Skip to content

Commit

Permalink
validate sql_search and sql_orderby API parameters, set version to 0.…
Browse files Browse the repository at this point in the history
…10.34 for security release

Signed-off-by: Michael Kaufmann <[email protected]>
  • Loading branch information
d00p committed Apr 1, 2022
1 parent 3c16fab commit 4546c00
Show file tree
Hide file tree
Showing 5 changed files with 25 additions and 3 deletions.
2 changes: 1 addition & 1 deletion install/froxlor.sql
Original file line number Diff line number Diff line change
Expand Up @@ -723,7 +723,7 @@ opcache.validate_timestamps'),
('panel', 'logo_image_login', ''),
('panel', 'logo_overridetheme', '0'),
('panel', 'logo_overridecustom', '0'),
('panel', 'version', '0.10.33'),
('panel', 'version', '0.10.34'),
('panel', 'db_version', '202112310');


Expand Down
5 changes: 5 additions & 0 deletions install/updates/froxlor/0.10/update_0.10.inc.php
Original file line number Diff line number Diff line change
Expand Up @@ -970,3 +970,8 @@
showUpdateStep("Updating from 0.10.32 to 0.10.33", false);
\Froxlor\Froxlor::updateToVersion('0.10.33');
}

if (\Froxlor\Froxlor::isFroxlorVersion('0.10.33')) {
showUpdateStep("Updating from 0.10.33 to 0.10.34", false);
\Froxlor\Froxlor::updateToVersion('0.10.34');
}
17 changes: 17 additions & 0 deletions lib/Froxlor/Api/ApiCommand.php
Original file line number Diff line number Diff line change
Expand Up @@ -297,6 +297,10 @@ protected function getSearchWhere(&$query_fields = array(), $append = false)
$sortfield[$id] = $sfield;
}
$field = implode('.', $sortfield);
if (preg_match('/^([a-z0-9\-\._`]+)$/i', $field) == false) {
// skip
continue;
}
if (! $first) {
$condition .= ' AND ';
}
Expand All @@ -313,6 +317,14 @@ protected function getSearchWhere(&$query_fields = array(), $append = false)
} elseif (strtolower($valoper['op']) == 'in' && is_array($valoper['value']) && count($valoper['value']) > 0) {
$condition .= $field . ' ' . $valoper['op'] . ' (';
foreach ($valoper['value'] as $incnt => $invalue) {
if (!is_numeric($incnt)) {
// skip
continue;
}
if (!empty($invalue) && preg_match('/^([a-z0-9\-\._`]+)$/i', $invalue) == false) {
// skip
continue;
}
$condition .= ":" . $cleanfield . $incnt . ", ";
$query_fields[':' . $cleanfield . $incnt] = $invalue ?? '';
}
Expand Down Expand Up @@ -398,6 +410,10 @@ protected function getOrderBy($append = false)
$sortfield[$id] = $sfield;
}
$field = implode('.', $sortfield);
if (preg_match('/^([a-z0-9\-\._`]+)$/i', $field) == false) {
// skip
continue;
}
$by = strtoupper($by);
if (! in_array($by, [
'ASC',
Expand All @@ -423,6 +439,7 @@ protected function getOrderBy($append = false)
return $order;
}


/**
* return logger instance
*
Expand Down
2 changes: 1 addition & 1 deletion lib/Froxlor/Froxlor.php
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ final class Froxlor
{

// Main version variable
const VERSION = '0.10.33';
const VERSION = '0.10.34';

// Database version (YYYYMMDDC where C is a daily counter)
const DBVERSION = '202112310';
Expand Down
2 changes: 1 addition & 1 deletion lng/german.lng.php
Original file line number Diff line number Diff line change
Expand Up @@ -410,7 +410,7 @@

// ADDED IN 1.2.13-rc3

$lng['error']['cantchangesystemip'] = 'Sie können die letzte System-IP-Adresse nicht löschen. Entweder legen Sie eine neue IP/Port-Kombination an oder Sie ändern die System-IP-Adresse.';
$lng['error']['cantchangesystemip'] = 'Sie können die letzte System-IP-Adresse nicht ändern. Entweder legen Sie eine neue IP/Port-Kombination an oder Sie ändern die System-IP-Adresse.';
$lng['question']['admin_domain_reallydocrootoutofcustomerroot'] = 'Sind Sie sicher, dass der DocumentRoot dieser Domain außerhalb des Heimatverzeichnisses des Kunden liegen soll?';

// ADDED IN 1.2.14-rc1
Expand Down

0 comments on commit 4546c00

Please sign in to comment.