Fix use of raw param calls in UserList. Fixes bug #11774
This commit is contained in:
Colin Kuskie
parent
1a22d13aa1
commit
0e7bc7ae0e
2 changed files with 17 additions and 16 deletions
|
|
@ -15,6 +15,7 @@
|
||||||
- fixed #11768: Edit Branch does not update File wgaccess permissions
|
- fixed #11768: Edit Branch does not update File wgaccess permissions
|
||||||
- added Asset Report Asset allowing creation of reports based on Asset Properties.
|
- added Asset Report Asset allowing creation of reports based on Asset Properties.
|
||||||
- fixed #11773: Pluggable allows arbitrary module loading
|
- fixed #11773: Pluggable allows arbitrary module loading
|
||||||
|
- fixed #11774: UserList SQL injection
|
||||||
|
|
||||||
7.9.10
|
7.9.10
|
||||||
- fixed #11721: spamStopWords not in WebGUI.conf.original
|
- fixed #11721: spamStopWords not in WebGUI.conf.original
|
||||||
|
|
|
||||||
|
|
@ -360,7 +360,8 @@ sub view {
|
||||||
|
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
my $form = $self->session->form;
|
my $form = $self->session->form;
|
||||||
my $url = $self->session->url;
|
my $url = $self->session->url;
|
||||||
|
my $dbh = $self->session->db->dbh;
|
||||||
my $i18n = WebGUI::International->new($self->session, "Asset_UserList");
|
my $i18n = WebGUI::International->new($self->session, "Asset_UserList");
|
||||||
my (%var, @users, @profileField_loop, @profileFields);
|
my (%var, @users, @profileField_loop, @profileFields);
|
||||||
my ($user, $sth, $sql, $profileField);
|
my ($user, $sth, $sql, $profileField);
|
||||||
|
|
@ -442,7 +443,6 @@ sub view {
|
||||||
# Query user profile data. Exclude the visitor account and users that have been deactivated.
|
# Query user profile data. Exclude the visitor account and users that have been deactivated.
|
||||||
$sql = "select distinct users.userId, users.userName, userProfileData.publicProfile ";
|
$sql = "select distinct users.userId, users.userName, userProfileData.publicProfile ";
|
||||||
# Include remaining profile fields in the query
|
# Include remaining profile fields in the query
|
||||||
my $dbh = $self->session->db->dbh;
|
|
||||||
foreach my $profileField (@profileFields){
|
foreach my $profileField (@profileFields){
|
||||||
$sql .= ", userProfileData." . $dbh->quote_identifier($profileField->{fieldName});
|
$sql .= ", userProfileData." . $dbh->quote_identifier($profileField->{fieldName});
|
||||||
}
|
}
|
||||||
|
|
@ -451,22 +451,22 @@ sub view {
|
||||||
|
|
||||||
my $constraint;
|
my $constraint;
|
||||||
my @profileSearchFields = ();
|
my @profileSearchFields = ();
|
||||||
my $searchType = $form->process('searchType') || 'or';
|
my $searchType = lc $form->process('searchType') eq 'and' ? 'and' : 'or';
|
||||||
if ($form->process('search')){
|
if ($form->process('search')){
|
||||||
# Normal search with one keyword takes precedence over other search options
|
# Normal search with one keyword takes precedence over other search options
|
||||||
if($form->process('limitSearch')){
|
if($form->process('limitSearch')){
|
||||||
# Normal search with one keyword in a limited number of fields
|
# Normal search with one keyword in a limited number of fields
|
||||||
foreach my $profileField (@profileFields){
|
foreach my $profileField (@profileFields){
|
||||||
if ($form->process('includeInSearch_'.$profileField->{fieldName})){
|
if ($form->process('includeInSearch_'.$profileField->{fieldName})){
|
||||||
push(@profileSearchFields,'userProfileData.'.$profileField->{fieldName}
|
push(@profileSearchFields, 'userProfileData.'.$dbh->quote_identifier($profileField->{fieldName})
|
||||||
.' like "%'.$form->process('search').'%"');
|
.' like '. $dbh->quote('%'.$form->process('search').'%'));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else{
|
else{
|
