Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions lib/private/Setup/PostgreSQL.php
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,10 @@ private function createDBUser(IDBConnection $connection) {
// create the user
$query = $connection->prepare("CREATE USER " . addslashes($this->dbUser) . " CREATEDB PASSWORD '" . addslashes($this->dbPassword) . "'");
$query->execute();
if ($this->databaseExists($connection)) {
$query = $connection->prepare('GRANT CONNECT ON DATABASE ' . addslashes($this->dbName) . ' TO '.addslashes($this->dbUser));

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that this is using ->prepare, shouldn't this be using ? and arguments instead of addslashes?
(https://www.php.net/addslashes -- "The addslashes() is sometimes incorrectly used to try to prevent SQL Injection. Instead, database-specific escaping functions and/or prepared statements should be used.")

I think this is one of the roots of what's being discussed over in docker-library/official-images#6252 (comment) (in PostgreSQL, - needs to be escaped, but addslashes won't do so, for example).

$query->execute();
}
} catch (DatabaseException $e) {
$this->logger->error('Error while trying to create database user');
$this->logger->logException($e);
Expand Down