* [FIX] Fixes #636. Improved search string filtering by removing special chars used in regular expressions. Thanks to @LeSuisse for the feedback.

2026-03-04 15:44:07 +01:00 · 2017-06-15 15:47:44 +02:00
parent 7ee9c1004c
commit 65878e0972
4 changed files with 55 additions and 6 deletions
--- a/inc/SP/Account/AccountSearch.class.php
+++ b/inc/SP/Account/AccountSearch.class.php
@@ -33,6 +33,7 @@ use SP\Mgmt\Users\User;
 use SP\Storage\DB;
 use SP\Storage\QueryData;
 use SP\Util\Checks;
+use SP\Util\Filter;

 defined('APP_ROOT') || die();

@@ -188,7 +189,7 @@ class AccountSearch
     */
    public function setTxtSearch($txtSearch)
    {
-        $this->txtSearch = (string)$txtSearch;
+        $this->txtSearch = Filter::safeSearchString($txtSearch);

        return $this;
    }
--- a/inc/SP/DataModel/ItemSearchData.class.php
+++ b/inc/SP/DataModel/ItemSearchData.class.php
@@ -2,8 +2,8 @@
 /**
 * sysPass
 *
- * @author nuxsmin 
- * @link http://syspass.org
+ * @author    nuxsmin
+ * @link      http://syspass.org
 * @copyright 2012-2017, Rubén Domínguez nuxsmin@$syspass.org
 *
 * This file is part of sysPass.
@@ -23,6 +23,7 @@
 */

 namespace SP\DataModel;
+use SP\Util\Filter;


 /**
@@ -65,7 +66,7 @@ class ItemSearchData
     */
    public function setSeachString($seachString)
    {
-        $this->seachString = $seachString;
+        $this->seachString = Filter::safeSearchString($seachString);
    }

    /**
--- a/inc/SP/Util/Filter.class.php
+++ b/inc/SP/Util/Filter.class.php
@@ -0,0 +1,48 @@
+<?php
+/**
+ * sysPass
+ *
+ * @author    nuxsmin
+ * @link      http://syspass.org
+ * @copyright 2012-2017, Rubén Domínguez nuxsmin@$syspass.org
+ *
+ * This file is part of sysPass.
+ *
+ * sysPass is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * sysPass is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ *  along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace SP\Util;
+
+defined('APP_ROOT') || die();
+
+
+/**
+ * Class Filter para el filtrado de datos
+ *
+ * @package SP\Util
+ */
+class Filter
+{
+    /**
+     * Limpiar una cadena de búsqueda de carácteres utilizados en expresiones regulares
+     *
+     * @param $string
+     * @return mixed
+     */
+    public static function safeSearchString($string)
+    {
+        return preg_replace(/** @lang RegExp */
+            '/[\[\]%{}*$]+/', '', (string)$string);
+    }
+}
--- a/inc/SP/Util/Util.class.php
+++ b/inc/SP/Util/Util.class.php
@@ -25,7 +25,6 @@
 namespace SP\Util;

 use Defuse\Crypto\Core;
-use Defuse\Crypto\Crypto;
 use Defuse\Crypto\Encoding;
 use SP\Config\Config;
 use SP\Config\ConfigDB;
@@ -383,7 +382,7 @@ class Util
     */
    public static function getVersion($retBuild = false, $normalized = false)
    {
-        $build = 17061502;
+        $build = 17061503;
        $version = [2, 1, 11];

        if ($normalized === true) {