mahara-contributors team mailing list archive
Message #00219
[Bug 534172] Re: get_new_username() does not escape string used in SQL call
** Changed in: mahara
Status: Fix Committed => Fix Released
** Changed in: mahara/1.0
Status: Fix Committed => Fix Released
** Changed in: mahara/1.1
Status: Fix Committed => Fix Released
** Visibility changed to: Public
--
get_new_username() does not escape string used in SQL call
https://bugs.launchpad.net/bugs/534172
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Status in Mahara ePortfolio: Fix Released
Status in Mahara 1.0 series: Fix Released
Status in Mahara 1.1 series: Fix Released
Bug description:
Line 1217 in lib/user.php on master. The result of the call to substr is not escaped before being used in a SQL call. This means that if a user registers with a single quote in their name (such as Patty O'Furniture), a SQL error will be caused. This could allow someone to execute arbitrary SQL by specifying a name that begins with ';
A solution would be to use a placeholder in the offending SQL string.
Only affects Mahara 1.2 from the registration page, but the offending code is also used for xmlrpc functionality, which is present in earlier versions. In auth/xmlrpc/lib.php line 217 on master, if $remoteuser->username contained a single quote, the same problem would occur.
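As an added illustration, not Mahara's code and not part of the bug report, the following Python model shows the pattern the report describes: a username derived from the registrant's name is checked against the database by splicing it into the SQL text, which fails on Patty O'Furniture, beside the placeholder form the report recommends. The table and the counter-appending logic are simplified stand-ins, not Mahara's actual schema or implementation.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the users table (not Mahara's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usr (username TEXT UNIQUE NOT NULL)")
    conn.executemany("INSERT INTO usr (username) VALUES (?)",
                     [("pattyofurniture",), ("pattyofurniture1",)])
    return conn

def username_base(name, maxlen=30):
    """Derive a base username from a display name: lower-case, drop whitespace,
    truncate (the slice plays the role of substr). Apostrophes survive, which is
    exactly why the concatenated lookup below breaks."""
    return "".join(name.lower().split())[:maxlen]

def username_taken_unsafe(conn, username):
    """The pattern the report describes: the value is spliced into the SQL text."""
    sql = "SELECT 1 FROM usr WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone() is not None

def username_taken_safe(conn, username):
    """The suggested fix: a placeholder, so the driver passes the value separately."""
    row = conn.execute("SELECT 1 FROM usr WHERE username = ?", (username,)).fetchone()
    return row is not None

def get_new_username(conn, name, taken=username_taken_safe):
    """Simplified model of get_new_username(): append a counter until the name is free."""
    base = username_base(name)
    candidate, n = base, 1
    while taken(conn, candidate):
        candidate = f"{base}{n}"
        n += 1
    return candidate

def unsafe_lookup_errors(conn, name):
    """True if the concatenated query fails on this name (the SQL error the report mentions)."""
    try:
        username_taken_unsafe(conn, username_base(name))
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print(get_new_username(db, "Patty OFurniture"))    # pattyofurniture2
    print(get_new_username(db, "Patty O'Furniture"))   # pattyo'furniture
    print(unsafe_lookup_errors(db, "Patty O'Furniture"))  # True
```

The same placeholder fix applies to the xmlrpc path: a remote username with a quote in it reaches the query unchanged, so the lookup must bind it rather than concatenate it.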