- do not allow raw SQL through array[SQL] in db lib

- don't make sql request on invalid arguments in password reset form

Author: Marius Burkard

interface/lib/classes/db_mysql.inc.php

@@ -171,14 +171,10 @@ public function _build_query_string($sQuery = '') {
 					} elseif(is_null($sValue) || (is_string($sValue) && (strcmp($sValue, '#NULL#') == 0))) {
 						$sTxt = 'NULL';
 					} elseif(is_array($sValue)) {
-						if(isset($sValue['SQL'])) {
-							$sTxt = $sValue['SQL'];
-						} else {
-							$sTxt = '';
-							foreach($sValue as $sVal) $sTxt .= ',\'' . $this->escape($sVal) . '\'';
-							$sTxt = '(' . substr($sTxt, 1) . ')';
-							if($sTxt == '()') $sTxt = '(0)';
-						}
+						$sTxt = '';
+						foreach($sValue as $sVal) $sTxt .= ',\'' . $this->escape($sVal) . '\'';
+						$sTxt = '(' . substr($sTxt, 1) . ')';
+						if($sTxt == '()') $sTxt = '(0)';
 					} else {
 						$sTxt = '\'' . $this->escape($sValue) . '\'';
 					}
@@ -258,7 +254,7 @@ private function securityScan($string) {
 
 	private function _query($sQuery = '') {
 		global $app;
-		
+
 		$aArgs = func_get_args();
 
 		if ($sQuery == '') {
@@ -354,7 +350,7 @@ public function query($sQuery = '') {
 	 * @return array result row or NULL if none found
 	 */
 	public function queryOneRecord($sQuery = '') {
-		
+
 		$aArgs = func_get_args();
 		if(!empty($aArgs)) {
 			$sQuery = array_shift($aArgs);
@@ -363,7 +359,7 @@ public function queryOneRecord($sQuery = '') {
 		}
 		array_unshift($aArgs, $sQuery);
 		}
-  
+
 		$oResult = call_user_func_array([&$this, 'query'], $aArgs);
 		if(!$oResult) return null;
 
@@ -750,7 +746,7 @@ public function datalogInsert($tablename, $insert_data, $index_field) {
 			foreach($insert_data as $key => $val) {
 				$key_str .= '??,';
 				$params[] = $key;
-				
+
 				$val_str .= '?,';
 				$v_params[] = $val;
 			}
@@ -764,7 +760,7 @@ public function datalogInsert($tablename, $insert_data, $index_field) {
 			$this->query("INSERT INTO ?? $insert_data_str", $tablename);
 			$app->log("deprecated use of passing values to datalogInsert() - table " . $tablename, 1);
 		}
-		
+
 		$old_rec = array();
 		$index_value = $this->insertID();
 		if(!$index_value && isset($insert_data[$index_field])) {
@@ -1112,7 +1108,7 @@ public function mapType($metaType, $typeValue) {
 	 * @access public
 	 * @return string 'mariadb' or string 'mysql'
 	 */
-	
+
 	public function getDatabaseType() {
 		$tmp = $this->queryOneRecord('SELECT VERSION() as version');
 		if(stristr($tmp['version'],'mariadb')) {
@@ -1140,7 +1136,7 @@ public function getDatabaseVersion($major_version_only = false) {
 			return $version[0];
 		}
 	}
-	
+
 	/**
 	 * Get a mysql password hash
 	 *
@@ -1150,9 +1146,9 @@ public function getDatabaseVersion($major_version_only = false) {
 	 */
 
 	public function getPasswordHash($password) {
-		
+
 		$password_type = 'password';
-		
+
 		/* Disabled until caching_sha2_password is implemented
 		if($this->getDatabaseType() == 'mysql' && $this->getDatabaseVersion(true) >= 8) {
 			// we are in MySQL 8 mode
@@ -1162,16 +1158,16 @@ public function getPasswordHash($password) {
 			}
 		}
 		*/
-		
+
 		if($password_type == 'caching_sha2_password') {
 			/*
-				caching_sha2_password hashing needs to be implemented, have not 
+				caching_sha2_password hashing needs to be implemented, have not
 				found valid PHP implementation for the new password hash type.
 			*/
 		} else {
 			$password_hash = '*'.strtoupper(sha1(sha1($password, true)));
 		}
-		
+
 		return $password_hash;
 	}
 

interface/web/login/password_reset.php

@@ -47,7 +47,7 @@
 $app->tpl->setVar($wb);
 $continue = true;
 
