[imp] Bug in IMP 2.2.6: Escaped backslash in Preferences/signature
Rich Lafferty
rich@horde.org
Fri, 3 Aug 2001 21:02:08 -0400
On Fri, Aug 03, 2001 at 06:43:56PM +0200, Fritz Zaucker (zaucker@ee.ethz.ch) wrote:
> This behaviour can be verified on the IMP demo site at
> https://demo.horde.org/stable/horde/imp/
Aha! The demo's using MySQL, and I'm using Postgres, which explains
why I couldn't reproduce it. So...
> If a backslash is used in Preferences/Signature the backslash is
> "escaped" with a second backslash upon saving the Preferences.
>
> This is done by the call to addslashes() in the file
> horde/imp/prefs.php3 in line 69:
This part's fine; the problem is that it's done /again/ in
imp_set_signature in horde/imp/lib/db.mysql (and also for a handful of
other functions in there). I don't use MySQL at all, though; I'd
appreciate it if you (Fritz) or another MySQL user could test it for
me. (The patch is appended below my .signature.)
> If addslashes() is removed from that line, no second backslash is added.
>
> The question is if this is save to do there?
While I realize this isn't what you meant when you asked, we have to
change db.mysql instead of prefs.php3 because all of the other
database library files count on imp_set_* being handed sanitized data.
(Oh, and be sure to put magic_quotes_sybase back to 'off' if you
turned it on.)
-Rich
--
Rich Lafferty --------------+-----------------------------------------------
Montreal, Quebec, Canada | Save the Pacific Northwest Tree Octopus!
http://www.lafferty.ca/ | http://zapatopi.net/treeoctopus.html
rich@lafferty.ca -----------+-----------------------------------------------
--- horde/imp/lib/db.mysql.old Fri Aug 3 20:59:21 2001
+++ horde/imp/lib/db.mysql Fri Aug 3 20:59:46 2001
@@ -191,7 +191,6 @@
function imp_set_from ($from, $user, $server) {
global $default;
- $from = addslashes($from);
/* post: sets the signature to $signature for the database key $user@$server
returns true on success and false on failure
@@ -214,7 +213,6 @@
function imp_set_fullname ($fullname, $user, $server) {
global $default;
- $fullname = addslashes($fullname);
/* post: sets the signature to $signature for the database key $user@$server
returns true on success and false on failure
@@ -237,7 +235,6 @@
function imp_set_lang ($lang, $user, $server) {
global $default;
- $lang = addslashes($lang);
/* post: sets the language to $lang for the database key $user@$server
returns true on success and false on failure
@@ -260,7 +257,6 @@
function imp_set_signature ($signature, $user, $server) {
global $default;
- $signature = addslashes($signature);
/* post: sets the signature to $signature for the database key $user@$server
returns true on success and false on failure
@@ -283,10 +279,6 @@
function imp_update_address ($old_address, $address, $nickname, $fullname, $user, $server) {
global $default;
- $old_address = addslashes($old_address);
- $address = addslashes($address);
- $nickname = addslashes($nickname);
- $fullname = addslashes($fullname);
/* post: changes the entry for $old_address to $address, $nickname, $fullname.
returns true on success and false on failure