From 3258978c38bee8cb4b99f249dffac9c8aaea2d80 Mon Sep 17 00:00:00 2001
From: Isaac Bennetch
Date: Wed, 18 Mar 2020 22:16:53 -0400
Subject: [PATCH] More escaping of username and password. Improves upon 89fbcd7c39e6b3979cdb2f64aa4cd5f4db27eaad
Signed-off-by: Isaac Bennetch
---
 libraries/classes/Server/Privileges.php | 8 ++++----
 libraries/classes/UserPassword.php | 10 ++++++----
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/libraries/classes/Server/Privileges.php b/libraries/classes/Server/Privileges.php
index 256cd8084a..a62d111606 100644
--- a/libraries/classes/Server/Privileges.php
+++ b/libraries/classes/Server/Privileges.php
@@ -1971,8 +1971,8 @@ class Privileges
 . " `authentication_string` = '" . $hashedPassword . "', `Password` = '', " . " `plugin` = '" . $authentication_plugin . "'"
- . " WHERE `User` = '" . $username . "' AND Host = '"
- . $hostname . "';";
+ . " WHERE `User` = '" . $GLOBALS['dbi']->escapeString($username)
+ . "' AND Host = '" . $GLOBALS['dbi']->escapeString($hostname) . "';";
 } else { // USE 'SET PASSWORD ...' syntax for rest of the versions // Backup the old value, to be reset later
@@ -1982,8 +1982,8 @@ class Privileges
 $orig_value = $row['@@old_passwords']; $update_plugin_query = "UPDATE `mysql`.`user` SET" . " `plugin` = '" . $authentication_plugin . "'"
- . " WHERE `User` = '" . $username . "' AND Host = '"
- . $hostname . "';";
+ . " WHERE `User` = '" . $GLOBALS['dbi']->escapeString($username)
+ . "' AND Host = '" . $GLOBALS['dbi']->escapeString($hostname) . "';";
 // Update the plugin for the user if (!($GLOBALS['dbi']->tryQuery($update_plugin_query))) {
diff --git a/libraries/classes/UserPassword.php b/libraries/classes/UserPassword.php
index 585463fe56..be7d2e41a5 100644
--- a/libraries/classes/UserPassword.php
+++ b/libraries/classes/UserPassword.php
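Review bot: In the `@@ -1971,8` hunk of Privileges.php, `$authentication_plugin` and `$hashedPassword` are still concatenated unescaped into the same quoted UPDATE statement where only `$username` and `$hostname` gain `escapeString()`. The `@@ -1982,8` hunk builds `$update_plugin_query` with the same unescaped `$authentication_plugin`, and the `@@ -208,8` hunk of UserPassword.php does the same with `$orig_auth_plugin`. Where these values originate is not visible in the diff; if any of them can carry request data, the statements remain injectable after this change. I would wrap them the same way, e.g. `$GLOBALS['dbi']->escapeString($authentication_plugin)`, and preferably also check the plugin name against the set of supported plugins before the query is built. The enclosing functions start and end outside these hunks.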
@@ -114,7 +114,8 @@ class UserPassword
 if ($serverType == 'MySQL' && $serverVersion >= 50706 ) {
- $sql_query = 'ALTER USER \'' . $username . '\'@\'' . $hostname
+ $sql_query = 'ALTER USER \'' . $GLOBALS['dbi']->escapeString($username)
+ . '\'@\'' . $GLOBALS['dbi']->escapeString($hostname)
 . '\' IDENTIFIED WITH ' . $orig_auth_plugin . ' BY ' . (($password == '') ? '\'\'' : '\'***\''); } elseif (($serverType == 'MySQL'
@@ -182,7 +183,8 @@ class UserPassword
 $serverVersion = $GLOBALS['dbi']->getVersion(); if ($serverType == 'MySQL' && $serverVersion >= 50706) {
- $local_query = 'ALTER USER \'' . $username . '\'@\'' . $hostname . '\''
+ $local_query = 'ALTER USER \'' . $GLOBALS['dbi']->escapeString($username)
+ . '\'@\'' . $GLOBALS['dbi']->escapeString($hostname) . '\''
 . ' IDENTIFIED with ' . $orig_auth_plugin . ' BY ' . (($password == '') ? '\'\''
@@ -208,8 +210,8 @@ class UserPassword
 . " `authentication_string` = '" . $hashedPassword . "', `Password` = '', " . " `plugin` = '" . $orig_auth_plugin . "'"
- . " WHERE `User` = '" . $username . "' AND Host = '"
- . $hostname . "';";
+ . " WHERE `User` = '" . $GLOBALS['dbi']->escapeString($username)
+ . "' AND Host = '" . $GLOBALS['dbi']->escapeString($hostname) . "';";
 } else { $local_query = 'SET password = ' . (($password == '') ? '\'\''
--
2.11.4.GIT
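Review bot: `$orig_auth_plugin` is concatenated as a bare token after `IDENTIFIED WITH` in the `@@ -114,7` hunk and after `IDENTIFIED with` in the `@@ -182,7` hunk, so the `escapeString()` calls added for the account name do not cover it. Because the value sits outside any quotes, string escaping would not help there; it has to be checked against a fixed pattern or a list of known plugins before the statement is built, for example `if (! preg_match('/^[A-Za-z0-9_]+$/', $orig_auth_plugin)) { /* reject */ }`. Whether the value is request-derived is not visible in these hunks, so its origin should be confirmed. `$sql_query` in the first hunk looks like the masked statement (it carries `'***'`), while `$local_query` is presumably the one executed, which makes the second hunk the more important of the two. Both enclosing functions extend beyond the hunks.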