-if(isset($_POST['username']) && $_POST['username'] != '' && $_POST['email'] != '' && $_POST['username'] != 'admin') {
+if(isset($_POST['username']) && is_string($_POST['username']) && $_POST['username'] != '' && isset($_POST['email']) && is_string($_POST['email']) && $_POST['email'] != '' && $_POST['username'] != 'admin') {
 	if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) {
 		$app->tpl->setVar("error", $wb['user_regex_error']);
 		$continue = false;
@@ -60,11 +60,13 @@
 	$username = $_POST['username'];
 	$email = $_POST['email'];
 
-	$client = $app->db->queryOneRecord("SELECT client.*, sys_user.lost_password_function, sys_user.lost_password_hash, IF(sys_user.lost_password_reqtime IS NOT NULL AND DATE_SUB(NOW(), INTERVAL 15 MINUTE) < sys_user.lost_password_reqtime, 1, 0) as `lost_password_wait` FROM client,sys_user WHERE client.username = ? AND client.email = ? AND client.client_id = sys_user.client_id", $username, $email);
+	if($continue) {
+		$client = $app->db->queryOneRecord("SELECT client.*, sys_user.lost_password_function, sys_user.lost_password_hash, IF(sys_user.lost_password_reqtime IS NOT NULL AND DATE_SUB(NOW(), INTERVAL 15 MINUTE) < sys_user.lost_password_reqtime, 1, 0) as `lost_password_wait` FROM client,sys_user WHERE client.username = ? AND client.email = ? AND client.client_id = sys_user.client_id", $username, $email);
+	}
 
-	if($client['lost_password_function'] == 0) {
+	if($client && $client['lost_password_function'] == 0) {
 		$app->tpl->setVar("error", $wb['lost_password_function_disabled_txt']);
-	} elseif($client['lost_password_wait'] == 1) {
+	} elseif($client && $client['lost_password_wait'] == 1) {
 		$app->tpl->setVar("error", $wb['lost_password_function_wait_txt']);
 	} elseif ($continue) {
 		if($client['client_id'] > 0) {
@@ -111,7 +113,7 @@
 		$app->tpl->setVar("error", $wb['user_regex_error']);
 		$continue = false;
 	}
-	
+
 	$username = $_GET['username'];
 	$hash = $_GET['hash'];
 
@@ -127,7 +129,7 @@
 		if($client['client_id'] > 0) {
 			$server_config_array = $app->getconf->get_global_config();
 			$min_password_length = $app->auth->get_min_password_length();
-			
+
 			$new_password = $app->auth->get_random_password($min_password_length, true);
 			$new_password_encrypted = $app->auth->crypt_password($new_password);
 

server/lib/classes/cron.d/300-quota_notify.inc.php

@@ -250,7 +250,7 @@ public function onRunJob() {
 
 						//* Send quota notifications
 						if(($web_config['overquota_notify_admin'] == 'y' || $web_config['overquota_notify_client'] == 'y') && $send_notification == true) {
-							$app->dbmaster->datalogUpdate('web_domain', array("last_quota_notification" => array("SQL" => "CURDATE()")), 'domain_id', $rec['domain_id']);
+							$app->dbmaster->datalogUpdate('web_domain', array("last_quota_notification" => date('Y-m-d')), 'domain_id', $rec['domain_id']);
 
 							$placeholders = array('{domain}' => $rec['domain'],
 								'{admin_mail}' => ($global_config['admin_mail'] != ''? $global_config['admin_mail'] : 'root'),
@@ -379,7 +379,7 @@ public function onRunJob() {
 						elseif($mail_config['overquota_notify_freq'] > 0 && $rec['notified_before'] >= $mail_config['overquota_notify_freq']) $send_notification = true;
 
 						if(($mail_config['overquota_notify_admin'] == 'y' || $mail_config['overquota_notify_client'] == 'y') && $send_notification == true) {
-							$app->dbmaster->datalogUpdate('mail_user', array("last_quota_notification" => array("SQL" => "CURDATE()")), 'mailuser_id', $rec['mailuser_id']);
+							$app->dbmaster->datalogUpdate('mail_user', array("last_quota_notification" => date('Y-m-d')), 'mailuser_id', $rec['mailuser_id']);
 
 							$placeholders = array('{email}' => $rec['email'],
 								'{admin_mail}' => ($global_config['admin_mail'] != ''? $global_config['admin_mail'] : 'root'),
@@ -466,7 +466,7 @@ public function onRunJob() {
 
