From 0e7bc7ae0e84b86ee1b5b6a96e6cb460d8da2102 Mon Sep 17 00:00:00 2001 From: Colin Kuskie Date: Tue, 10 Aug 2010 20:36:56 -0700 Subject: [PATCH] Fix use of raw param calls in UserList. Fixes bug #11774 --- docs/changelog/7.x.x.txt | 1 + lib/WebGUI/Asset/Wobject/UserList.pm | 32 ++++++++++++++-------------- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt index d81bcf4fb..14e005279 100644 --- a/docs/changelog/7.x.x.txt +++ b/docs/changelog/7.x.x.txt @@ -15,6 +15,7 @@ - fixed #11768: Edit Branch does not update File wgaccess permissions - added Asset Report Asset allowing creation of reports based on Asset Properties. - fixed #11773: Pluggable allows arbitrary module loading + - fixed #11774: UserList SQL injection 7.9.10 - fixed #11721: spamStopWords not in WebGUI.conf.original diff --git a/lib/WebGUI/Asset/Wobject/UserList.pm b/lib/WebGUI/Asset/Wobject/UserList.pm index c3723485b..5a450d4a0 100644 --- a/lib/WebGUI/Asset/Wobject/UserList.pm +++ b/lib/WebGUI/Asset/Wobject/UserList.pm @@ -360,7 +360,8 @@ sub view { my $self = shift; my $form = $self->session->form; - my $url = $self->session->url; + my $url = $self->session->url; + my $dbh = $self->session->db->dbh; my $i18n = WebGUI::International->new($self->session, "Asset_UserList"); my (%var, @users, @profileField_loop, @profileFields); my ($user, $sth, $sql, $profileField); @@ -442,7 +443,6 @@ sub view { # Query user profile data. Exclude the visitor account and users that have been deactivated. $sql = "select distinct users.userId, users.userName, userProfileData.publicProfile "; # Include remaining profile fields in the query - my $dbh = $self->session->db->dbh; foreach my $profileField (@profileFields){ $sql .= ", userProfileData." . $dbh->quote_identifier($profileField->{fieldName}); } 
@@ -451,22 +451,22 @@ sub view {
 my $constraint;
 my @profileSearchFields = ();
- my $searchType = $form->process('searchType') || 'or';
+ my $searchType = lc $form->process('searchType') eq 'and' ? 'and' : 'or';
 if ($form->process('search')){
 # Normal search with one keyword takes precedence over other search options
 if($form->process('limitSearch')){
 # Normal search with one keyword in a limited number of fields
 foreach my $profileField (@profileFields){
 if ($form->process('includeInSearch_'.$profileField->{fieldName})){
- push(@profileSearchFields,'userProfileData.'.$profileField->{fieldName}
- .' like "%'.$form->process('search').'%"');
+ push(@profileSearchFields, 'userProfileData.'.$dbh->quote_identifier($profileField->{fieldName})
+ .' like '. $dbh->quote('%'.$form->process('search').'%'));
 }
 }
 }
 else{
 # Normal search with one keyword in all fields
- $constraint = "(".join(' or ', map {'userProfileData.'.$_->{fieldName}
- .' like "%'.$form->process('search').'%"'} @profileFields).")";
+ $constraint = "(".join(' or ', map {'userProfileData.'.$dbh->quote_identifier($_->{fieldName})
+ .' like '.$dbh->quote('%'.$form->process('search').'%')} @profileFields).")";
 }
 }
 elsif ($form->process('searchExact')){
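Review bot: The new `my $searchType = lc $form->process('searchType') eq 'and' ? 'and' : 'or';` applies `lc` to whatever `process` returns for a request that carries no searchType, which is the common case; if that is undef, every view logs an "uninitialized value in lc" warning under `use warnings`, and `my $searchType = lc($form->process('searchType') || '') eq 'and' ? 'and' : 'or';` keeps the same and/or whitelist without the noise. The keyword now goes through `$dbh->quote`, which closes the injection, but `%` and `_` inside it are still LIKE metacharacters, so a search for `_` matches every non-empty value; if the "normal" search is meant to be literal text, escape them before wrapping, e.g. `(my $kw = $form->process('search')) =~ s/([\\%_])/\\$1/g;`, assuming the backslash escape MySQL uses. Both branches also re-run `$form->process('search')` and `$dbh->quote` once per profile field; building the pattern once before the loop, `my $pattern = $dbh->quote('%'.$form->process('search').'%');`, and reusing it in the push and the map makes the quoting visibly apply everywhere. The if/elsif chain this hunk opens continues past the end of the hunk.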
@@ -475,15 +475,15 @@ sub view {
 # Exact search with one keyword in a limited number of fields
 foreach my $profileField (@profileFields){
 if ($form->process('includeInSearch_'.$profileField->{fieldName})){
- push(@profileSearchFields,'userProfileData.'.$profileField->{fieldName}
- .' like "'.$form->process('search').'"');
+ push(@profileSearchFields,'userProfileData.'.$dbh->quote_identifier($profileField->{fieldName})
+ .' like '.$dbh->quote($form->process('search')));
 }
 }
 }
 else{
 # Exact search with one keyword in all fields
- $constraint = "(".join(' or ', map {'userProfileData.'.$_->{fieldName}
- .' like "'.$form->process('searchExact').'"'} @profileFields).")";
+ $constraint = "(".join(' or ', map {'userProfileData.'.$dbh->quote_identifier($_->{fieldName})
+ .' like ' . $dbh->quote($form->process('searchExact'))} @profileFields).")";
 }
 }
 else{
@@ -491,12 +491,12 @@ sub view {
 foreach my $profileField (@profileFields){
 # Exact search has precedence over normal search
 if ($form->process('searchExact_'.$profileField->{fieldName})){
- push(@profileSearchFields,'userProfileData.'.$profileField->{fieldName}
- .' like "'.$form->process('searchExact_'.$profileField->{fieldName}).'"');
+ push(@profileSearchFields,'userProfileData.'.$dbh->quote_identifier($profileField->{fieldName})
+ .' like '. $dbh->quote($form->process('searchExact_'.$profileField->{fieldName})));
 }
 elsif ($form->process('search_'.$profileField->{fieldName})){
- push(@profileSearchFields,'userProfileData.'.$profileField->{fieldName}
- .' like "%'.$form->process('search_'.$profileField->{fieldName}).'%"');
+ push(@profileSearchFields,'userProfileData.'.$dbh->quote_identifier($profileField->{fieldName})
+ .' like '. $dbh->quote('%'.$form->process('search_'.$profileField->{fieldName})));
 }
 }
 }
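Review bot: The limited-field exact search still quotes `$form->process('search')`, yet this branch is only reached from `elsif ($form->process('searchExact'))` (the last line of the preceding hunk) after the outer `if ($form->process('search'))` was already false, so the pushed clause compares against an empty literal or `NULL` and cannot match a real value; it presumably should read `.' like '.$dbh->quote($form->process('searchExact'))`, as the all-fields branch below it does. Separately, both "exact" branches keep `like` on a value that is quoted but not escaped, so `%` and `_` in the keyword act as wildcards and the match is not exact; if equality is intended, `' = '.$dbh->quote(...)` says so directly, otherwise escape the metacharacters before quoting. The `limitSearch` test that selects this branch and the start of the surrounding if/elsif chain lie outside this hunk.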
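Review bot: The per-field normal search in the `search_` branch lost its trailing wildcard: the removed line wrapped the keyword as `"%...%"`, while the new call is `$dbh->quote('%'.$form->process('search_'.$profileField->{fieldName}))`, so the clause now matches only values that end with the keyword rather than values that contain it. Restore the original contains-match with `.' like '. $dbh->quote('%'.$form->process('search_'.$profileField->{fieldName}).'%')`. The `searchExact_` clause just above carries the same quoted-but-unescaped `%`/`_` caveat as the other exact branches, so a supposedly exact per-field search is still a pattern match. The foreach sits in an else branch whose opening line is outside this hunk.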
@@ -505,7 +505,7 @@ sub view {
 }
 $sql .= " and ".$constraint if ($constraint);
- my $sortBy = $form->process('sortBy') || $self->get('sortBy') || 'users.username';
+ my $sortBy = $form->process('sortBy') || $self->get('sortBy') || 'users.username';
 my $sortOrder = $form->process('sortOrder') || $self->get('sortOrder');
 if (lc $sortOrder ne 'desc') {
 $sortOrder = 'asc';