oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix 11779 SQLReport can run arbitrary queries

Browse source
This commit is contained in:
Doug Bell 2010-08-11 14:48:38 -05:00
parent 02121fb7a9
commit 0957759fa9
3 changed files with 9 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
docs/changelog/7.x.x.txt
View file

@ -1,5 +1,6 @@
7.9.12 7.9.12
- webgui.org homepage gives 404 (#11778) - webgui.org homepage gives 404 (#11778)
- fixed #11779: SQLReport can run arbitrary queries
7.9.11 7.9.11
- fixed #11755: New cart does not update shipping methods correctly - fixed #11755: New cart does not update shipping methods correctly

3
lib/WebGUI/DatabaseLink.pm
View file

@ -383,6 +383,9 @@ sub queryIsAllowed {
my $self = shift; my $self = shift;
my $query = shift; my $query = shift;
# Remove all comments before checking validity
$query =~ s{/[*].*?[*]/}{}g;
my ($firstWord) = $query =~ /(\w+)/; my ($firstWord) = $query =~ /(\w+)/;
$firstWord = lc $firstWord; $firstWord = lc $firstWord;
return isIn($firstWord, split(/\s+/, lc $self->{_databaseLink}{allowedKeywords})) ? 1 : 0; return isIn($firstWord, split(/\s+/, lc $self->{_databaseLink}{allowedKeywords})) ? 1 : 0;

5
t/DatabaseLink.t
View file

@ -156,6 +156,11 @@ my $queries = [
expect => 1, expect => 1,
comment => '... parenthesized', comment => '... parenthesized',
}, },
{
query => '/* SELECT */ DELETE FROM users',
expect => 0,
comment => 'Initial comment with valid keyword',
},
]; ];
plan tests => 14 plan tests => 14