Control: tags -1 patch

Hi Thorsten,

On Fri, Apr 30, 2021 at 11:56 PM Thorsten Glaser
<thorsten.gla...@teckids.org> wrote:
> considering you took over maintenance and know the code in
> question better, it would be _much_ appreciated if you could
> also take care of this for buster.

Upstream's fix for version 6.x seems suitable for 5.x as well. I've
applied it, looked it over, and checked for regressions with
upstream's test suite. Seems alright from what I can tell.

A patch is attached.

Regards,
Robin
From 00a499a805d8b2d1811ca16bf4f833d7b8da5eb8 Mon Sep 17 00:00:00 2001
From: Robin Gustafsson <ro...@rgson.se>
Date: Sat, 1 May 2021 16:24:09 +0200
Subject: [PATCH] Security fix: SQL injection with Microsoft SQL Server

Closes: #987848
---
 debian/patches/0001-cast-to-int.patch | 37 +++++++++++++++++++++++++++
 debian/patches/series                 |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 debian/patches/0001-cast-to-int.patch
 create mode 100644 debian/patches/series

diff --git a/debian/patches/0001-cast-to-int.patch b/debian/patches/0001-cast-to-int.patch
new file mode 100644
index 0000000000..3ad4e6a50b
--- /dev/null
+++ b/debian/patches/0001-cast-to-int.patch
@@ -0,0 +1,37 @@
+From: Taylor Otwell <taylorotw...@gmail.com>
+Date: Wed, 28 Apr 2021 08:18:19 -0500
+Subject: cast to int
+
+Origin: https://github.com/laravel/framework/commit/09bf1457e9df53e172e6fd5929cbafb539677c7c
+---
+ Query/Grammars/SqlServerGrammar.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Query/Grammars/SqlServerGrammar.php b/Query/Grammars/SqlServerGrammar.php
+index ed7f176..0f099c7 100755
+--- a/Query/Grammars/SqlServerGrammar.php
++++ b/Query/Grammars/SqlServerGrammar.php
+@@ -60,8 +60,8 @@ class SqlServerGrammar extends Grammar
+         // If there is a limit on the query, but not an offset, we will add the top
+         // clause to the query, which serves as a "limit" type clause within the
+         // SQL Server system similar to the limit keywords available in MySQL.
+-        if ($query->limit > 0 && $query->offset <= 0) {
+-            $select .= 'top '.$query->limit.' ';
++        if (is_numeric($query->limit) && $query->limit > 0 && $query->offset <= 0) {
++            $select .= 'top '.((int) $query->limit).' ';
+         }
+ 
+         return $select.$this->columnize($columns);
+@@ -221,10 +221,10 @@ class SqlServerGrammar extends Grammar
+      */
+     protected function compileRowConstraint($query)
+     {
+-        $start = $query->offset + 1;
++        $start = (int) $query->offset + 1;
+ 
+         if ($query->limit > 0) {
+-            $finish = $query->offset + $query->limit;
++            $finish = (int) $query->offset + (int) $query->limit;
+ 
+             return "between {$start} and {$finish}";
+         }
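Review bot: The DEP-3 header block at the top of 0001-cast-to-int.patch (the `From:`, `Date:`, `Subject:` and `Origin:` lines) should also carry `Bug-Debian: https://bugs.debian.org/987848`, so the patch file itself records the Debian bug it closes, and `Subject: cast to int` would be clearer as `Subject: Security fix: SQL injection with Microsoft SQL Server`, matching the outer commit subject. Separately, note the asymmetry between the two inner hunks: the `top` clause in the first hunk gains an `is_numeric($query->limit)` guard on top of the `(int)` cast, whereas compileRowConstraint in the second hunk relies on `(int)` casts alone. Both variants close the interpolation hole, since only integers reach the generated SQL, but a non-numeric limit or offset now silently becomes 0 rather than being rejected, which is worth covering with a regression test when the buster build is verified.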
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000000..9bf625b68b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-cast-to-int.patch
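Review bot: debian/patches/series is created here rather than extended, so this becomes the first quilt patch the package carries; confirm that debian/source/format is `3.0 (quilt)` (or that debian/rules otherwise applies debian/patches/series), because with a `1.0` source format a newly added series file is ignored at build time and the fix would not actually be applied.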
-- 
2.20.1
