From 185ef241721489ba179bd11567f57ec9e9d83999 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Tue, 16 Feb 2021 13:42:52 -0800
Subject: [PATCH] (security/core#105) Joomla::checkUserNameEmailExists - Fix mismatched escaping

This uses the escaping rule from CRM_Core_DAO to construct a query for JDatabaseDriver. However, they use different connections and (therefore) could require different escaping rules.
---
 CRM/Utils/System/Joomla.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/CRM/Utils/System/Joomla.php b/CRM/Utils/System/Joomla.php
index 7651aeb823..14245c28a8 100644
--- a/CRM/Utils/System/Joomla.php
+++ b/CRM/Utils/System/Joomla.php
@@ -105,9 +105,8 @@ class CRM_Utils_System_Joomla extends CRM_Utils_System_Base {
 public function checkUserNameEmailExists(&$params, &$errors, $emailName = 'email') {
 $config = CRM_Core_Config::singleton();
- $dao = new CRM_Core_DAO();
- $name = $dao->escape(CRM_Utils_Array::value('name', $params));
- $email = $dao->escape(CRM_Utils_Array::value('mail', $params));
+ $name = CRM_Utils_Array::value('name', $params);
+ $email = CRM_Utils_Array::value('mail', $params);
 //don't allow the special characters and min. username length is two
 //regex \\ to match a single backslash would become '/\\\\/'
 $isNotValid = (bool) preg_match('/[\<|\>|\"|\'|\%|\;|\(|\)|\&|\\\\|\/]/im', $name);
@@ -123,7 +122,7 @@ class CRM_Utils_System_Joomla extends CRM_Utils_System_Base {
 $query->from($JUserTable->getTableName());
 // LOWER in query below roughly translates to 'hurt my database without deriving any benefit' See CRM-19811.
- $query->where('(LOWER(username) = LOWER(\'' . $name . '\')) OR (LOWER(email) = LOWER(\'' . $email . '\'))');
+ $query->where('(LOWER(username) = LOWER(' . $db->quote($name) . ')) OR (LOWER(email) = LOWER(' . $db->quote($email) . '))');
 $db->setQuery($query, 0, 10);
 $users = $db->loadAssocList();
-- 
2.25.1
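Review bot: `$name` and `$email` in the first hunk now hold the unquoted request values, so any other use of them inside checkUserNameEmailExists (the body continues outside both hunks) must also go through `$db->quote()` or an equivalent; only the `where()` clause in the second hunk is updated here. Quoting through the driver that executes the query is the right fix, since CRM_Core_DAO's escaping belongs to CiviCRM's own connection, and a side effect worth noting is that the `preg_match` character check now runs on the raw input rather than on an already-escaped string. That intent deserves a comment above the new `where()` line, e.g. `// Quote with the Joomla driver: this query runs on Joomla's connection, not CiviCRM's.` `$db` is presumably assigned earlier in the function, outside the visible hunk.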