lindeas
/
jilo-web
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases 7 Wiki Activity

Validates table names when purging

main
Yasen Pramatarov 2026-04-11 21:41:54 +03:00
parent 665d5bded9
commit e2284695fc
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
app/core/PluginManager.php
View File

@ -332,6 +332,12 @@ class PluginManager
$foreignKeyChecksDisabled = true;
foreach ($tables as $table) {
// Defensive validation: only allow plain SQL identifiers for drop targets.
if (!preg_match('/^[a-zA-Z0-9_]+$/', $table)) {
app_log('warning', 'PluginManager::purge: Skipped unsafe table identifier "' . (string)$table . '" for plugin ' . $plugin, ['scope' => 'plugin']);
continue;
}
$pdo->exec("DROP TABLE IF EXISTS `$table`");
app_log('info', 'PluginManager::purge: Dropped table ' . $table . ' for plugin ' . $plugin, ['scope' => 'plugin']);
}