
Merge branch 'hotfix/zf2014-06'

ZF2014-06 patch

Conflicts:
	README.md
Matthew Weier O'Phinney 11 лет назад
Родитель
Сommit
bfa9060014
3 измененных файлов с 17 добавлено и 0 удалено
  1. 5 0
      README.md
  2. 1 0
      library/Zend/Db/Adapter/Sqlsrv.php
  3. 11 0
      tests/Zend/Db/Adapter/SqlsrvTest.php

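--- a/README.md
+++ b/README.md
@@ -22,6 +22,11 @@ IMPORTANT FIXES FOR 1.12.9
   users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all
   versions of PHP 5.3 and below). If you use `Zend_Ldap` and are on an affected
   version of PHP, we recommend upgrading immediately.
+- **ZF2014-06** `Zend_Db_Adapter_Sqlsrv` had a potential SQL injection
+  vulnerability via improperly quoted null bytes. The code has been updated to
+  ensure proper quoting and thus remove the security vector. If you are using
+  `Zend_Db_Adapter_Sqlsrv` and manually quoting values via the adapter, we
+  encourage you to upgrade immediately.
 
 See http://framework.zend.com/changelog for full details.
 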

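--- a/library/Zend/Db/Adapter/Sqlsrv.php
+++ b/library/Zend/Db/Adapter/Sqlsrv.php
@@ -314,6 +314,7 @@ class Zend_Db_Adapter_Sqlsrv extends Zend_Db_Adapter_Abstract
             return sprintf('%F', $value);
         }
 
+        $value = addcslashes($value, "\000\032");
         return "'" . str_replace("'", "''", $value) . "'";
     }
 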
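Review bot: The added `addcslashes` call replaces a NUL byte and 0x1A with the literal four-character sequences `\000` and `\032`, and nothing on the line says so; since T-SQL string literals do not, as far as I know, interpret backslash escapes, a value containing those bytes is stored altered rather than merely escaped, which is a deliberate trade-off that deserves a comment. I would add above the new line `// NUL and SUB (0x1A) are rewritten as octal escape text (\000, \032) so they cannot pass through unescaped; SQL Server keeps the backslash sequence verbatim, so the value changes rather than being cut short.` The method's signature and the earlier type branches lie outside the hunk, so I cannot tell whether binary data can reach this path; if it can, the method docblock should point such callers to bound parameters instead of quote(). Consider also naming both bytes in that docblock, since the test only mentions the null byte.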

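--- a/tests/Zend/Db/Adapter/SqlsrvTest.php
+++ b/tests/Zend/Db/Adapter/SqlsrvTest.php
@@ -558,4 +558,15 @@ class Zend_Db_Adapter_SqlsrvTest extends Zend_Db_Adapter_TestCommon
     {
         return 'Sqlsrv';
     }
+
+    /**
+     * test that quote() escapes null byte character
+     * in a string.
+     */
+    public function testAdapterQuoteNullByteCharacter()
+    {
+        $string = "1\0";
+        $value  = $this->_db->quote($string);
+        $this->assertEquals("'1\\000'", $value);
+    }
 }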
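Review bot: The new test covers only the NUL byte, while the production change in `Sqlsrv.php` also escapes 0x1A, so the second character in the `addcslashes` list has no coverage. Add an assertion for it in the same method, e.g. `$this->assertEquals("'1\\032'", $this->_db->quote("1\x1a"));`, and widen the docblock to `test that quote() escapes NUL and SUB (0x1A) characters in a string.` A control assertion that a plain value is left untouched, e.g. `$this->assertEquals("'1'", $this->_db->quote('1'));`, would also pin that only the listed characters are rewritten.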