From 3141a6ed5ee03f3afd766085a9d827bde431a7bd Mon Sep 17 00:00:00 2001
From: khenn
Date: Tue, 10 Aug 2010 21:35:07 -0500
Subject: [PATCH] Fixed injection issues with SQL. Fixed a JS issue introduced in previous bug fix.
---
lib/WebGUI/Asset/Wobject/AssetReport.pm | 107 +++++++++++++++++-
.../yui-webgui/build/form/assetReportQuery.js | 3 -
2 files changed, 102 insertions(+), 8 deletions(-)
diff --git a/lib/WebGUI/Asset/Wobject/AssetReport.pm b/lib/WebGUI/Asset/Wobject/AssetReport.pm
index 96bdf5386..1759e4840 100644
--- a/lib/WebGUI/Asset/Wobject/AssetReport.pm
+++ b/lib/WebGUI/Asset/Wobject/AssetReport.pm
@@ -20,6 +20,58 @@ use WebGUI::Utility;
 use Class::C3;
 use base qw/WebGUI::Asset::Wobject/;
+
+#-------------------------------------------------------------------
+
+=head2 canAdd ( session, [userId, groupId] )
+
+Verifies that the user has the privileges necessary to add this type of asset and that the requested asset
+can be added as a child of this asset. Return a boolean.
+
+A class method.
+
+=head3 session
+
+The session variable.
+
+=head3 userId
+
+Unique hash identifier for a user. If not supplied, current user.
+
+=head3 groupId
+
+Only developers extending this method should use this parameter. By default WebGUI will check groups in this order, whichever is defined:
+
+=over 4
+
+=item *
+
+Group id assigned in the config file for each asset.
+
+=item *
+
+Group assigned by the developer in the asset itself if s/he extended this method to do so.
+
+=item *
+
+The "turn admin on" group which is group id 12.
+
+=back
+
+=cut
+
+sub canAdd {
+    my $className = shift;
+    my $session = shift;
+    my $userId = shift || $session->user->userId;
+    my $user = WebGUI::User->new($session, $userId);
+    my $subclassGroupId = shift;
+    my $addPrivsGroup = $session->config->get("assets/".$className."/addGroup");
+    my $groupId = $addPrivsGroup || $subclassGroupId || '3';
+    my $validParent = $className->validParent($session);
+    return $user->isInGroup($groupId) && $validParent;
+}
+
 #-------------------------------------------------------------------
 
 =head2 definition ( session, definition )
@@ -106,6 +158,7 @@ Get template variables common to all views of the Asset Report.
 sub getTemplateVars {
     my $self = shift;
     my $session = $self->session;
+    my $db = $session->db;
     my $var = $self->get;
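Review bot: The POD for the new canAdd says the last fallback is the "turn admin on" group, id 12, but the code's fallback in `my $groupId = $addPrivsGroup || $subclassGroupId || '3';` is group 3, so the documentation contradicts the implementation. If restricting this asset to group 3 is the intent, which would fit an asset that turns user-edited query settings into SQL, the last `=item *` should read `Group id 3, rather than the usual "turn admin on" group (id 12).`; otherwise the fallback should be `'12'`. The rest of the POD reads as a generic description and gives no reason for overriding the default, which is worth one sentence. This addition is also unrelated to the SQL fix named in the subject line, which a reader of the log will not expect.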
@@ -126,9 +179,9 @@ sub getTemplateVars {
     my $where = $settings->{where};
     foreach my $key (keys %{$where}) {
         my $clause = $where->{$key};
-        my $prop = $clause->{propSelect};
-        my $op = $clause->{opSelect};
-        my $value = $clause->{valText};
+        my $prop = $self->secure_identifier($clause->{propSelect});
+        my $op = $self->validate_clause($clause->{opSelect});
+        my $value = $db->quote($clause->{valText});
         $rules->{'whereClause'} .= qq{ $condition } if ($key > 1);
         $rules->{'whereClause'} .= qq{$prop $op $value};
@@ -145,8 +198,8 @@ sub getTemplateVars {
     $rules->{'orderByClause'} = undef;
     foreach my $key (@order) {
         my $orderBy = $order->{$key};
-        my $orderSelect = $orderBy->{orderSelect};
-        my $dirSelect = $orderBy->{dirSelect};
+        my $orderSelect = $self->secure_identifier($orderBy->{orderSelect});
+        my $dirSelect = (lc($orderBy->{dirSelect}) eq "desc") ? "DESC" : "ASC";
         $rules->{'orderByClause'} .= q{, } if($key > 1);
         $rules->{'orderByClause'} .= qq{$orderSelect $dirSelect};
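Review bot: `$condition`, interpolated into the same statement on `$rules->{'whereClause'} .= qq{ $condition } if ($key > 1);`, is left untouched while `$prop`, `$op` and `$value` are now quoted or validated; its assignment is above the hunk, so whether it comes from the same user-editable `$settings` cannot be seen here, but if it does it needs the same whitelist treatment, e.g. `$condition = (uc($condition) eq 'OR') ? 'OR' : 'AND';` before the loop. The ORDER BY hunk below handles `$dirSelect` exactly that way, so the where loop would then match it. getTemplateVars starts and ends outside both hunks.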
@@ -177,6 +230,50 @@ sub getTemplateVars {
 #----------------------------------------------------------------------------
+=head2 secure_identifier ( identifier )
+
+Checks the identifier and passes back a secure string.
+
+=cut
+
+sub secure_identifier {
+    my $self = shift;
+    my $db = $self->session->db;
+    my $identifier = shift;
+
+    my @parts = split(/\./,$identifier);
+    if(scalar(@parts) > 1) {
+        my $table = $parts[0];
+        my $column = $parts[1];
+        $identifier = $db->dbh->quote_identifier($table).".".$db->dbh->quote_identifier($column);
+    }
+    else {
+        $identifier = $db->dbh->quote_identifier($identifier);
+    }
+
+    return $identifier;
+} ## end sub view
+
+#----------------------------------------------------------------------------
+
+=head2 validate_clause ( clause )
+
+validates a clause against valid types. Returns "=" if no match is found.
+
+=cut
+
+sub validate_clause {
+    my $self = shift;
+    my $clause = shift;
+    my $ops = WebGUI::Form::AssetReportQuery->getOps();
+    unless ($ops->{$clause}) {
+        $clause = "=";
+    }
+    return $clause;
+} ## end sub view
+
+#----------------------------------------------------------------------------
+
 =head2 view ( )
 method called by the www_view method. Returns a processed template
diff --git a/www/extras/yui-webgui/build/form/assetReportQuery.js b/www/extras/yui-webgui/build/form/assetReportQuery.js
index 98060bf9a..129c96626 100644
--- a/www/extras/yui-webgui/build/form/assetReportQuery.js
+++ b/www/extras/yui-webgui/build/form/assetReportQuery.js
@@ -359,8 +359,5 @@ YAHOO.util.Event.onDOMReady( function () {
     loadClasses(document.getElementById("className_formId"));
     loadWhereRows(document.getElementById("whereBody"));
     loadOrder(document.getElementById("orderBody"));
-};
-
-
 });
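Review bot: Both new subs close with `} ## end sub view`, apparently copied from the view sub that follows; they should read `} ## end sub secure_identifier` and `} ## end sub validate_clause`. secure_identifier also keeps only the first two dot-separated parts of the identifier and silently drops the rest, and it passes an undefined `$identifier` straight to quote_identifier; returning early or dying on those inputs would make a malformed propSelect visible instead of producing a truncated column reference. In validate_clause, `unless ($ops->{$clause})` treats an operator whose value in getOps() is false as invalid and warns on an undefined `$clause` under `use warnings`; if getOps() returns a hash keyed by operator, `unless (defined $clause && exists $ops->{$clause})` says what is meant. How getOps() is keyed is not visible here.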