Merge branch '3.1' into 3.2

thorsten · thorsten · commit eb75f1eaa852 · 2023-07-16T13:12:12.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -38,6 +38,11 @@ This is a log of major user-visible changes in each phpMyFAQ release.
 - updated Japanese translation (Advanced Bear)
 - updated Dutch translation (Bob Coret)
 
+### phpMyFAQ v3.1.16 - 2023-07-16
+
+- fixed multiple security vulnerabilities (Thorsten)
+- fixed minor bugs (Thorsten)
+
 ### phpMyFAQ v3.1.15 - 2023-06-17
 
 - fixed minor bugs (Thorsten)
diff --git a/phpmyfaq/admin/api/user.php b/phpmyfaq/admin/api/user.php
@@ -22,6 +22,7 @@
 use phpMyFAQ\Filter;
 use phpMyFAQ\Helper\MailHelper;
 use phpMyFAQ\Permission;
+use phpMyFAQ\Report;
 use phpMyFAQ\Session\Token;
 use phpMyFAQ\Strings;
 use phpMyFAQ\Translation;
@@ -94,8 +95,8 @@
                 $userObject->status = $user->getStatus();
                 $userObject->isSuperAdmin = $user->isSuperAdmin();
                 $userObject->isVisible = $user->getUserData('is_visible');
-                $userObject->displayName = $user->getUserData('display_name');
-                $userObject->userName = $user->getLogin();
+                $userObject->displayName = Report::sanitize($user->getUserData('display_name'));
+                $userObject->userName = Report::sanitize($user->getLogin());
                 $userObject->email = $user->getUserData('email');
                 $userObject->authSource = $user->getUserAuthSource();
                 $userData[] = $userObject;
diff --git a/phpmyfaq/admin/report.export.php b/phpmyfaq/admin/report.export.php
@@ -119,7 +119,8 @@
 
     $content = '';
     foreach ($text as $row) {
-        $content .= implode(';', $row);
+        $csvRow = array_map(['phpMyFAQ\Report', 'sanitize'], $row);
+        $content .= implode(';', $csvRow);
         $content .= "\r\n";
     }
 
diff --git a/phpmyfaq/src/phpMyFAQ/Link.php b/phpmyfaq/src/phpMyFAQ/Link.php
@@ -262,11 +262,11 @@ public function toHtmlAnchor(): string
         }
 
         if (!empty($this->tooltip)) {
-            $htmlAnchor .= sprintf(' title="%s"', addslashes($this->tooltip));
+            $htmlAnchor .= sprintf(' title="%s"', Strings::htmlentities($this->tooltip));
         }
 
