Fix a security issue where text inputs in search queries were not quote-sanitized...
authorRobert Sesek <rsesek@bluestatic.org>
Fri, 27 Nov 2009 03:03:43 +0000 (22:03 -0500)
committerRobert Sesek <rsesek@bluestatic.org>
Fri, 27 Nov 2009 03:03:43 +0000 (22:03 -0500)
search.php

index e22c3b6bb79a2e5c3868db4deac12a955b66db6b..119b5388ece39c7c4ebf73952f51d69b453c9662 100644 (file)
@@ -188,6 +188,7 @@ if ($_REQUEST['do'] == 'process')
                                continue;
                        }
                        
+                       $word = str_replace("'", "\'", $word);
                        if ($bugsys->in['mode'] == MODE_ALL)
                        {
                                $querybuild['text'] .= " +$word";
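Review bot: The escape added on the first line of this hunk replaces only the single quote and leaves backslashes alone, so a word ending in `\'` becomes `\\'` — an escaped backslash followed by a live quote that still terminates the SQL literal. Because `$word` is concatenated into `$querybuild['text']` and presumably lands inside a quoted literal when the query is assembled (that assembly is outside the hunk), it should go through the database driver's escaping function rather than a hand-rolled replacement; the minimal drop-in that also covers `\`, `"` and NUL is `$word = addslashes($word);`. The second hunk repeats the same single-character escape for `$like` and has the same gap. The enclosing word loop and the `process` branch begin outside this hunk.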
@@ -345,7 +346,8 @@ if ($_REQUEST['do'] == 'process')
                        }
                        else if ($field['type'] == 'input_text')
                        {
-                               $querybuild[] = "AND bug.custom$field[fieldid] LIKE '%" . $bugsys->in["custom$field[fieldid]"] . "%'";
+                               $like = str_replace("'", "\'", $bugsys->in["custom$field[fieldid]"]);
+                               $querybuild[] = "AND bug.custom$field[fieldid] LIKE '%$like%'";
                        }
                        else if ($field['type'] == 'select_single' AND $bugsys->in["custom$field[fieldid]"] != -1)
                        {
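Review bot: The escaped value in `$like` is still interpolated between the two `%` wildcards, so a submitted `%` or `_` behaves as a LIKE metacharacter and widens the match instead of being searched for literally. If the intent is a plain substring match on the field text, escape the wildcards after the quote escaping, e.g. `$like = str_replace(['%', '_'], ['\%', '\_'], $like);`. This is a matching-correctness point rather than an injection, since the text stays inside the literal. The else-if chain over the custom fields continues outside the hunk.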