From 0d1e5ea69b70292c89f827adaefc286fff8318a7 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 18 Feb 2021 15:49:40 +0100
Subject: [PATCH] Bug 27715: Sanitize order by DT params
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

We are not on the safe side when we build the ORDER BY clause from the DataTables parameters. I've started to limit the columns by using Koha::Objects->columns, but for instance for the patron search we need (at least) the columns from the branches, categories and members tables. It seems easier, and still safe, to use a regex.

Signed-off-by: Martin Renvoize
Signed-off-by: Joonas Kylmälä
Signed-off-by: Marcel de Rooy
Signed-off-by: Fridolin Somers
---
 C4/Utils/DataTables.pm | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/C4/Utils/DataTables.pm b/C4/Utils/DataTables.pm
index 99be4a1cda..18e6c8caa8 100644
--- a/C4/Utils/DataTables.pm
+++ b/C4/Utils/DataTables.pm
@@ -100,6 +100,11 @@ sub dt_build_orderby {
         $i++;
     }
 
+    return unless @orderbys;
+
+    # Must be "branches.branchname asc", "borrowers.firstname desc", etc.
+    @orderbys = grep { /^\w+\.\w+\s(asc|desc)$/ } @orderbys;
+
     $orderby = " ORDER BY " . join(',', @orderbys) . " " if @orderbys;
     return $orderby;
 }
-- 
2.39.5
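Review bot: The new allow-list at `@orderbys = grep { /^\w+\.\w+\s(asc|desc)$/ } @orderbys;` uses `^`/`$` and a Unicode-aware `\w`, so `$` still matches before a trailing newline and non-ASCII word characters count as identifier characters, which is looser than the "table.column asc|desc" shape the comment above it promises. Anchoring to the whole string with ASCII semantics closes both gaps: `@orderbys = grep { /\A\w+\.\w+\s(?:asc|desc)\z/a } @orderbys;` (if the oldest supported Perl predates the `/a` modifier, spell the classes as `[A-Za-z0-9_]` instead). Rejected entries are dropped silently; emitting a `warn` or the project's usual log call naming the discarded value would make malformed sort parameters visible to operators rather than vanishing. The added `return unless @orderbys;` also returns an empty list/undef where the old code returned whatever `$orderby` held, so callers that concatenate the result should be checked; dt_build_orderby and the initialisation of `$orderby` begin outside the hunk.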