Merge pull request zendframework#670 from ezimuel/fix/655

Fix for 655 issue - ZF2015-08 breaks binary data

Author: froschdesign

library/Zend/Db/Adapter/Pdo/Abstract.php

@@ -292,8 +292,6 @@ protected function _quote($value)
         if (is_int($value) || is_float($value)) {
             return $value;
         }
-        // Fix for null-byte injection
-        $value = addcslashes($value, "\000\032");
         $this->_connect();
         return $this->_connection->quote($value);
     }

library/Zend/Db/Adapter/Pdo/Mssql.php

@@ -420,4 +420,19 @@ public function getServerVersion()
             return null;
         }
     }
+
+    /**
+     * Quote a raw string.
+     *
+     * @param string $value     Raw string
+     * @return string           Quoted string
+     */
+    protected function _quote($value)
+    {
+        if (!is_int($value) && !is_float($value)) {
+            // Fix for null-byte injection
+            $value = addcslashes($value, "\000\032");
+        }
+        return parent::_quote($value);
+    }
 }

library/Zend/Db/Adapter/Pdo/Sqlite.php

@@ -294,4 +294,18 @@ public function limit($sql, $count, $offset = 0)
         return $sql;
     }
 
+    /**
+     * Quote a raw string.
+     *
+     * @param string $value     Raw string
+     * @return string           Quoted string
+     */
+    protected function _quote($value)
+    {
+        if (!is_int($value) && !is_float($value)) {
+            // Fix for null-byte injection
+            $value = addcslashes($value, "\000\032");
+        }
+        return parent::_quote($value);
+    }
 }

tests/Zend/Db/Adapter/Pdo/MssqlTest.php

@@ -361,6 +361,17 @@ public function testAdapterDescribeTableWithSchemaName()
         $this->assertArrayHasKey('product_name', $productsTableInfo);
     }
 
+    /**
+     * test that quote() escapes null byte character
+     * in a string.
+     */
+    public function testAdapterQuoteNullByteCharacter()
+    {
+        $string = "1\0";
+        $value  = $this->_db->quote($string);
+        $this->assertEquals("'1\\000'", $value);
+    }
+
     public function getDriver()
     {
         return 'Pdo_Mssql';

tests/Zend/Db/Adapter/Pdo/MysqlTest.php

@@ -315,7 +315,17 @@ public function testAdapterIncludesCharsetInsideGeneratedPdoDsn()
         $adapter = new ZendTest_Db_Adapter_Pdo_Mysql(array('dbname' => 'foo', 'charset' => 'XYZ', 'username' => 'bar', 'password' => 'foo'));
         $this->assertEquals('mysql:dbname=foo;charset=XYZ', $adapter->_dsn());
     }
-    
+
+    /**
+     * Test that quote() does not alter binary data
+     */
+    public function testBinaryQuoteWithNulls()
+    {
+        $binary = pack("xxx");
+        $value  = $this->_db->quote($binary);
+        $this->assertEquals('\'\0\0\0\'', $value);
+    }
+
     public function getDriver()
     {
         return 'Pdo_Mysql';
@@ -330,4 +340,3 @@ public function _dsn()
         return parent::_dsn();
     }
 }
-

tests/Zend/Db/Adapter/Pdo/SqliteTest.php

@@ -247,4 +247,15 @@ protected function _testAdapterAlternateStatement($stmtClass)
         $this->assertTrue($stmt instanceof $stmtClass,
             'Expecting object of type ' . $stmtClass . ', got ' . get_class($stmt));
     }
+
+    /**
+     * test that quote() escapes null byte character
+     * in a string.
+     */
+    public function testAdapterQuoteNullByteCharacter()
+    {
+        $string = "1\0";
+        $value  = $this->_db->quote($string);
+        $this->assertEquals("'1\\000'", $value);
+    }
 }