diff --git a/includes/database/database.inc b/includes/database/database.inc
index 4539b37..520aedb 100644
--- a/includes/database/database.inc
+++ b/includes/database/database.inc
@@ -541,6 +541,20 @@ abstract class DatabaseConnection extends PDO {
   }
 
   /**
+   * Process a query comment string and ensure it does not include strings that
+   * might terminate the comment early.
+   *
+   * @param $string
+   *   The query comment string.
+   *
+   * @return
+   *   A cleaned up version of the query comment string.
+   */
+  public function filterComment($string = '') {
+    return preg_replace('/(\/\*\s*)|(\s*\*\/)/', '', $string);
+  }
+
+  /**
    * Executes a query string against the database.
    *
    * This method provides a central handler for the actual execution of every
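Review bot: filterComment() at lines 18-20 removes `/*` and `*/` in a single preg_replace pass, so the output can still contain a terminator formed by the characters left on either side of a removed match, and nothing prevents the caller's own `*/` wrapper from being stripped when the wrapped string is passed in. Neutralising the one character that can close a block comment is more robust than deleting delimiter sequences: `return strtr($string, array('*' => ' * '));` guarantees `*/` cannot appear in the result for any input. The docblock should also state that the parameter is the bare comment text, not the already-wrapped `/* ... */` string, and that `@return` is a string. The enclosing class continues outside the hunk.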
diff --git a/includes/database/mysql/query.inc b/includes/database/mysql/query.inc
index f7fb52f..03040f8 100644
--- a/includes/database/mysql/query.inc
+++ b/includes/database/mysql/query.inc
@@ -44,6 +44,8 @@ class InsertQuery_mysql extends InsertQuery {
   public function __toString() {
     // Create a comments string to prepend to the query.
     $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Sanitise the comment string so as to avoid SQL injection attacks.
+    $comments = $this->connection->filterComment($comments);
 
     // Default fields are always placed first for consistency.
     $insert_fields = array_merge($this->defaultFields, $this->insertFields);
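Review bot: The call added on line 35 filters the string built on line 33 after it has been wrapped, and filterComment() strips exactly the `/* ` and ` */` that line 33 added, so the comment text is emitted inline in the SQL instead of inside a comment; the same ordering appears in every other `__toString()` hunk in this diff (mysql TruncateQuery, pgsql InsertQuery, query.inc Insert/Delete/Truncate/Update, select.inc, sqlite Insert/Truncate). Filter the joined text and wrap afterwards: `$comments = (!empty($this->comments)) ? '/* ' . $this->connection->filterComment(implode('; ', $this->comments)) . ' */ ' : '';`. The comment on line 34 then describes what the line actually does. `__toString()` continues past the end of the hunk.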
@@ -94,6 +96,8 @@ class TruncateQuery_mysql extends TruncateQuery {
     if ($this->connection->inTransaction()) {
       // Create a comments string to prepend to the query.
       $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+      // Sanitise the comment string so as to avoid SQL injection attacks.
+      $comments = $this->connection->filterComment($comments);
       return $comments . 'DELETE FROM {' . $this->connection->escapeTable($this->table) . '}';
     }
     else {
diff --git a/includes/database/pgsql/query.inc b/includes/database/pgsql/query.inc
index fe7909e..7bbc7c2 100644
--- a/includes/database/pgsql/query.inc
+++ b/includes/database/pgsql/query.inc
@@ -105,6 +105,8 @@ class InsertQuery_pgsql extends InsertQuery {
   public function __toString() {
     // Create a comments string to prepend to the query.
     $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Sanitise the comment string so as to avoid SQL injection attacks.
+    $comments = $this->connection->filterComment($comments);
 
     // Default fields are always placed first for consistency.
     $insert_fields = array_merge($this->defaultFields, $this->insertFields);
diff --git a/includes/database/query.inc b/includes/database/query.inc
index 7f3e9ff..4a5c8e0 100644
--- a/includes/database/query.inc
+++ b/includes/database/query.inc
@@ -361,6 +361,9 @@ abstract class Query implements QueryPlaceholderInterface {
    * for easier debugging and allows you to more easily find where a query
    * with a performance problem is being generated.
    *
+   * The comment string will be sanitized to remove * / and other characters
+   * that may terminate the string early so as to avoid SQL injection attacks.
+   *
    * @param $comment
    *   The comment string to be inserted into the query.
    *
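Review bot: The added paragraph on lines 69-70 says that `* /` "and other characters" are removed, but filterComment() in database.inc only strips `/*` and `*/` sequences, so the docblock overstates what callers get. Either match the implementation — `The comment text is passed through DatabaseConnection::filterComment() so that it cannot terminate the enclosing /* */ block early.` — or keep the wording implementation-neutral and reference the filtering method. The `comment()` signature and body are outside this hunk.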
@@ -626,6 +629,8 @@ class InsertQuery extends Query {
 
     // Create a comments string to prepend to the query.
     $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Sanitise the comment string so as to avoid SQL injection attacks.
+    $comments = $this->connection->filterComment($comments);
 
     // Default fields are always placed first for consistency.
     $insert_fields = array_merge($this->defaultFields, $this->insertFields);
@@ -818,6 +823,8 @@ class DeleteQuery extends Query implements QueryConditionInterface {
 
     // Create a comments string to prepend to the query.
     $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Sanitise the comment string so as to avoid SQL injection attacks.
+    $comments = $this->connection->filterComment($comments);
 
     $query = $comments . 'DELETE FROM {' . $this->connection->escapeTable($this->table) . '} ';
 
@@ -886,6 +893,8 @@ class TruncateQuery extends Query {
   public function __toString() {
     // Create a comments string to prepend to the query.
     $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Sanitise the comment string so as to avoid SQL injection attacks.
+    $comments = $this->connection->filterComment($comments);
 
     return $comments . 'TRUNCATE {' . $this->connection->escapeTable($this->table) . '} ';
   }
@@ -1114,6 +1123,8 @@ class UpdateQuery extends Query implements QueryConditionInterface {
 
     // Create a comments string to prepend to the query.
     $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Sanitise the comment string so as to avoid SQL injection attacks.
+    $comments = $this->connection->filterComment($comments);
 
     // Expressions take priority over literal fields, so we process those first
     // and remove any literal fields that conflict.
diff --git a/includes/database/select.inc b/includes/database/select.inc
index 6e4b0dc..4551054 100644
--- a/includes/database/select.inc
+++ b/includes/database/select.inc
@@ -1442,6 +1442,8 @@ class SelectQuery extends Query implements SelectQueryInterface {
 
     // Create a comments string to prepend to the query.
     $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Sanitise the comment string so as to avoid SQL injection attacks.
+    $comments = $this->connection->filterComment($comments);
 
     // SELECT
     $query = $comments . 'SELECT ';
diff --git a/includes/database/sqlite/query.inc b/includes/database/sqlite/query.inc
index d456afa..dd490cf 100644
--- a/includes/database/sqlite/query.inc
+++ b/includes/database/sqlite/query.inc
@@ -34,6 +34,8 @@ class InsertQuery_sqlite extends InsertQuery {
   public function __toString() {
     // Create a comments string to prepend to the query.
     $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Sanitise the comment string so as to avoid SQL injection attacks.
+    $comments = $this->connection->filterComment($comments);
 
     // Produce as many generic placeholders as necessary.
     $placeholders = array_fill(0, count($this->insertFields), '?');
@@ -150,6 +152,8 @@ class TruncateQuery_sqlite extends TruncateQuery {
   public function __toString() {
     // Create a comments string to prepend to the query.
     $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Sanitise the comment string so as to avoid SQL injection attacks.
+    $comments = $this->connection->filterComment($comments);
 
     return $comments . 'DELETE FROM {' . $this->connection->escapeTable($this->table) . '} ';
   }
diff --git a/modules/simpletest/tests/database_test.test b/modules/simpletest/tests/database_test.test
index 2a086ce..5e2e87f 100644
--- a/modules/simpletest/tests/database_test.test
+++ b/modules/simpletest/tests/database_test.test
@@ -1310,6 +1310,27 @@ class DatabaseSelectTestCase extends DatabaseTestCase {
   }
 
   /**
+   * Test query COMMENT system against vulnerabilities.
+   */
+  function testVulnerableComment() {
+    $query = db_select('test')->comment('Testing query comments */ SELECT nid FROM {node}; --');
+    $name_field = $query->addField('test', 'name');
+    $age_field = $query->addField('test', 'age', 'age');
+    $result = $query->execute();
+
+    $num_records = 0;
+    foreach ($result as $record) {
+      $num_records++;
+    }
+
+    $query = (string)$query;
+    $expected = "/* Testing query comments SELECT nid FROM {node}; -- */ SELECT test.name AS name, test.age AS age\nFROM \n{test} test";
+
+    $this->assertEqual($num_records, 4, t('Returned the correct number of rows.'));
+    $this->assertEqual($query, $expected, t('The flattened query contains the sanitised comment string.'));
+  }
+
+  /**
    * Test basic conditionals on SELECT statements.
    */
   function testSimpleSelectConditional() {
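Review bot: `$name_field` and `$age_field` on lines 158-159 are assigned but never read; call `addField()` for its side effect and drop the assignments. The expected string on line 168 assumes the `/* ... */` delimiters survive filtering, which depends on the order of wrapping and filtering in the `__toString()` hunks rather than on filterComment() itself, so a direct assertion such as `$this->assertEqual($this->connection->filterComment('a */ b'), 'a b', ...)` would pin the sanitiser's contract independently of query assembly. `testSimpleSelectConditional()` continues outside the hunk.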
