
Make formatOrderClause() safer

Summary:
Ref T7803. Instead of trusting subqueries to provide safe values, escape them explicitly.

(We'll probably have a few cases somewhere where this doesn't work, but can make them the exception rather than the rule.)

Test Plan: Issued all "order" queries in Diffusion.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T7803

Differential Revision: https://secure.phabricator.com/D12351

+22 -8
+10 -5
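--- a/src/applications/repository/query/PhabricatorRepositoryQuery.php
+++ b/src/applications/repository/query/PhabricatorRepositoryQuery.php
@@ -304,24 +304,28 @@
         break;
       case self::ORDER_COMMITTED:
         $parts[] = array(
-          'name' => 's.epoch',
+          'table' => 's',
+          'column' => 'epoch',
         );
         break;
       case self::ORDER_CALLSIGN:
         $parts[] = array(
-          'name' => 'r.callsign',
+          'table' => 'r',
+          'column' => 'callsign',
           'reverse' => true,
         );
         break;
       case self::ORDER_NAME:
         $parts[] = array(
-          'name' => 'r.name',
+          'table' => 'r',
+          'column' => 'name',
           'reverse' => true,
         );
         break;
       case self::ORDER_SIZE:
         $parts[] = array(
-          'name' => 's.size',
+          'table' => 's',
+          'column' => 'size',
         );
         break;
       default:
@@ -329,7 +333,8 @@
     }
 
     $parts[] = array(
-      'name' => 'r.id',
+      'table' => 'r',
+      'column' => 'id',
     );
 
     return $this->formatOrderClause($conn, $parts);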
+12 -3
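--- a/src/infrastructure/query/policy/PhabricatorCursorPagedPolicyAwareQuery.php
+++ b/src/infrastructure/query/policy/PhabricatorCursorPagedPolicyAwareQuery.php
@@ -310,12 +310,21 @@
         $descending = !$descending;
       }
 
-      $name = $part['name'];
+      $table = idx($part, 'table');
+      $column = $part['column'];
 
       if ($descending) {
-        $sql[] = qsprintf($conn, '%Q DESC', $name);
+        if ($table !== null) {
+          $sql[] = qsprintf($conn, '%T.%T DESC', $table, $column);
+        } else {
+          $sql[] = qsprintf($conn, '%T DESC', $column);
+        }
       } else {
-        $sql[] = qsprintf($conn, '%Q ASC', $name);
+        if ($table !== null) {
+          $sql[] = qsprintf($conn, '%T.%T ASC', $table, $column);
+        } else {
+          $sql[] = qsprintf($conn, '%T ASC', $column);
+        }
       }
     }
 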
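Review bot: `$column = $part['column'];` on new line 314 reads the key unconditionally, so any caller still passing the old `'name'` shape (the description itself expects a few such cases to remain) would produce an undefined-index notice and feed `null` into `%T`, yielding a malformed or empty ORDER BY identifier instead of a clear failure; fetch it with `idx()` and throw when it is missing so stale callers fail loudly at the escaping boundary rather than emitting a silent notice. The four `qsprintf` branches also duplicate the identifier construction, and a single escaped `$identifier` built once and then suffixed with `ASC`/`DESC` keeps the escaping logic in one place. `%Q` is only used here on the output of an earlier `%T` escape, so no raw caller-supplied string reaches the clause. The enclosing loop and `formatOrderClause()` start before this hunk.

```php
      $table = idx($part, 'table');
      $column = idx($part, 'column');
      if ($column === null) {
        // Fail loudly for callers still using the pre-escaping 'name' shape.
        throw new Exception('Order part must specify a "column" key.');
      }

      if ($table !== null) {
        $identifier = qsprintf($conn, '%T.%T', $table, $column);
      } else {
        $identifier = qsprintf($conn, '%T', $column);
      }

      if ($descending) {
        $sql[] = qsprintf($conn, '%Q DESC', $identifier);
      } else {
        $sql[] = qsprintf($conn, '%Q ASC', $identifier);
      }
```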