From b2cfe36d7c07ac767113ad9dbd9ec27fc794f35c Mon Sep 17 00:00:00 2001 From: Florian Pritz Date: Sun, 14 Apr 2024 12:59:00 +0200 Subject: fix(duser_db): Guard against NULL values When a user is deleted, their details are set to NULL. When no username is specific for a password reset, this can trigger an email being sent to an empty recipient which will not be deliverable. Just to be safe, guard against NULL values for all the user related functions. Signed-off-by: Florian Pritz --- NEWS | 1 + application/libraries/Duser/drivers/Duser_db.php | 12 ++++++++++++ 2 files changed, 13 insertions(+) diff --git a/NEWS b/NEWS index 89a76b342..b70320d2b 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,7 @@ This file lists major, incompatible or otherwise important changes, you should look at it after every update. NEXT + - Fix password reset trying to send mails to deleted users 4.0.1 2024-01-14 - Fix PHP 8.2 deprecation warnings diff --git a/application/libraries/Duser/drivers/Duser_db.php b/application/libraries/Duser/drivers/Duser_db.php index 062da9e54..e1df20f1f 100644 --- a/application/libraries/Duser/drivers/Duser_db.php +++ b/application/libraries/Duser/drivers/Duser_db.php @@ -24,6 +24,10 @@ class Duser_db extends Duser_Driver { { $CI =& get_instance(); + if ($username === null) { + return false; + } + $query = $CI->db->select('username, id, password') ->from('users') ->where('username', $username) @@ -48,6 +52,10 @@ class Duser_db extends Duser_Driver { { $CI =& get_instance(); + if ($username === null) { + return false; + } + $query = $CI->db->select('id') ->from('users') ->where('username', $username) @@ -64,6 +72,10 @@ class Duser_db extends Duser_Driver { { $CI =& get_instance(); + if ($userid === null) { + throw new \exceptions\ApiException("libraries/duser/db/get_email-failed", "User does not exist"); + } + $query = $CI->db->select('email') ->from('users') ->where('id', $userid) -- cgit v1.2.3-24-g4f1b