#! /bin/sh /usr/share/dpatch/dpatch-run ## upgrade-password-portable by ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Rewrite the upgrade routine that removes saved password to use ## DP: a more portable method that will work on databases other than ## DP: mysql @DPATCH@ --- phpwiki-1.3.12p3.orig/lib/upgrade.php +++ phpwiki-1.3.12p3/lib/upgrade.php @@ -611,16 +611,22 @@ } if ((ACCESS_LOG_SQL & 2)) { echo _("check for ACCESS_LOG_SQL passwords in POST requests")," ..."; - // Don't display passwords in POST requests (up to 2005-02-04 12:03:20) - $result = $dbh->genericSqlQuery( - "UPDATE ".$prefix."accesslog" - .' SET request_args=CONCAT(left(request_args, LOCATE("s:6:\"passwd\"",request_args)+12),"...")' - .' WHERE LOCATE("s:6:\"passwd\"", request_args)' - .' AND NOT(LOCATE("s:6:\"passwd\";s:15:\"\"", request_args))' - .' AND request_method="POST"'); - if ((DATABASE_TYPE == 'SQL' and $backend->AffectedRows()) - or (DATABASE_TYPE == 'ADODB' and $backend->Affected_Rows()) - or (DATABASE_TYPE == 'PDO' and $result)) + $res = $dbh->genericSqlIter("SELECT time_stamp, remote_host, " . + "request_args FROM ${prefix}accesslog WHERE request_args LIKE " . + "'%s:6:\"passwd\"%' AND request_args NOT LIKE '%s:6:\"passwd\";" . + "s:15:\"\"%'"); + $count=0; + while ($row = $res->next()) { + $args = preg_replace("/(s:6:\"passwd\";s:15:\").*(\")/", + "$1$2", $row["request_args"]); + $ts = $row["time_stamp"]; + $rh = $row["remote_host"]; + $dbh->genericSqlQuery("UPDATE ${prefix}accesslog SET " . + "request_args='$args' WHERE time_stamp=$ts AND " . + "remote_host='$rh'"); + $count++; + } + if ($count > 0) echo "",_("FIXED"),"", "
\n"; else echo _("OK"),"
\n";