Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #2357249 by Stefan Horst, greggles, larowlan, David_Rothstein, klausi: Fixed SA-CORE-2014-005 (SQL injection).

8.0.x 8.0.0-beta2
Nathaniel Catchpole 2014-10-15 17:39:53 +01:00
parent 5564d2cd94
commit 19b32a3ab4
2 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/lib/Drupal/Core/Database/Connection.php
View File

@ -596,7 +596,7 @@ abstract class Connection implements \Serializable {
// to expand it out into a comma-delimited set of placeholders. // to expand it out into a comma-delimited set of placeholders.
foreach (array_filter($args, 'is_array') as $key => $data) { foreach (array_filter($args, 'is_array') as $key => $data) {
$new_keys = array(); $new_keys = array();
foreach ($data as $i => $value) { foreach (array_values($data) as $i => $value) {
// This assumes that there are no other placeholders that use the same // This assumes that there are no other placeholders that use the same
// name. For example, if the array placeholder is defined as :example // name. For example, if the array placeholder is defined as :example
// and there is already an :example_2 placeholder, this will generate // and there is already an :example_2 placeholder, this will generate

30
core/modules/system/src/Tests/Database/QueryTest.php
View File

@ -7,6 +7,8 @@
namespace Drupal\system\Tests\Database; namespace Drupal\system\Tests\Database;
use Drupal\Core\Database\DatabaseExceptionWrapper;
/** /**
* Tests Drupal's extended prepared statement syntax.. * Tests Drupal's extended prepared statement syntax..
* *
@ -21,4 +23,32 @@ class QueryTest extends DatabaseTestBase {
$this->assertEqual(count($names), 3, 'Correct number of names returned'); $this->assertEqual(count($names), 3, 'Correct number of names returned');
} }
/**
* Tests SQL injection via database query array arguments.
*/
public function testArrayArgumentsSQLInjection() {
// Attempt SQL injection and verify that it does not work.
$condition = array(
"1 ;INSERT INTO {test} SET name = 'test12345678'; -- " => '',
'1' => '',
);
try {
db_query("SELECT * FROM {test} WHERE name = :name", array(':name' => $condition))->fetchObject();
$this->fail('SQL injection attempt via array arguments should result in a database exception.');
}
catch (DatabaseExceptionWrapper $e) {
$this->pass('SQL injection attempt via array arguments should result in a database exception.');
}
// Test that the insert query that was used in the SQL injection attempt did
// not result in a row being inserted in the database.
$result = db_select('test')
->condition('name', 'test12345678')
->countQuery()
->execute()
->fetchField();
$this->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');
}
} }