         if (!empty($this->name)) {
-            $htmlAnchor .= sprintf(' name="%s"', $this->name);
+            $htmlAnchor .= sprintf(' name="%s"', Strings::htmlentities($this->name));
         } else {
             if (!empty($this->url)) {
                 $htmlAnchor .= sprintf(' href="%s"', $url);
@@ -280,10 +280,10 @@ public function toHtmlAnchor(): string
         }
         $htmlAnchor .= '>';
         if (('0' == $this->text) || (!empty($this->text))) {
-            $htmlAnchor .= $this->text;
+            $htmlAnchor .= Strings::htmlentities($this->text);
         } else {
             if (!empty($this->name)) {
-                $htmlAnchor .= $this->name;
+                $htmlAnchor .= Strings::htmlentities($this->name);
             } else {
                 $htmlAnchor .= $url;
             }
diff --git a/phpmyfaq/src/phpMyFAQ/Report.php b/phpmyfaq/src/phpMyFAQ/Report.php
@@ -139,4 +139,18 @@ public function convertEncoding(string $outputString = ''): string
         $toBeRemoved = ['=', '+', '-', 'HYPERLINK'];
         return str_replace($toBeRemoved, '', $outputString);
     }
+
+    /**
+     * Sanitizes input to avoid CSV injection.
+     * @param string|int $value
+     * @return string
+     */
+    public static function sanitize($value): string
+    {
+        if (preg_match('/[=\+\-\@\|]/', $value)) {
+            $value = '"' . str_replace('"', '""', $value) . '"';
+        }
+
+        return $value;
+    }
 }
diff --git a/phpmyfaq/src/phpMyFAQ/Search/Database/Mysqli.php b/phpmyfaq/src/phpMyFAQ/Search/Database/Mysqli.php
@@ -48,7 +48,7 @@ public function __construct(Configuration $config)
     public function search(string $searchTerm): mixed
     {
         if (is_numeric($searchTerm) && $this->config->get('search.searchForSolutionId')) {
-            parent::search($searchTerm);
+            return parent::search($searchTerm);
         } else {
             $relevance = $this->config->get('search.enableRelevance');
             $columns = $this->getResultColumns();
diff --git a/tests/phpMyFAQ/ReportTest.php b/tests/phpMyFAQ/ReportTest.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace phpMyFAQ;
+
+use PHPUnit\Framework\TestCase;
+
+class ReportTest extends TestCase
+{
+
+    public function testSanitize(): void
+    {
+        $data = [
+            ['John Doe', 'john.doe@example.com', '12345'],
+            ['Jane Smith', 'jane.smith@example.com', '=SUM(A1:A10)'],
+        ];
+
+        $actual = [];
+
+        $expected = [
+            'John Doe,"john.doe@example.com",12345',
+            'Jane Smith,"jane.smith@example.com","=SUM(A1:A10)"'
+        ];
+
+        foreach ($data as $row) {
+            $csvRow = array_map(['phpMyFAQ\Report', 'sanitize'], $row);
+            $actual[] = implode(',', $csvRow);
+        }
+
+        $this->assertEquals($expected, $actual);
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,8 @@`
`119`	`119`
`120`	`120`	`$content = '';`
`121`	`121`	`foreach ($text as $row) {`
`122`		`- $content .= implode(';', $row);`
	`122`	`+ $csvRow = array_map(['phpMyFAQ\Report', 'sanitize'], $row);`
	`123`	`+ $content .= implode(';', $csvRow);`
`123`	`124`	`$content .= "\r\n";`
`124`	`125`	`}`
`125`	`126`
Original file line number	Diff line number	Diff line change
`@@ -262,11 +262,11 @@ public function toHtmlAnchor(): string`
`262`	`262`	`}`
`263`	`263`
`264`	`264`	`if (!empty($this->tooltip)) {`
`265`		`- $htmlAnchor .= sprintf(' title="%s"', addslashes($this->tooltip));`
	`265`	`+ $htmlAnchor .= sprintf(' title="%s"', Strings::htmlentities($this->tooltip));`
`266`	`266`	`}`
`267`	`267`
`268`	`268`	`if (!empty($this->name)) {`
`269`		`- $htmlAnchor .= sprintf(' name="%s"', $this->name);`
	`269`	`+ $htmlAnchor .= sprintf(' name="%s"', Strings::htmlentities($this->name));`
`270`	`270`	`} else {`
`271`	`271`	`if (!empty($this->url)) {`
`272`	`272`	`$htmlAnchor .= sprintf(' href="%s"', $url);`
`@@ -280,10 +280,10 @@ public function toHtmlAnchor(): string`
`280`	`280`	`}`
`281`	`281`	`$htmlAnchor .= '>';`
`282`	`282`	`if (('0' == $this->text) \|\| (!empty($this->text))) {`
`283`		`- $htmlAnchor .= $this->text;`
	`283`	`+ $htmlAnchor .= Strings::htmlentities($this->text);`
`284`	`284`	`} else {`
`285`	`285`	`if (!empty($this->name)) {`
`286`		`- $htmlAnchor .= $this->name;`
	`286`	`+ $htmlAnchor .= Strings::htmlentities($this->name);`
`287`	`287`	`} else {`
`288`	`288`	`$htmlAnchor .= $url;`
`289`	`289`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ public function __construct(Configuration $config)`
`48`	`48`	`public function search(string $searchTerm): mixed`
`49`	`49`	`{`
`50`	`50`	`if (is_numeric($searchTerm) && $this->config->get('search.searchForSolutionId')) {`
`51`		`- parent::search($searchTerm);`
	`51`	`+ return parent::search($searchTerm);`
`52`	`52`	`} else {`
`53`	`53`	`$relevance = $this->config->get('search.enableRelevance');`
`54`	`54`	`$columns = $this->getResultColumns();`