Fix possible information leak - add more strict sql error check on user creation (#6125)

6 years ago · 0f06f58e52
parent 2eeb2c75df
commit 0f06f58e52
2 changed files with 10 additions and 8 deletions
--- a/1
+++ b/1
@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail
 ===========================

 - Fix bug where contacts search could skip some records (#6130)
+- Fix possible information leak - add more strict sql error check on user creation (#6125)

 RELEASE 1.3.4
 -------------
--- a/program/lib/Roundcube/rcube_user.php
+++ b/program/lib/Roundcube/rcube_user.php
@ -391,11 +391,14 @@ class rcube_user

        unset($data['user_id']);

-        $insert_cols = $insert_values = array();
+        $insert_cols   = array();
+        $insert_values = array();
+
        foreach ((array)$data as $col => $value) {
            $insert_cols[]   = $this->db->quote_identifier($col);
            $insert_values[] = $value;
        }
+
        $insert_cols[]   = $this->db->quote_identifier('user_id');
        $insert_values[] = $this->ID;

@ -403,8 +406,7 @@ class rcube_user
            " (`changed`, ".join(', ', $insert_cols).")".
            " VALUES (".$this->db->now().", ".join(', ', array_pad(array(), count($insert_values), '?')).")";

-        call_user_func_array(array($this->db, 'query'),
-            array_merge(array($sql), $insert_values));
+        $insert = $this->db->query($sql, $insert_values);

        // clear the cache
        $this->identities = array();
@ -611,7 +613,7 @@ class rcube_user
            return false;
        }

-        $dbh->query(
+        $insert = $dbh->query(
            "INSERT INTO ".$dbh->table_name('users', true).
            " (`created`, `last_login`, `username`, `mail_host`, `language`)".
            " VALUES (".$dbh->now().", ".$dbh->now().", ?, ?, ?)",
@ -619,7 +621,7 @@ class rcube_user
            $data['host'],
            $data['language']);

-        if ($user_id = $dbh->insert_id('users')) {
+        if ($dbh->affected_rows($insert) && ($user_id = $dbh->insert_id('users'))) {
            // create rcube_user instance to make plugin hooks work
            $user_instance = new rcube_user($user_id, array(
                'user_id'   => $user_id,
@ -836,9 +838,8 @@ class rcube_user
            ." (".join(', ', $insert_cols).")"
            ." VALUES (".join(', ', array_pad(array(), count($insert_values), '?')).")";

-        call_user_func_array(array($this->db, 'query'),
-            array_merge(array($sql), $insert_values));
+        $insert = $this->db->query($sql, $insert_values);

-        return $this->db->insert_id('searches');
+        return $this->db->affected_rows($insert) ? $this->db->insert_id('searches') : false;
    }
 }