Commit d216a8c0 authored by Francois Marier's avatar Francois Marier

Extra validation for search fields



This is not a security fix but rather a cleanup to harden this code
and make it harder to accidentally introduce a SQL injection in the
future.
Signed-off-by: default avatarFrancois Marier <francois@catalyst.net.nz>
parent dc04329d
......@@ -223,7 +223,16 @@ class PluginSearchInternal extends PluginSearch {
public static function admin_search_user($queries, $constraints, $offset, $limit,
$sortfield, $sortdir) {
$sort = $sortfield . ' ' . strtoupper($sortdir);
$sort = 'TRUE';
if (preg_match('/^[a-zA-Z_0-9"]+$/', $sortfield)) {
$sort = $sortfield;
if (strtoupper($sortdir) != 'DESC') {
$sort .= ' ASC';
}
else {
$sort .= ' DESC';
}
}
$where = 'WHERE u.id <> 0 AND u.deleted = 0';
$values = array();
......@@ -236,6 +245,9 @@ class PluginSearchInternal extends PluginSearch {
$where .= ' AND ( ';
$str = array();
foreach ($queries as $f) {
if (!preg_match('/^[a-zA-Z_0-9"]+$/', $f['field'])) {
continue; // skip this field as it fails validation
}
$str[] = 'u.' . $f['field']
. PluginSearchInternal::match_expression($f['type'], $f['string'], $values, $ilike);
}
......@@ -353,6 +365,9 @@ class PluginSearchInternal extends PluginSearch {
$where .= ' AND ( ';
$str = array();
foreach ($queries as $f) {
if (!preg_match('/^[a-zA-Z_0-9"]+$/', $f['field'])) {
continue; // skip this field as it fails validation
}
$str[] = 'u.' . $f['field']
. PluginSearchInternal::match_expression($f['type'], $f['string'], $values, $ilike);
}
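Review bot: The allowlist `/^[a-zA-Z_0-9"]+$/` used at L18, L33 and L43 accepts a double quote anywhere and in any number, so a value such as `id"` or `"id` passes validation and still reaches the query as an unbalanced quoted identifier; that yields a database error rather than an injection, but if the intent is to permit quoted column names a stricter pattern says so directly: `/^(?:[a-zA-Z_0-9]+|"[a-zA-Z_0-9]+")$/`. Because the same pattern is repeated three times, keeping it in one class constant (e.g. `const FIELD_PATTERN = '/^(?:[a-zA-Z_0-9]+|"[a-zA-Z_0-9]+")$/';`) or a small `is_valid_field($name)` helper would stop the copies drifting apart in later edits. The `continue` at L34 and L44 silently drops an invalid query field; if every entry is rejected, the `implode` that presumably follows the loop (outside this hunk) would leave an empty `( )` in `$where`, so an `if (empty($str))` guard or at least a log line for the rejected field name seems worthwhile. A stronger long-term check than a character class would be an explicit list of the searchable column names, which also makes the `"` question moot.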
......