fix 11779 SQLReport can run arbitrary queries

2010-08-11 14:48:38 -05:00 · 2010-08-11 14:48:38 -05:00 · 0957759fa9
commit 0957759fa9
parent 02121fb7a9
3 changed files with 9 additions and 0 deletions
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@ -1,5 +1,6 @@
 7.9.12
 - webgui.org homepage gives 404  (#11778)
+ - fixed #11779: SQLReport can run arbitrary queries

 7.9.11
 - fixed #11755: New cart does not update shipping methods correctly
--- a/lib/WebGUI/DatabaseLink.pm
+++ b/lib/WebGUI/DatabaseLink.pm
@ -383,6 +383,9 @@ sub queryIsAllowed {
 	my $self  = shift;
 	my $query = shift;

+    # Remove all comments before checking validity
+    $query =~ s{/[*].*?[*]/}{}g;
+
    my ($firstWord) = $query =~ /(\w+)/;
    $firstWord = lc $firstWord;
    return isIn($firstWord, split(/\s+/, lc $self->{_databaseLink}{allowedKeywords})) ? 1 : 0;
--- a/t/DatabaseLink.t
+++ b/t/DatabaseLink.t
@ -156,6 +156,11 @@ my $queries = [
        expect  => 1,
        comment => '... parenthesized',
    },
+    {
+        query   => '/* SELECT */ DELETE FROM users',
+        expect  => 0,
+        comment => 'Initial comment with valid keyword',
+    },
 ];

 plan tests => 14