From 06d61ec19de15ba0a176839c8ae8afbc9dbcf586 Mon Sep 17 00:00:00 2001
From: Graham Knop
Date: Mon, 10 May 2010 13:06:14 -0500
Subject: [PATCH] fixed: UserList asset has SQL injection bug
---
 docs/changelog/7.x.x.txt | 1 +
 lib/WebGUI/Asset/Wobject/UserList.pm | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index 8188c81e7..90fbdb8ca 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -5,6 +5,7 @@
 - fixed #11541: running workflows screen
 - fixed #11544: VersionTag Workflows with missing Version Tags run forever
 - fixed #11555: Wiki subcategories entry field is not labeled
+ - fixed: UserList asset has SQL injection bug
 7.9.4
 - We're shipping underscore.js now for its suite of extremely handy utility
diff --git a/lib/WebGUI/Asset/Wobject/UserList.pm b/lib/WebGUI/Asset/Wobject/UserList.pm
index 9e4d3947b..f14624e3a 100644
--- a/lib/WebGUI/Asset/Wobject/UserList.pm
+++ b/lib/WebGUI/Asset/Wobject/UserList.pm
@@ -506,12 +506,16 @@ sub view {
 $sql .= " and ".$constraint if ($constraint);
 my $sortBy = $form->process('sortBy') || $self->get('sortBy') || 'users.username';
- my $sortOrder = $form->process('sortOrder') || $self->get('sortOrder') || 'asc';
+ my $sortOrder = $form->process('sortOrder') || $self->get('sortOrder');
+ if (lc $sortOrder ne 'desc') {
+ $sortOrder = 'asc';
+ }
 my @sortByUserProperties = ('dateCreated', 'lastUpdated', 'karma', 'userId');
 if(isIn($sortBy,@sortByUserProperties)){
 $sortBy = 'users.'.$sortBy;
 }
+ $sortBy = join '.', map { $self->session->db->quoteIdentifier } split /\./, $sortBy;
 $sql .= " order by ".$sortBy." ".$sortOrder;
 ($defaultPublicProfile) = $self->session->db->quickArray("SELECT dataDefault FROM userProfileField WHERE fieldName='publicProfile'");
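Review bot: The added `$sortBy = join '.', map { $self->session->db->quoteIdentifier } split /\./, $sortBy;` line calls `quoteIdentifier` with no argument, so unless that method falls back to `$_` (not visible in this hunk) every segment is quoted as an undef/empty name and the generated `order by` no longer names the requested column at all; pass the segment explicitly, `map { $self->session->db->quoteIdentifier($_) }`. The new `sortOrder` guard is sound as written (`lc` binds tighter than `ne`), but when neither the form nor the asset supplies a value `lc $sortOrder` emits an uninitialized-value warning; `if (!defined $sortOrder || lc $sortOrder ne 'desc') {` keeps the same `asc` default without it. Quoting makes an arbitrary `sortBy` inert as SQL but does not validate it, so an unknown name still reaches the database and surfaces as a query error; checking it against an allowlist of sortable columns (the existing `@sortByUserProperties` plus whichever profile fields the asset exposes) would be the tighter check. `sub view` begins before and continues after this hunk.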