From 933292553d98d9ab746da989fd18f2e0c61e2842 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Lucas?=
Date: Wed, 14 Oct 2015 17:46:59 +0200
Subject: [PATCH] Add a check for a altered database id in the query.

Fixes the problem reported in the issue but there may be a lot more to do.

fix #216
---
 base.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/base.php b/base.php
index 0816fce..8d9aa06 100644
--- a/base.php
+++ b/base.php
@@ -1264,6 +1264,9 @@ abstract class Base
 global $config;
 if (self::isMultipleDatabaseEnabled ()) {
 if (is_null ($database)) $database = GetUrlParam (DB, 0);
+ if (!is_null($database) && !preg_match('/^\d+$/', $database)) {
+ return self::error ($database);
+ }
 $array = array_keys ($config['calibre_directory']);
 return $array[$database];
 }
@@ -1274,6 +1277,9 @@ abstract class Base
 global $config;
 if (self::isMultipleDatabaseEnabled ()) {
 if (is_null ($database)) $database = GetUrlParam (DB, 0);
+ if (!is_null($database) && !preg_match('/^\d+$/', $database)) {
+ return self::error ($database);
+ }
 $array = array_values ($config['calibre_directory']);
 return $array[$database];
 }
@@ -1285,11 +1291,11 @@ abstract class Base
 return self::getDbDirectory ($database) .'metadata.db';
 }
 
- private static function error () {
+ private static function error ($database) {
 if (php_sapi_name() != "cli") {
 header("location: checkconfig.php?err=1");
 }
- throw new Exception('Database not found.');
+ throw new Exception("Database <{$database}> not found.");
 }

 public static function getDb ($database = NULL) {
@@ -1301,10 +1307,10 @@ abstract class Base
 self::$db->sqliteCreateFunction ('normAndUp', 'normAndUp', 1);
 }
 } else {
- self::error ();
+ self::error ($database);
 }
 } catch (Exception $e) {
- self::error ();
+ self::error ($database);
 }
 }
 return self::$db;
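Review bot: The check added in the hunk at -1264 accepts any all-digit value, including one with no entry in `$config['calibre_directory']`, so `$array[$database]` on the last context line can still be indexed with an unknown id and yield null with an undefined-offset notice instead of going through `error()`; the same applies to the hunk at -1274. The pattern also lacks the `D` modifier, so `$` matches before a trailing newline and a value such as "1\n" passes the regex. I would tighten the pattern to `'/^\d+$/D'` and, after `$array` is built, add `if (!isset($array[$database])) { return self::error ($database); }`. The function containing this hunk starts before it, so how `$database` is supplied when it is not null is not visible here.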
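Review bot: The new message on the `throw` line interpolates `$database` verbatim, and after this commit that value is precisely the request input that just failed validation, so wherever the exception text is displayed or logged without encoding it reflects attacker-controlled content. I would keep the raw value out of the message (log it separately and keep the message generic), or encode it if it must appear in HTML error output, e.g. `throw new Exception('Database <' . htmlspecialchars((string) $database, ENT_QUOTES, 'UTF-8') . '> not found.');`. The newly required parameter also breaks any caller of `error()` outside this diff that still passes no argument; if such callers exist, give it a default with `private static function error ($database = NULL) {`.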
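Review bot: In the `catch (Exception $e)` branch the new `self::error ($database);` call discards `$e`, so the actual cause of the failure (an open error on the file, or the exception already thrown by the `else` branch above) is hidden behind the generic not-found message, which makes a failure with a valid id hard to diagnose. Passing the caught exception along as the previous exception, e.g. `new Exception("Database <{$database}> not found.", 0, $e)` inside `error()`, or at least logging `$e->getMessage()` before re-raising, would preserve it. Note also that `$database` can be null here when the caller relied on the `NULL` default, so the message then reads `Database <> not found.`. `getDb` begins in the previous hunk and its closing brace lies beyond this one.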