From 2d7e55a50366f24330d120db0faf3870bac2a171 Mon Sep 17 00:00:00 2001
From: Robert Sesek
Date: Thu, 26 Nov 2009 22:03:43 -0500
Subject: [PATCH] Fix a security issue where text inputs in search queries were not quote-sanitized. bug://report/185
---
 search.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/search.php b/search.php
index e22c3b6..119b538 100644
--- a/search.php
+++ b/search.php
@@ -188,6 +188,7 @@ if ($_REQUEST['do'] == 'process')
 continue;
 }
+ $word = str_replace("'", "\'", $word);
 if ($bugsys->in['mode'] == MODE_ALL)
 {
 $querybuild['text'] .= " +$word";
@@ -345,7 +346,8 @@ if ($_REQUEST['do'] == 'process')
 }
 else if ($field['type'] == 'input_text')
 {
- $querybuild[] = "AND bug.custom$field[fieldid] LIKE '%" . $bugsys->in["custom$field[fieldid]"] . "%'";
+ $like = str_replace("'", "\'", $bugsys->in["custom$field[fieldid]"]);
+ $querybuild[] = "AND bug.custom$field[fieldid] LIKE '%$like%'";
 }
 else if ($field['type'] == 'select_single' AND $bugsys->in["custom$field[fieldid]"] != -1)
 {
-- 
2.22.5
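Review bot: The added `$word = str_replace("'", "\'", $word);` only escapes the apostrophe, so a `$word` that already contains a backslash still breaks out of the quoted SQL string: the input `\'` becomes `\\'`, which the MySQL parser reads as an escaped backslash followed by an unescaped quote. Since `$word` is appended into `$querybuild['text']` (presumably an AGAINST('…') clause built outside this hunk), an attacker can still terminate the string literal and inject SQL. Escaping should go through the database driver, which handles backslashes, NUL bytes and the connection charset, e.g. `$word = mysql_real_escape_string($word);` — or the equivalent wrapper on `$bugsys->db` if the project provides one; a bound parameter would be better still. If the request layer already strips or adds slashes (magic_quotes era code), that should be confirmed so the value is not escaped twice. The loop this sits in starts before the hunk and its enclosing block continues after it.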
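Review bot: In the `input_text` branch the new `$like` still reaches the query unescaped against backslashes, so `str_replace("'", "\'", …)` can be bypassed with an input containing `\'` exactly as in the first hunk; this branch takes the value straight from `$bugsys->in[…]`, i.e. request data. Beyond quoting, the value is interpolated inside `LIKE '%…%'`, so user-supplied `%` and `_` act as wildcards and a bare `%` matches every row, which is at least a correctness surprise and, combined with the quoting bypass, still leaves injection. Suggested lines: `$like = mysql_real_escape_string($bugsys->in["custom$field[fieldid]"]);` followed by `$like = str_replace(array('%', '_'), array('\%', '\_'), $like);` (or the project's own DB escape wrapper in place of the driver call), keeping the `$querybuild[]` line as added. Whether `$field['fieldid']` is trusted is not visible here; it is interpolated into the column name and should come only from the database, not the request. The surrounding if/else chain and the function building `$querybuild` extend beyond the hunk.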