Infra-Mirrors/PrivateBin
1
0
Fork 0
mirror of https://github.com/PrivateBin/PrivateBin.git synced 2024-10-01 01:26:10 -04:00
Code Issues Packages Projects Releases Wiki Activity

using table name sanitation function to ensure no weird characters are used by accident (e.g. by oddly configured table prefix)

Browse Source
This commit is contained in:
El RIDO 2016-07-11 14:33:45 +02:00
parent 3b3b5277eb
commit c33c50f775
2 changed files with 13 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
composer.json
View File

@ -1,7 +1,6 @@
{ {
"name": "privatebin/privatebin", "name": "privatebin/privatebin",
"description": "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bit AES in Galois Counter mode.", "description": "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bit AES in Galois Counter mode.",
"version": "0.22",
"repositories": [ "repositories": [
{ {
"type": "vcs", "type": "vcs",

29
lib/privatebin/db.php
View File

@ -606,7 +606,7 @@ class privatebin_db extends privatebin_abstract
*/ */
private static function _sanitizeIdentifier($identifier) private static function _sanitizeIdentifier($identifier)
{ {
return self::$_prefix . preg_replace('/[^A-Za-z0-9_]+/', '', $identifier); return preg_replace('/[^A-Za-z0-9_]+/', '', self::$_prefix . $identifier);
} }
/** /**
@ -624,45 +624,42 @@ class privatebin_db extends privatebin_abstract
case '0.21': case '0.21':
// create the meta column if necessary (pre 0.21 change) // create the meta column if necessary (pre 0.21 change)
try { try {
self::$_db->exec('SELECT meta FROM ' . self::$_prefix . 'paste LIMIT 1;'); self::$_db->exec('SELECT meta FROM ' . self::_sanitizeIdentifier('paste') . ' LIMIT 1;');
} catch (PDOException $e) { } catch (PDOException $e) {
self::$_db->exec('ALTER TABLE ' . self::$_prefix . 'paste ADD COLUMN meta TEXT;'); self::$_db->exec('ALTER TABLE ' . self::_sanitizeIdentifier('paste') . ' ADD COLUMN meta TEXT;');
} }
// SQLite only allows one ALTER statement at a time... // SQLite only allows one ALTER statement at a time...
self::$_db->exec( self::$_db->exec(
'ALTER TABLE ' . self::$_prefix . 'paste ADD COLUMN attachment MEDIUMBLOB;' 'ALTER TABLE ' . self::_sanitizeIdentifier('paste') . ' ADD COLUMN attachment MEDIUMBLOB;'
); );
self::$_db->exec( self::$_db->exec(
'ALTER TABLE ' . self::$_prefix . 'paste ADD COLUMN attachmentname BLOB;' 'ALTER TABLE ' . self::_sanitizeIdentifier('paste') . ' ADD COLUMN attachmentname BLOB;'
); );
// SQLite doesn't support MODIFY, but it allows TEXT of similar // SQLite doesn't support MODIFY, but it allows TEXT of similar
// size as BLOB, so there is no need to change it there // size as BLOB, so there is no need to change it there
if (self::$_type !== 'sqlite') if (self::$_type !== 'sqlite')
{ {
self::$_db->exec( self::$_db->exec(
'ALTER TABLE ' . self::$_prefix . 'paste ' . 'ALTER TABLE ' . self::_sanitizeIdentifier('paste') .
'ADD PRIMARY KEY (dataid),' . ' ADD PRIMARY KEY (dataid), MODIFY COLUMN data BLOB;'
'MODIFY COLUMN data BLOB;'
); );
self::$_db->exec( self::$_db->exec(
'ALTER TABLE ' . self::$_prefix . 'comment ' . 'ALTER TABLE ' . self::_sanitizeIdentifier('comment') .
'ADD PRIMARY KEY (dataid),' . ' ADD PRIMARY KEY (dataid), MODIFY COLUMN data BLOB, ' .
'MODIFY COLUMN data BLOB, ' . 'MODIFY COLUMN nickname BLOB, MODIFY COLUMN vizhash BLOB;'
'MODIFY COLUMN nickname BLOB, ' .
'MODIFY COLUMN vizhash BLOB;'
); );
} }
else else
{ {
self::$_db->exec( self::$_db->exec(
'CREATE UNIQUE INDEX primary ON ' . self::$_prefix . 'paste(dataid);' 'CREATE UNIQUE INDEX primary ON ' . self::_sanitizeIdentifier('paste') . '(dataid);'
); );
self::$_db->exec( self::$_db->exec(
'CREATE UNIQUE INDEX primary ON ' . self::$_prefix . 'comment(dataid);' 'CREATE UNIQUE INDEX primary ON ' . self::_sanitizeIdentifier('comment') . '(dataid);'
); );
} }
self::$_db->exec( self::$_db->exec(
'CREATE INDEX parent ON ' . self::$_prefix . 'comment(pasteid);' 'CREATE INDEX parent ON ' . self::_sanitizeIdentifier('comment') . '(pasteid);'
); );
} }
} }