content where id=1

Actual result - invalid queries

on MySQL
- SELECT title AS `protected`title` FROM #__content where id=1
on postgreSQL
- SELECT title AS "protected"title" FROM #__content where id=1
on MSSQL
- SELECT title AS [protected]title] FROM #__content where id=1

Documentation Changes Required

2305cf3 31 Jan 2017

Security fix for quoteName

csthomas - open - 31 Jan 2017

csthomas - change - 31 Jan 2017

Status

New

⇒

Pending

joomla-cms-bot - change - 31 Jan 2017

Category

⇒

Libraries

PhilETaylor - comment - 31 Jan 2017

It can be considered as a little security fix,

To quote someone else (@mbabker):

it looks like a hardening, not a vulnerability... at least that's the way i read it

csthomas - change - 31 Jan 2017

The description was changed

csthomas - edited - 31 Jan 2017

beat - comment - 1 Feb 2017

Reviewed source code, and looks ok.
Based on MSSQL official doc at Microsoft, second case seems ok too:
https://technet.microsoft.com/en-us/library/ms176027(v=sql.105).aspx#

csthomas - edited - 1 Feb 2017

csthomas - comment - 1 Feb 2017

Great, but as usual we need 2 tests, I think that you review can be used as success test.
You can mark it as success at https://issues.joomla.org/tracker/joomla-cms/13825

marrouchi - comment - 1 Feb 2017

I have tested this item ✅ successfully on 2305cf3

Tested on MySQL.

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13825.}

marrouchi - test_item - 1 Feb 2017 - Tested successfully

alikon - comment - 1 Feb 2017

I have tested this item ✅ successfully on 2305cf3

on mssql
on postgresql

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13825.}

alikon - test_item - 1 Feb 2017 - Tested successfully

wilsonge - change - 2 Feb 2017

The description was changed

Status	Pending	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2017-02-02 14:32:03
Closed_By		⇒	wilsonge
Labels	Added: ?

wilsonge - close - 2 Feb 2017

wilsonge - merge - 2 Feb 2017

wilsonge - comment - 2 Feb 2017

With a small degree of trepidation given previous attempts to modify this function. Merged

PhilETaylor - comment - 2 Feb 2017

With a small degree of trepidation given previous attempts to modify this function. Merged

Surely then its a good candidate for unit tests?

csthomas - comment - 2 Feb 2017

Then I will add a new PR with tests for quoteName for 3 dbs which will be tested by appveyor.

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#13825] - Escape quotes in $db->quoteName