From da68aae224e1627dd58250e7ddafd0dd9b1c5d3f Mon Sep 17 00:00:00 2001
From: Yannick Warnier
Date: Tue, 13 Jan 2015 12:17:03 +0100
Subject: [PATCH] Fix date filtering issue caused by better escape_string() against SQL injections - refs #7440

---
 main/inc/lib/database.lib.php | 2 ++
 main/inc/lib/internationalization.lib.php | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/main/inc/lib/database.lib.php b/main/inc/lib/database.lib.php
index 91bce86f11..8e6576284d 100755
--- a/main/inc/lib/database.lib.php
+++ b/main/inc/lib/database.lib.php
@@ -475,6 +475,7 @@ class Database
 public static function escape_string($string, $connection = null, $addFix = true)
 {
 // Fixes security problem when there's no "" or '' between a variable.
+ // See #7440 for more info
 if ($addFix) {
 $string = "__@$string@__";
 }
@@ -686,6 +687,7 @@ class Database
 /**
 * Removes "__@" prefix and @__ suffix added by Database::escape_string()
+ * See #7440 for more info
 * @param string $query
 * @return mixed
 */
diff --git a/main/inc/lib/internationalization.lib.php b/main/inc/lib/internationalization.lib.php
index 2ab6ee5ca5..39c8f00c5c 100755
--- a/main/inc/lib/internationalization.lib.php
+++ b/main/inc/lib/internationalization.lib.php
@@ -571,6 +571,10 @@ function api_get_utc_datetime($time = null, $return_null_if_invalid_date = false
 }
 return gmdate('Y-m-d H:i:s');
 }
+ if (preg_match('/__@(.*)@__/', $time)) {
+ // unfilter special security fix for SQL injection, see Database::fixQuery()
+ $time = str_replace(array("__@","@__"), "", $time);
+ }
 // If time is a timestamp, return directly in utc
 if (is_numeric($time)) {
 $time = intval($time);
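Review bot: The added comment in escape_string only points at a ticket, while the invariant that the `__@…@__` wrapping creates is stated nowhere, and the third hunk of this same patch shows what happens when a caller breaks it (the markers leak into a date value). I would replace `// See #7440 for more info` with a comment that states the contract, along the lines of `// When $addFix is true the result is wrapped in __@…@__ markers that Database::fixQuery() removes, so it MUST only be interpolated into a query string that goes through fixQuery() and must never be reused as plain data (see #7440).` How fixQuery turns the markers into protection for unquoted interpolation is not visible here, and the markers are a fixed literal, so input that itself contains `__@` or `@__` is presumably altered by the strip rather than exploitable; both points are worth confirming against fixQuery's body. escape_string's body also continues past the end of this hunk.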
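Review bot: The fixQuery docblock still declares `@return mixed` and describes the markers as a single prefix and suffix, whereas a query built from several escaped values carries one `__@…@__` pair per value, and this patch's third hunk reimplements the strip by hand because the contract is not pinned down here. I would change the description to `Removes every __@ / @__ marker pair that Database::escape_string() wraps around escaped values; must be applied to the complete SQL string before it is executed` and narrow the tag to `@return string`, provided that is indeed what the function returns. The function body is outside this hunk, so the return type and whether all occurrences or only the outermost pair are removed cannot be checked from the diff.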
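Review bot: The marker strip added at the top of api_get_utc_datetime papers over a layering bug rather than fixing it: a value only carries `__@`/`@__` if a caller ran Database::escape_string() on a date before converting it, and that caller should convert first and escape the converted result, otherwise any other escaping escape_string applied (its body is outside this patch) still arrives in the value untouched. If the workaround stays, the `preg_match` guard is redundant because str_replace is a no-op when no marker is present, and `.` in `/__@(.*)@__/` does not cross newlines, so a multi-line value would skip the strip entirely. I would reduce the four new lines to `$time = str_replace(array('__@', '@__'), '', $time); // caller passed an already-escaped value (see Database::fixQuery()); TODO escape after conversion at the call sites and drop this` so the behaviour is the same regardless of input shape. The enclosing function continues outside the hunk, so whether $time can reach this point as something other than a string or int is not visible here.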