validate sql_search and sql_orderby API parameters, fix unit-tests since the new default skin is 'Froxlor'
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
@@ -290,6 +290,10 @@ abstract class ApiCommand extends ApiParameter
foreach ($search as $field => $valoper) {
if ($field == '_plainsql') {
if (isset($valoper['sql']) && isset($valoper['values']) && is_array($valoper['values'])) {
if (preg_match('/^([a-z0-9\-\.,=\+_`\(\)\:\'\"\!\<\>\ ]+)$/i', $valoper['sql']) == false) {
// skip
continue;
}
$condition .= $valoper['sql'];
foreach ($valoper['values'] as $var => $value) {
$query_fields[':' . $var] = $value;
@@ -308,6 +312,10 @@ abstract class ApiCommand extends ApiParameter
$sortfield[$id] = $sfield;
}
$field = implode('.', $sortfield);
if (preg_match('/^([a-z0-9\-\._`]+)$/i', $field) == false) {
// skip
continue;
}
if (!$first) {
$condition .= ' AND ';
}
@@ -324,6 +332,14 @@ abstract class ApiCommand extends ApiParameter
} elseif (strtolower($valoper['op']) == 'in' && is_array($valoper['value']) && count($valoper['value']) > 0) {
$condition .= $field . ' ' . $valoper['op'] . ' (';
foreach ($valoper['value'] as $incnt => $invalue) {
if (!is_numeric($incnt)) {
// skip
continue;
}
if (!empty($invalue) && preg_match('/^([a-z0-9\-\._`]+)$/i', $invalue) == false) {
// skip
continue;
}
$condition .= ":" . $cleanfield . $incnt . ", ";
$query_fields[':' . $cleanfield . $incnt] = $invalue ?? '';
}
@@ -410,6 +426,10 @@ abstract class ApiCommand extends ApiParameter
$sortfield[$id] = $sfield;
}
$field = implode('.', $sortfield);
if (preg_match('/^([a-z0-9\-\._`]+)$/i', $field) == false) {
// skip
continue;
}
$by = strtoupper($by);
if (!in_array($by, [
'ASC',
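Review bot: The character allow-list applied to `_plainsql` at L16 does not make the following `$condition .= $valoper['sql']` safe: quotes, parentheses, comparison operators and spaces are still admitted, so any WHERE fragment composed of those characters passes and only comment and statement-terminator syntax is rejected. The effective boundary therefore has to be who may supply `_plainsql` (or a structured column/operator form instead of raw SQL), with this regex kept only as defense in depth; a comment such as `// character filter only, not a sanitizer: _plainsql must come from a trusted caller` would keep a later maintainer from relying on it. As a point of style, `preg_match(...) !== 1` states the same intent with a strict comparison here and in the `$field` checks at L49 and L127, since a PCRE failure returns `false` and must be treated as no match. The IN-value check at L94 is redundant with the parameter binding two lines below and silently drops values containing characters such as `@` or spaces; if every value is dropped the `IN (` opened at L76 appears to be left empty, but its closing is outside the hunk, so confirm. The enclosing method starts and ends outside these hunks.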
@@ -320,7 +320,7 @@ class AdminsTest extends TestCase
'def_language' => 'English'
))->update();
$result = json_decode($json_result, true)['data'];
$this->assertEquals('Sparkle', $result['theme']);
$this->assertEquals('Froxlor', $result['theme']);
$this->assertEquals('English', $result['def_language']);
}
@@ -195,7 +195,7 @@ class CustomersTest extends TestCase
$this->assertEquals('team@froxlor.org', $result['email']);
$this->assertEquals(1337, $result['customernumber']);
$this->assertEquals(15, $result['subdomains']);
$this->assertEquals('Sparkle', $result['theme']);
$this->assertEquals('Froxlor', $result['theme']);
$this->assertEquals('', $result['custom_notes']);
}