Patch for CVE-2007-5934 MDB2 Data injection and disclosure from http://marc.info/?l=pear-cvs&m=117823082829114&q=raw
--- pear/MDB2/Driver/mysqli.php.lob 2007-11-14 08:01:40.000000000 +0100
+++ pear/MDB2/Driver/mysqli.php 2007-11-14 08:02:12.000000000 +0100
@@ -43,7 +43,7 @@
 // | Author: Lukas Smith <smith@pooteeweet.org> |
 // +----------------------------------------------------------------------+
 //
-// $Id: mysqli.php,v 1.162 2007/05/02 22:00:08 quipo Exp $
+// $Id: mysqli.php,v 1.163 2007/05/03 22:20:20 davidc Exp $
 //

 /**
@@ -1476,7 +1476,7 @@ class MDB2_Statement_mysqli extends MDB2
 $value = $this->values[$parameter];
 $type = array_key_exists($parameter, $this->types) ? $this->types[$parameter] : null;
 if (!is_object($this->statement)) {
- if (is_resource($value) || $type == 'clob' || $type == 'blob') {
+ if (is_resource($value) || $type == 'clob' || $type == 'blob' && $this->options['lob_allow_url_include']) {
 if (!is_resource($value) && preg_match('/^(\w+:\/\/)(.*)$/', $value, $match)) {
 if ($match[1] == 'file://') {
 $value = $match[2];
@@ -1628,4 +1628,4 @@ class MDB2_Statement_mysqli extends MDB2
 return $result;
 }
 }
-?>
\ No newline at end of file
+?>
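Review bot: In the second hunk (around line 1479 of mysqli.php) the new `lob_allow_url_include` check guards only the `'blob'` case, because `&&` binds tighter than `||` in PHP; a string value typed `'clob'` still enters the branch that runs `preg_match('/^(\w+:\/\/)(.*)$/', $value, $match)` even when the option is disabled. Grouping the two type tests makes the option cover both LOB types: `if (is_resource($value) || (($type == 'clob' || $type == 'blob') && $this->options['lob_allow_url_include'])) {`. The hunk does not show where `options` is populated on the statement object, so it is worth confirming that `$this->options` actually carries this key there and that it defaults to false; wrapping the lookup in `!empty(...)` would also avoid an undefined-index notice when the key is absent. The enclosing method starts and ends outside the hunk, so the effect on non-URL LOB values inside the branch should be checked against the full body.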