#! /bin/sh /usr/share/dpatch/dpatch-run
## MDL-9288_mnet.dpatch by Kees Cook <kees@ubuntu.com>
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix SQL injection bug in mnet (MDL-9288).
## DP: Thanks to Dan Poltawski.
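--- a/auth/mnet/auth.php
+++ b/auth/mnet/auth.php
 // get the local record for the remote user
- $localuser = get_record('user', 'username', $remoteuser->username, 'mnethostid', $remotehost->id);
+ $localuser = get_record('user', 'username', addslashes($remoteuser->username), 'mnethostid', $remotehost->id);
 // add the remote user to the database if necessary, and if allowed
 // TODO: refactor into a separate function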
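Review bot: Only this one `get_record()` lookup is escaped, while the context lines right after it say the remote user is then added to the database, so the other `$remoteuser` fields supplied by the remote host may still reach SQL unescaped; that code is outside the hunk and should be checked for the same treatment. `addslashes()` is also unaware of the database driver and connection charset, so it is only as safe as the quoting `get_record()` applies around the value, which is not visible here. A comment on the changed line would record the trust boundary for the next maintainer, e.g. `// $remoteuser is supplied by the remote MNET host: escape before it reaches SQL`. The enclosing function starts and ends outside the hunk.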