SECURITY: quote booleans as string (not integer) in DatabaseMysqlBase

author Gergő Tisza <gtisza@wikimedia.org>

Thu, 6 Oct 2016 17:39:08 +0000 (17:39 +0000)

committer Brad Jorsch <bjorsch@wikimedia.org>

Tue, 11 Oct 2016 15:16:50 +0000 (11:16 -0400)
author Gergő Tisza <gtisza@wikimedia.org>
Thu, 6 Oct 2016 17:39:08 +0000 (17:39 +0000)
committer Brad Jorsch <bjorsch@wikimedia.org>
Tue, 11 Oct 2016 15:16:50 +0000 (11:16 -0400)
diff --git a/includes/libs/rdbms/database/DatabaseMysqlBase.php b/includes/libs/rdbms/database/DatabaseMysqlBase.php

index d654429..b1c18b6 100644 (file)
--- a/includes/libs/rdbms/database/DatabaseMysqlBase.php
+++ b/includes/libs/rdbms/database/DatabaseMysqlBase.php
@@ -608,6 +608,16 @@ abstract class DatabaseMysqlBase extends Database {
          */
         abstract protected function mysqlRealEscapeString( $s );
  
+       public function addQuotes( $s ) {
+               if ( is_bool( $s ) ) {
+                       // Parent would transform to int, which does not play nice with MySQL type juggling.
+                       // When searching for an int in a string column, the strings are cast to int, which
+                       // means false would match any string not starting with a number.
+                       $s = (string)(int)$s;
+               }
+               return parent::addQuotes( $s );
+       }
+
         /**
          * MySQL uses `backticks` for identifier quoting instead of the sql standard "double quotes".
          *
author	Gergő Tisza <gtisza@wikimedia.org>
	Thu, 6 Oct 2016 17:39:08 +0000 (17:39 +0000)
committer	Brad Jorsch <bjorsch@wikimedia.org>
	Tue, 11 Oct 2016 15:16:50 +0000 (11:16 -0400)