From a4972e040048db05d407b3a709330914e35a5788 Mon Sep 17 00:00:00 2001 From: Rom Walton Date: Wed, 5 Dec 2012 17:14:30 -0500 Subject: [PATCH] - MGR: Fix two potential security issues with browser.cpp where the query to the cookie database could have been abused. At present neither of the two parameters originate as user input so using it as an attack vector isn't very high. Prevent the functions from being exploited in the future in case the routines were ever used in a different way. --- checkin_notes | 11 +++++++++++ clientgui/browser.cpp | 8 ++++---- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/checkin_notes b/checkin_notes index 4619418289..ade6b23deb 100644 --- a/checkin_notes +++ b/checkin_notes @@ -7287,3 +7287,14 @@ David 7 Dec 2012 - lib: add size info to messages when realloc() fails in MFILE lib/ mfile.cpp + +Rom 5 Dec 2012 + - MGR: Fix two potential security issues with browser.cpp where the + query to the cookie database could have been abused. At present + neither of the two parameters originate as user input so using it + as an attack vector isn't very high. Prevent the functions from + being exploited in the future in case the routines were ever used + in a different way. + + clientgui/ + browser.cpp diff --git a/clientgui/browser.cpp b/clientgui/browser.cpp index 32d2d3895c..b5b6c243d1 100644 --- a/clientgui/browser.cpp +++ b/clientgui/browser.cpp @@ -600,8 +600,8 @@ retry: // construct SQL query to extract the desired cookie // SELECT host, name, value, expiry from moz_cookies WHERE name = '%s' AND host LIKE '%%%s' - snprintf(query, sizeof(query), - "SELECT host, name, value, expiry from moz_cookies WHERE name = '%s' AND host LIKE '%%%s'", + sqlite3_snprintf(sizeof(query), query, + "SELECT host, name, value, expiry from moz_cookies WHERE name = '%q' AND host LIKE '%%%q'", name.c_str(), hostname.c_str() ); 
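Review bot: `%q` doubles single quotes but leaves the LIKE wildcards `%` and `_` untouched, so a `hostname` containing either still widens the `host LIKE '%%%q'` match beyond the intended suffix (an `_` matches any single character); the same applies to the `detect_cookie_chrome` hunk below. If an exact suffix match is intended, either escape those two characters in `hostname` and append an `ESCAPE` clause to the pattern, or, better, build the statement with `sqlite3_prepare_v2` and `?` placeholders bound via `sqlite3_bind_text`, which removes the escaping question and the fixed-size `query` buffer whose silent truncation (slightly more likely now that every quote is doubled) yields a malformed statement. The context comment above the call still reads `name = '%s' AND host LIKE '%%%s'` and should be updated to `name = '%q' AND host LIKE '%%%q'` so it matches the new format string; the chrome hunk's comment has the same stale `%s`. The enclosing function begins before this hunk.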
@@ -814,8 +814,8 @@ bool detect_cookie_chrome( // construct SQL query to extract the desired cookie // SELECT host_key, name, value, expires_utc, httponly from cookies WHERE name = '%s' AND host_key LIKE '%%%s' - snprintf(query, sizeof(query), - "SELECT host_key, name, value, expires_utc, httponly from cookies WHERE name = '%s' AND host_key LIKE '%%%s'", + sqlite3_snprintf(sizeof(query), query, + "SELECT host_key, name, value, expires_utc, httponly from cookies WHERE name = '%q' AND host_key LIKE '%%%q'", name.c_str(), hostname.c_str() );