 									//* Send quota notifications
 									if(($web_config['overquota_db_notify_admin'] == 'y' || $web_config['overquota_db_notify_client'] == 'y') && $send_notification == true) {
-										$app->dbmaster->datalogUpdate('web_database', array("last_quota_notification" => array("SQL" => "CURDATE()")), 'database_id', $rec['database_id']);
+										$app->dbmaster->datalogUpdate('web_database', array("last_quota_notification" => date('Y-m-d')), 'database_id', $rec['database_id']);
 										$placeholders = array(
 											'{database_name}' => $rec['database_name'],
 											'{admin_mail}' => ($global_config['admin_mail'] != ''? $global_config['admin_mail'] : 'root'),

server/lib/classes/db_mysql.inc.php

@@ -171,14 +171,10 @@ public function _build_query_string($sQuery = '') {
 					} elseif(is_null($sValue) || (is_string($sValue) && (strcmp($sValue, '#NULL#') == 0))) {
 						$sTxt = 'NULL';
 					} elseif(is_array($sValue)) {
-						if(isset($sValue['SQL'])) {
-							$sTxt = $sValue['SQL'];
-						} else {
-							$sTxt = '';
-							foreach($sValue as $sVal) $sTxt .= ',\'' . $this->escape($sVal) . '\'';
-							$sTxt = '(' . substr($sTxt, 1) . ')';
-							if($sTxt == '()') $sTxt = '(0)';
-						}
+						$sTxt = '';
+						foreach($sValue as $sVal) $sTxt .= ',\'' . $this->escape($sVal) . '\'';
+						$sTxt = '(' . substr($sTxt, 1) . ')';
+						if($sTxt == '()') $sTxt = '(0)';
 					} else {
 						$sTxt = '\'' . $this->escape($sValue) . '\'';
 					}
@@ -258,7 +254,7 @@ private function securityScan($string) {
 
 	private function _query($sQuery = '') {
 		global $app;
-		
+
 		$aArgs = func_get_args();
 
 		if ($sQuery == '') {
@@ -354,7 +350,7 @@ public function query($sQuery = '') {
 	 * @return array result row or NULL if none found
 	 */
 	public function queryOneRecord($sQuery = '') {
-		
+
 		$aArgs = func_get_args();
 		if(!empty($aArgs)) {
 			$sQuery = array_shift($aArgs);
@@ -363,7 +359,7 @@ public function queryOneRecord($sQuery = '') {
 		}
 		array_unshift($aArgs, $sQuery);
 		}
-  
+
 		$oResult = call_user_func_array([&$this, 'query'], $aArgs);
 		if(!$oResult) return null;
 
@@ -750,7 +746,7 @@ public function datalogInsert($tablename, $insert_data, $index_field) {
 			foreach($insert_data as $key => $val) {
 				$key_str .= '??,';
 				$params[] = $key;
-				
+
 				$val_str .= '?,';
 				$v_params[] = $val;
 			}
@@ -764,7 +760,7 @@ public function datalogInsert($tablename, $insert_data, $index_field) {
 			$this->query("INSERT INTO ?? $insert_data_str", $tablename);
 			$app->log("deprecated use of passing values to datalogInsert() - table " . $tablename, 1);
 		}
-		
+
 		$old_rec = array();
 		$index_value = $this->insertID();
 		if(!$index_value && isset($insert_data[$index_field])) {
@@ -1140,19 +1136,19 @@ public function getDatabaseVersion($major_version_only = false) {
 			return $version[0];
 		}
 	}
-	
+
 	/**
 	 * Get a mysql password hash
 	 *
 	 * @access public
 	 * @param string   cleartext password
 	 * @return string  Password hash
 	 */
-	
+
 	public function getPasswordHash($password) {
-		
+
 		$password_type = 'password';
-		
+
 		/* Disabled until caching_sha2_password is implemented
 		if($this->getDatabaseType() == 'mysql' && $this->getDatabaseVersion(true) >= 8) {
 			// we are in MySQL 8 mode
@@ -1162,16 +1158,16 @@ public function getPasswordHash($password) {
 			}
 		}
 		*/
-		
+
 		if($password_type == 'caching_sha2_password') {
 			/*
-				caching_sha2_password hashing needs to be implemented, have not 
+				caching_sha2_password hashing needs to be implemented, have not
 				found valid PHP implementation for the new password hash type.
 			*/
 		} else {
 			$password_hash = '*'.strtoupper(sha1(sha1($password, true)));
 		}
-		
+
 		return $password_hash;
 	}