Fixed escapeLike fails to escape backslashes

[PaulB]

Affected version

2.2.8.0

Replacements it performs:

• % -> \%
• _ -> \_

However, it neglects to perform:

• \ -> \\

This means input such as this:

\%

Will become:

\\%

Which MySQL/MariaDB will interpret as a literal backslash followed by a LIKE wildcard.

While this could theoretically result in security vulnerabilities in some add-ons, I can't find any instances in which this would result in a security issue in vanilla XenForo; it just breaks certain searches.

 

[XF Bug Bot]

Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.13).

Change log:

Escape backslashes when escaping SQL like clauses

There may be a delay before changes are rolled out to the XenForo Community.