validate sql_search and sql_orderby API parameters, set version to 0.10.34 for security release
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
@@ -723,7 +723,7 @@ opcache.validate_timestamps'),
|
||||
('panel', 'logo_image_login', ''),
|
||||
('panel', 'logo_overridetheme', '0'),
|
||||
('panel', 'logo_overridecustom', '0'),
|
||||
('panel', 'version', '0.10.33'),
|
||||
('panel', 'version', '0.10.34'),
|
||||
('panel', 'db_version', '202112310');
|
||||
|
||||
|
||||
|
||||
@@ -970,3 +970,8 @@ if (\Froxlor\Froxlor::isFroxlorVersion('0.10.32')) {
|
||||
showUpdateStep("Updating from 0.10.32 to 0.10.33", false);
|
||||
\Froxlor\Froxlor::updateToVersion('0.10.33');
|
||||
}
|
||||
|
||||
if (\Froxlor\Froxlor::isFroxlorVersion('0.10.33')) {
|
||||
showUpdateStep("Updating from 0.10.33 to 0.10.34", false);
|
||||
\Froxlor\Froxlor::updateToVersion('0.10.34');
|
||||
}
|
||||
|
||||
@@ -297,6 +297,10 @@ abstract class ApiCommand extends ApiParameter
|
||||
$sortfield[$id] = $sfield;
|
||||
}
|
||||
$field = implode('.', $sortfield);
|
||||
if (preg_match('/^([a-z0-9\-\._`]+)$/i', $field) == false) {
|
||||
// skip
|
||||
continue;
|
||||
}
|
||||
if (! $first) {
|
||||
$condition .= ' AND ';
|
||||
}
|
||||
@@ -313,6 +317,14 @@ abstract class ApiCommand extends ApiParameter
|
||||
} elseif (strtolower($valoper['op']) == 'in' && is_array($valoper['value']) && count($valoper['value']) > 0) {
|
||||
$condition .= $field . ' ' . $valoper['op'] . ' (';
|
||||
foreach ($valoper['value'] as $incnt => $invalue) {
|
||||
if (!is_numeric($incnt)) {
|
||||
// skip
|
||||
continue;
|
||||
}
|
||||
if (!empty($invalue) && preg_match('/^([a-z0-9\-\._`]+)$/i', $invalue) == false) {
|
||||
// skip
|
||||
continue;
|
||||
}
|
||||
$condition .= ":" . $cleanfield . $incnt . ", ";
|
||||
$query_fields[':' . $cleanfield . $incnt] = $invalue ?? '';
|
||||
}
|
||||
@@ -398,6 +410,10 @@ abstract class ApiCommand extends ApiParameter
|
||||
$sortfield[$id] = $sfield;
|
||||
}
|
||||
$field = implode('.', $sortfield);
|
||||
if (preg_match('/^([a-z0-9\-\._`]+)$/i', $field) == false) {
|
||||
// skip
|
||||
continue;
|
||||
}
|
||||
$by = strtoupper($by);
|
||||
if (! in_array($by, [
|
||||
'ASC',
|
||||
@@ -423,6 +439,7 @@ abstract class ApiCommand extends ApiParameter
|
||||
return $order;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* return logger instance
|
||||
*
|
||||
|
||||
@@ -7,7 +7,7 @@ final class Froxlor
|
||||
{
|
||||
|
||||
// Main version variable
|
||||
const VERSION = '0.10.33';
|
||||
const VERSION = '0.10.34';
|
||||
|
||||
// Database version (YYYYMMDDC where C is a daily counter)
|
||||
const DBVERSION = '202112310';
|
||||
|
||||
@@ -410,7 +410,7 @@ $lng['admin']['ipsandports']['port'] = 'Port';
|
||||
|
||||
// ADDED IN 1.2.13-rc3
|
||||
|
||||
$lng['error']['cantchangesystemip'] = 'Sie können die letzte System-IP-Adresse nicht löschen. Entweder legen Sie eine neue IP/Port-Kombination an oder Sie ändern die System-IP-Adresse.';
|
||||
$lng['error']['cantchangesystemip'] = 'Sie können die letzte System-IP-Adresse nicht ändern. Entweder legen Sie eine neue IP/Port-Kombination an oder Sie ändern die System-IP-Adresse.';
|
||||
$lng['question']['admin_domain_reallydocrootoutofcustomerroot'] = 'Sind Sie sicher, dass der DocumentRoot dieser Domain außerhalb des Heimatverzeichnisses des Kunden liegen soll?';
|
||||
|
||||
// ADDED IN 1.2.14-rc1
|
||||
|
||||
Reference in New Issue
Block a user