From cbaa8b4304c7f725af4d90be3233c21aa0046b37 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 29 Jun 2022 16:40:19 +0200
Subject: [PATCH] FIX False alert of WAF when there is "set" into some URL action=update.
---
 htdocs/main.inc.php | 2 +-
 test/phpunit/SecurityTest.php | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 1d09b9f9887..b97312859b9 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -130,7 +130,7 @@ function testSqlAndScriptInject($val, $type)
 $inj += preg_match('/user\s*\(/i', $val); // avoid to use function user() or mysql_user() that return current database login
 $inj += preg_match('/information_schema/i', $val); // avoid to use request that read information_schema database
 $inj += preg_match('/assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL1b. Should find an attack on GET param and did not.');
+ $test = '... update ... set ... =';
+ $result=testSqlAndScriptInject($test, 1);
+ $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2a. Should find an attack on GET param and did not.');
+
+ $test = 'action=update& ... set ... =';
+ $result=testSqlAndScriptInject($test, 1);
+ $this->assertEquals(0, $result, 'Error on testSqlAndScriptInject for SQL2b. Should not find an attack on GET param and did.');
+
 $test = '... union ... selection ';
 $result=testSqlAndScriptInject($test, 1);
- $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2. Should find an attack on GET param and did not.');
+ $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2c. Should find an attack on GET param and did not.');
 $test = 'javascript:';
 $result=testSqlAndScriptInject($test, 0);