Bugfix: SQL injection in custom field enum/set types

Reported by Peng Zhou @zpbrent

Bugfix: SQL injection in custom field enum/set types
16e7a94f · Gary Allan · 470a175f · 16e7a94f · 16e7a94f
Unverified Commit 16e7a94f authored Mar 5, 2023 by Gary Allan
--- a/functions/classes/class.Admin.php
+++ b/functions/classes/class.Admin.php
@@ -673,7 +673,7 @@ class Admin extends Common_functions {
 	    # set type definition and size of needed
 	    if($field['fieldType']=="bool" || $field['fieldType']=="text" || $field['fieldType']=="date" || $field['fieldType']=="datetime")	{ $field['ftype'] = $field['fieldType']; }
-	    else																																{ $field['ftype'] = $field['fieldType']."(".$field['fieldSize'].")"; }
+	    else																																{ $field['ftype'] = $field['fieldType']."( :enumset )"; }
 	    # default value null
 	    $field['fieldDefault'] = is_blank($field['fieldDefault']) ? NULL : $field['fieldDefault'];
@@ -709,6 +709,7 @@ class Admin extends Common_functions {
 	    $params = array();
 	    if (strpos($query, ":default")>0)	$params['default'] = $field['fieldDefault'];
 	    if (strpos($query, ":comment")>0)	$params['comment'] = $field['Comment'];
+	    if (strpos($query, ":enumset")>0)	$params['enumset'] = $field['fieldSize'];
 		# execute
 		try { $res = $this->Database->runQuery($query, $params); }

--- a/misc/CHANGELOG
+++ b/misc/CHANGELOG
@@ -7,6 +7,7 @@
    Security Fixes:
    ----------------------------
+    + SQL injection in custom field enum/set types;
    + XSS (reflected) in 'bw-calulator-result.php';
    + XSS (reflected) by invalid email address response;
    + XSS (reflected) by /app/tools/subnet-masks/popup.php (#3738);