Fix possible information leak - add more strict sql error check on us…

…er creation (#6125)
roundcube · Jan 11, 2018 · 0f06f58 · 0f06f58
1 parent 2eeb2c7
commit 0f06f58
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 8 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail
 ===========================
 
 - Fix bug where contacts search could skip some records (#6130)
+- Fix possible information leak - add more strict sql error check on user creation (#6125)
 
 RELEASE 1.3.4
 -------------

diff --git a/program/lib/Roundcube/rcube_user.php b/program/lib/Roundcube/rcube_user.php
@@ -391,20 +391,22 @@ function insert_identity($data)
 
         unset($data['user_id']);
 
-        $insert_cols = $insert_values = array();
+        $insert_cols   = array();
+        $insert_values = array();
+
         foreach ((array)$data as $col => $value) {
             $insert_cols[]   = $this->db->quote_identifier($col);
             $insert_values[] = $value;
         }
+
         $insert_cols[]   = $this->db->quote_identifier('user_id');
         $insert_values[] = $this->ID;
 
         $sql = "INSERT INTO ".$this->db->table_name('identities', true).
             " (`changed`, ".join(', ', $insert_cols).")".
             " VALUES (".$this->db->now().", ".join(', ', array_pad(array(), count($insert_values), '?')).")";
 
-        call_user_func_array(array($this->db, 'query'),
-            array_merge(array($sql), $insert_values));
+        $insert = $this->db->query($sql, $insert_values);
 
         // clear the cache
         $this->identities = array();
@@ -611,15 +613,15 @@ static function create($user, $host)
             return false;
         }
 
-        $dbh->query(
+        $insert = $dbh->query(
             "INSERT INTO ".$dbh->table_name('users', true).
             " (`created`, `last_login`, `username`, `mail_host`, `language`)".
             " VALUES (".$dbh->now().", ".$dbh->now().", ?, ?, ?)",
             $data['user'],
             $data['host'],
             $data['language']);
 
-        if ($user_id = $dbh->insert_id('users')) {
+        if ($dbh->affected_rows($insert) && ($user_id = $dbh->insert_id('users'))) {
             // create rcube_user instance to make plugin hooks work
             $user_instance = new rcube_user($user_id, array(
                 'user_id'   => $user_id,
@@ -836,9 +838,8 @@ function insert_search($data)
             ." (".join(', ', $insert_cols).")"
             ." VALUES (".join(', ', array_pad(array(), count($insert_values), '?')).")";
 
-        call_user_func_array(array($this->db, 'query'),
-            array_merge(array($sql), $insert_values));
+        $insert = $this->db->query($sql, $insert_values);
 
-        return $this->db->insert_id('searches');
+        return $this->db->affected_rows($insert) ? $this->db->insert_id('searches') : false;
     }
 }