||||||
# Normal search with one keyword in all fields
|
# Normal search with one keyword in all fields
|
||||||
$constraint = "(".join(' or ', map {'userProfileData.'.$_->{fieldName}
|
$constraint = "(".join(' or ', map {'userProfileData.'.$dbh->quote_identifier($_->{fieldName})
|
||||||
.' like "%'.$form->process('search').'%"'} @profileFields).")";
|
.' like '.$dbh->quote('%'.$form->process('search').'%')} @profileFields).")";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
elsif ($form->process('searchExact')){
|
elsif ($form->process('searchExact')){
|
||||||
|
|
@ -475,15 +475,15 @@ sub view {
|
||||||
# Exact search with one keyword in a limited number of fields
|
# Exact search with one keyword in a limited number of fields
|
||||||
foreach my $profileField (@profileFields){
|
foreach my $profileField (@profileFields){
|
||||||
if ($form->process('includeInSearch_'.$profileField->{fieldName})){
|
if ($form->process('includeInSearch_'.$profileField->{fieldName})){
|
||||||
push(@profileSearchFields,'userProfileData.'.$profileField->{fieldName}
|
push(@profileSearchFields,'userProfileData.'.$dbh->quote_identifier($profileField->{fieldName})
|
||||||
.' like "'.$form->process('search').'"');
|
.' like '.$dbh->quote($form->process('search')));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else{
|
else{
|
||||||
# Exact search with one keyword in all fields
|
# Exact search with one keyword in all fields
|
||||||
$constraint = "(".join(' or ', map {'userProfileData.'.$_->{fieldName}
|
$constraint = "(".join(' or ', map {'userProfileData.'.$dbh->quote_identifier($_->{fieldName})
|
||||||
.' like "'.$form->process('searchExact').'"'} @profileFields).")";
|
.' like ' . $dbh->quote($form->process('searchExact'))} @profileFields).")";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else{
|
else{
|
||||||
|
|
@ -491,12 +491,12 @@ sub view {
|
||||||
foreach my $profileField (@profileFields){
|
foreach my $profileField (@profileFields){
|
||||||
# Exact search has precedence over normal search
|
# Exact search has precedence over normal search
|
||||||
if ($form->process('searchExact_'.$profileField->{fieldName})){
|
if ($form->process('searchExact_'.$profileField->{fieldName})){
|
||||||
push(@profileSearchFields,'userProfileData.'.$profileField->{fieldName}
|
push(@profileSearchFields,'userProfileData.'.$dbh->quote_identifier($profileField->{fieldName})
|
||||||
.' like "'.$form->process('searchExact_'.$profileField->{fieldName}).'"');
|
.' like '. $dbh->quote($form->process('searchExact_'.$profileField->{fieldName})));
|
||||||
}
|
}
|
||||||
elsif ($form->process('search_'.$profileField->{fieldName})){
|
elsif ($form->process('search_'.$profileField->{fieldName})){
|
||||||
push(@profileSearchFields,'userProfileData.'.$profileField->{fieldName}
|
push(@profileSearchFields,'userProfileData.'.$dbh->quote_identifier($profileField->{fieldName})
|
||||||
.' like "%'.$form->process('search_'.$profileField->{fieldName}).'%"');
|
.' like '. $dbh->quote('%'.$form->process('search_'.$profileField->{fieldName})));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -505,7 +505,7 @@ sub view {
|
||||||
}
|
}
|
||||||
$sql .= " and ".$constraint if ($constraint);
|
$sql .= " and ".$constraint if ($constraint);
|
||||||
|
|
||||||
my $sortBy = $form->process('sortBy') || $self->get('sortBy') || 'users.username';
|
my $sortBy = $form->process('sortBy') || $self->get('sortBy') || 'users.username';
|
||||||
my $sortOrder = $form->process('sortOrder') || $self->get('sortOrder');
|
my $sortOrder = $form->process('sortOrder') || $self->get('sortOrder');
|
||||||
if (lc $sortOrder ne 'desc') {
|
if (lc $sortOrder ne 'desc') {
|
||||||
$sortOrder = 'asc';
|
$sortOrder = 'asc';
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue