phpBB3 / PHPBB3-16348

user_ban double free of $result when banning a non-existent or disallowed username on command line

    Details

      Description

      In the global user_ban function, if an attempt is made to ban a username and that username is not valid or it is filtered due to being a founder type account, the code will call trigger_error('NO_USERS', E_USER_WARNING). Under a non-cli SAPI the E_USER_WARNING will happen to cause PHP to exit early, but on the cli SAPI this is not so, which means this code path on the command line makes two calls to $db->sql_freeresult($result).

      The call to $db->sql_freeresult($result) at https://github.com/phpbb/phpbb/blob/3bb2edd53de2e1b6e9b23099c21e72cd6063c1a4/phpBB/includes/functions_user.php#L1054 should simply be moved up into the if-statement’s consequent block.
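
      The control flow described above, as an added example that is not part of the original report and is not phpBB's code: a simplified model of the lookup, before and after the proposed move, that counts how often each result handle is freed. StubDb, both function names, the error handler and the sample rows are hypothetical; the handler stands in for the cli behaviour the report describes.

```php
<?php
// Added illustration, not phpBB code: StubDb and both functions are hypothetical.
class StubDb
{
    public array $frees = [];   // result handle => sql_freeresult() call count
    private array $rows = [];
    public function sql_query(array $rows): int
    {
        $this->rows[] = $rows;
        $this->frees[] = 0;
        return count($this->rows) - 1;
    }
    public function sql_fetchrow(int $h) { return array_shift($this->rows[$h]) ?? false; }
    public function sql_freeresult(int $h): void { $this->frees[$h]++; }
}
// Assumption: models the cli case in the report, where the warning does not stop execution.
set_error_handler(fn (int $no, string $msg): bool => true, E_USER_WARNING);

function lookup_as_reported(StubDb $db, array $rows): array
{
    $ids = [];
    $result = $db->sql_query($rows);
    if ($row = $db->sql_fetchrow($result)) {
        do { $ids[] = (int) $row['user_id']; } while ($row = $db->sql_fetchrow($result));
    } else {
        $db->sql_freeresult($result);
        trigger_error('NO_USERS', E_USER_WARNING);
    }
    $db->sql_freeresult($result);   // runs a second time when no user matched
    return $ids;
}
function lookup_with_fix(StubDb $db, array $rows): array
{
    $ids = [];
    $result = $db->sql_query($rows);
    if ($row = $db->sql_fetchrow($result)) {
        do { $ids[] = (int) $row['user_id']; } while ($row = $db->sql_fetchrow($result));
        $db->sql_freeresult($result);   // moved into the consequent block
    } else {
        $db->sql_freeresult($result);
        trigger_error('NO_USERS', E_USER_WARNING);
    }
    return $ids;
}
$db = new StubDb();
lookup_as_reported($db, []);                // constructed input: no matching user
lookup_with_fix($db, []);                   // same input, fixed flow
lookup_with_fix($db, [['user_id' => 7]]);   // constructed input: one match
var_export($db->frees);                     // per-handle free counts
```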

            People

            • Assignee:
              Marc
              Reporter:
              Snover [X] (Inactive)