joomla · HLeithner · Sep 17, 2019 · Nov 30, 2018
diff --git a/libraries/joomla/database/driver.php b/libraries/joomla/database/driver.php
@@ -1866,6 +1866,21 @@ public function quote($text, $escape = true)
 		}
 	}
 
+	/**
+	 * Quotes a binary string to database requirements for use in database queries.
+	 *
+	 * @param   mixed  $data  A binary string to quote.
+	 *
+	 * @return  string  The binary quoted input string.
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public function quoteBinary($data)
+	{
+		// SQL standard syntax for hexadecimal literals
+		return "X'" . bin2hex($data) . "'";
+	}
+
 	/**
 	 * Wrap an SQL statement identifier name such as column, table or database names in quotes to prevent injection
 	 * risks and reserved word conflicts.

diff --git a/libraries/joomla/database/driver/pgsql.php b/libraries/joomla/database/driver/pgsql.php
@@ -987,4 +987,18 @@ public function updateObject($table, &$object, $key, $nulls = false)
 
 		return $this->execute();
 	}
+
+	/**
+	 * Quotes a binary string to database requirements for use in database queries.
+	 *
+	 * @param   mixed  $data  A binary string to quote.
+	 *
+	 * @return  string  The binary quoted input string.
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public function quoteBinary($data)
+	{
+		return "decode('" . bin2hex($data) . "', 'hex')";
+	}
 }
diff --git a/libraries/joomla/database/driver/postgresql.php b/libraries/joomla/database/driver/postgresql.php
@@ -1600,4 +1600,18 @@ protected function getCreateDatabaseQuery($options, $utf)
 	{
 		return 'CREATE DATABASE ' . $this->quoteName($options->db_name);
 	}
+
+	/**
+	 * Quotes a binary string to database requirements for use in database queries.
+	 *
+	 * @param   mixed  $data  A binary string to quote.
+	 *
+	 * @return  string  The binary quoted input string.
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public function quoteBinary($data)
+	{
+		return "decode('" . bin2hex($data) . "', 'hex')";
+	}
 }
diff --git a/libraries/joomla/database/driver/sqlsrv.php b/libraries/joomla/database/driver/sqlsrv.php
@@ -283,6 +283,21 @@ public function quote($text, $escape = true)
 		return 'N\'' . ($escape ? $this->escape($text) : $text) . '\'';
 	}
 
+	/**
+	 * Quotes a binary string to database requirements for use in database queries.
+	 *
+	 * @param   mixed  $data  A binary string to quote.
+	 *
+	 * @return  string  The binary quoted input string.
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public function quoteBinary($data)
+	{
+		// ODBC syntax for hexadecimal literals
+		return '0x' . bin2hex($data);
+	}
+
 	/**
 	 * Determines if the connection to the server is active.
 	 *

diff --git a/libraries/joomla/session/storage/database.php b/libraries/joomla/session/storage/database.php
@@ -38,7 +38,7 @@ public function read($id)
 			$query = $db->getQuery(true)
 				->select($db->quoteName('data'))
 			->from($db->quoteName('#__session'))
-			->where($db->quoteName('session_id') . ' = ' . $db->quote($id));
+			->where($db->quoteName('session_id') . ' = ' . $db->quoteBinary($id));
 
 			$db->setQuery($query);
 
@@ -77,7 +77,7 @@ public function write($id, $data)
 				->update($db->quoteName('#__session'))
 				->set($db->quoteName('data') . ' = ' . $db->quote($data))
 				->set($db->quoteName('time') . ' = ' . time())
-				->where($db->quoteName('session_id') . ' = ' . $db->quote($id));
+				->where($db->quoteName('session_id') . ' = ' . $db->quoteBinary($id));
 
 			// Try to update the session data in the database table.
 			$db->setQuery($query);
@@ -114,7 +114,7 @@ public function destroy($id)
 		{
 			$query = $db->getQuery(true)
 				->delete($db->quoteName('#__session'))
-				->where($db->quoteName('session_id') . ' = ' . $db->quote($id));
+				->where($db->quoteName('session_id') . ' = ' . $db->quoteBinary($id));
 
 			// Remove a session from the database.
 			$db->setQuery($query);

diff --git a/libraries/legacy/application/application.php b/libraries/legacy/application/application.php
@@ -1041,7 +1041,7 @@ public function checkSession()
 		$query = $db->getQuery(true)
 			->select($db->quoteName('session_id'))
 			->from($db->quoteName('#__session'))
-			->where($db->quoteName('session_id') . ' = ' . $db->quote($session->getId()));
+			->where($db->quoteName('session_id') . ' = ' . $db->quoteBinary($session->getId()));
 
 		$db->setQuery($query, 0, 1);
 		$exists = $db->loadResult();

diff --git a/libraries/src/Session/MetadataManager.php b/libraries/src/Session/MetadataManager.php
@@ -68,7 +68,7 @@ public function createRecordIfNonExisting(Session $session, User $user)
 		$query = $this->db->getQuery(true)
 			->select($this->db->quoteName('session_id'))
 			->from($this->db->quoteName('#__session'))
-			->where($this->db->quoteName('session_id') . ' = ' . $this->db->quote($session->getId()));
+			->where($this->db->quoteName('session_id') . ' = ' . $this->db->quoteBinary($session->getId()));
 
 		$this->db->setQuery($query, 0, 1);
 		$exists = $this->db->loadResult();
@@ -92,7 +92,7 @@ public function createRecordIfNonExisting(Session $session, User $user)
 		);
 
 		$values = array(
-			$this->db->quote($session->getId()),
+			$this->db->quoteBinary($session->getId()),
 			(int) $user->guest,
 			(int) $time,
 			(int) $user->id,

diff --git a/plugins/privacy/user/user.php b/plugins/privacy/user/user.php
@@ -141,7 +141,7 @@ public function onPrivacyRemoveData(PrivacyTableRequest $request, JUser $user =
 		foreach ($sessionIds as $sessionId)
 		{
 			$store->destroy($sessionId);
-			$quotedIds[] = $this->db->quote($sessionId);
+			$quotedIds[] = $this->db->quoteBinary($sessionId);
 		}
 
 		$this->db->setQuery(

diff --git a/plugins/user/joomla/joomla.php b/plugins/user/joomla/joomla.php
@@ -239,7 +239,7 @@ public function onUserLogin($user, $options = array())
 		// Purge the old session
 		$query = $this->db->getQuery(true)
 			->delete('#__session')
-			->where($this->db->quoteName('session_id') . ' = ' . $this->db->quote($oldSessionId));
+			->where($this->db->quoteName('session_id') . ' = ' . $this->db->quoteBinary($oldSessionId));
 
 		try
 		{