Security: Plugin: VChamilo: Add clearDatabaseName method to sanitize database names and update usages

AngelFQC · AngelFQC · commit afdbd4bb9a9e · 2025-04-14T16:13:26.000-05:00
diff --git a/main/inc/lib/database.lib.php b/main/inc/lib/database.lib.php
@@ -843,4 +843,9 @@ public static function escapeField($field)
     {
         return self::escape_string(preg_replace("/[^a-zA-Z0-9_.]/", '', $field));
     }
+
+    public static function clearDatabaseName(string $dbName): string
+    {
+        return preg_replace('/[^a-zA-Z0-9_\-]/', '', $dbName);
+    }
 }
diff --git a/main/install/index.php b/main/install/index.php
@@ -767,7 +767,7 @@ function send_contact_information() {
                 $dbPortForm
             );
 
-            $dbNameForm = preg_replace('/[^a-zA-Z0-9_\-]/', '', $dbNameForm);
+            $dbNameForm = Database::clearDatabaseName($dbNameForm);
 
             // Drop and create the database anyways
             $manager->getConnection()->getSchemaManager()->dropAndCreateDatabase($dbNameForm);
diff --git a/plugin/vchamilo/lib/Virtual.php b/plugin/vchamilo/lib/Virtual.php
@@ -921,10 +921,7 @@ public static function getConnectionFromInstance($instance, $getManager = false)
         return false;
     }
 
-    /**
-     * @param $data
-     */
-    public static function addInstance($data)
+    public static function addInstance(stdClass $data)
     {
         if (isset($data->what)) {
             unset($data->what);
@@ -967,7 +964,7 @@ public static function addInstance($data)
             return;
         }
 
-        $databaseName = $data->main_database;
+        $databaseName = Database::clearDatabaseName($data->main_database);
         $data->main_database = '';
         $connection = self::getConnectionFromInstance($data);
         $data->main_database = $databaseName;
@@ -1061,10 +1058,11 @@ public static function addInstance($data)
     }
 
     /**
-     * @param stdClass $data
-     * @param string   $fromVersion
+     * @throws \Doctrine\DBAL\Exception
+     *
+     * @return false|void
      */
-    public static function importInstance($data, $fromVersion)
+    public static function importInstance(stdClass $data, string $fromVersion)
     {
         if (isset($data->what)) {
             unset($data->what);
@@ -1094,7 +1092,7 @@ public static function importInstance($data, $fromVersion)
         unset($data->upload_path);
 
         $newDatabase = clone $data;
-        $newDatabase->main_database = $newDatabase->import_to_main_database;
+        $newDatabase->main_database = Database::clearDatabaseName($newDatabase->import_to_main_database);
         $newDatabase->db_user = $newDatabase->import_to_db_user;
         $newDatabase->db_password = $newDatabase->import_to_db_password;
         $newDatabase->db_host = $newDatabase->import_to_db_host;

Original file line number	Diff line number	Diff line change
`@@ -843,4 +843,9 @@ public static function escapeField($field)`
`843`	`843`	`{`
`844`	`844`	`return self::escape_string(preg_replace("/[^a-zA-Z0-9_.]/", '', $field));`
`845`	`845`	`}`
	`846`	`+`
	`847`	`+ public static function clearDatabaseName(string $dbName): string`
	`848`	`+ {`
	`849`	`+ return preg_replace('/[^a-zA-Z0-9_\-]/', '', $dbName);`
	`850`	`+ }`
`846`	`851`	`}`