bug 1273: replace backtick operators with shell_exec
author Felix Dörre <felix@dogcraft.de>
Sun, 15 Jun 2014 08:39:04 +0000 (10:39 +0200)
committer Felix Dörre <felix@dogcraft.de>
Sun, 15 Jun 2014 08:59:31 +0000 (10:59 +0200)
commit b6ee5404b9dcc3df6ace5f640f522118d18b818d
tree eae5a40733cde853c993588bee9a1420bbbc9b3d
parent 6d0f414854b2c1aa1da9ec49889ac9bb3b69b966
bug 1273: replace backtick operators with shell_exec

+ fix 1 missing escapeshellarg
Commands used to locate:
1.
find includes -type f -name '*.php' -exec cat {} \; \
| tr '\n' '?' | sed 's/\(\$query .\?= \|\
mysql_query(\|query_init (\)"\([^"]\|".\(\(intval\|mysql_real_escape_string\)\
(\$[^\$)]\+)\|\$_SESSION\(\['_config'\]\['user'\]\['Q[1-5]'\]\
\|['_config']['disablelogin']\)\)[ ?]*."\)*"/mysql-substitute/g'\
| tr '?' '\n' |  grep --color=always "\`"|less -r

and reviewing the queries by hand.

This command replaces strings that obviously look
like sql_queries and then outputs all remaining backticks:

starting with "$query = ,mysql_query, ..."
and are only interrupted by "safe" calls:
- mysql_real_escape_string
- intval
- pre_escaped session variables

(This command may also be used for locating
 badly escaped sql_queries)

2. grep -r "\`\(grep\|/\|echo\|dig\|openssl\|gpg\|rm\|../\)" www includes pages \
| grep -v '\(from\|update\|into\) `gpg'
includes/account.php
includes/general.php
pages/account/15.php
pages/account/19.php
pages/account/23.php
pages/account/6.php
www/api/ccsr.php
www/gpg.php
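
Added example, not part of the commit or the project's code: a Python scanner for the locating step described in the commit message. Instead of substituting away SQL-looking strings with sed, it tracks PHP string and comment state, so backticks used as SQL identifier quotes are skipped and only execution operators are reported, with a flag for commands that interpolate a variable. The function name and the sample PHP are constructed for illustration; heredocs and inline HTML are not handled.

```python
# Added example: report PHP backtick (shell execution) operators while
# ignoring backticks inside quoted strings (SQL identifiers) and comments.

# Constructed sample input, not code from the project.
SAMPLE_PHP = r'''<?php
// constructed sample
$query = "select * from `gpg` where `memid`='".intval($id)."'";
$res = mysql_query("update `users` set `x`=1");
$out = `echo $csr | openssl req -noout -text`;
$note = 'a `quoted` word';
/* old: `rm -f $tmp` */
$host = `dig +short example.org`;
'''

def find_shell_backticks(src):
    """Return [(line, command, interpolates_variable)] per backtick operator."""
    hits, state, start, i = [], "code", 0, 0
    closers = {"sq": "'", "dq": '"', "bt": "`"}
    while i < len(src):
        ch, two = src[i], src[i:i + 2]
        if state == "code":
            if two == "//" or ch == "#":
                state = "line_comment"
            elif two == "/*":
                state, i = "block_comment", i + 1
            elif ch == "'":
                state = "sq"
            elif ch == '"':
                state = "dq"
            elif ch == "`":
                state, start = "bt", i      # execution operator opens here
        elif state == "line_comment":
            if ch == "\n":
                state = "code"
        elif state == "block_comment":
            if two == "*/":
                state, i = "code", i + 1
        elif ch == "\\":
            i += 1                          # skip the escaped character
        elif ch == closers[state]:
            if state == "bt":
                cmd = src[start + 1:i]
                # "$" inside the command means a variable reaches the shell
                hits.append((src.count("\n", 0, start) + 1, cmd, "$" in cmd))
            state = "code"
        i += 1
    return hits

if __name__ == "__main__":
    for line, cmd, tainted in find_shell_backticks(SAMPLE_PHP):
        print(line, "VARIABLE" if tainted else "constant", cmd)
```

Hits flagged as interpolating a variable are the ones to review for a missing escapeshellarg when the operator is rewritten as a shell_exec call.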