Fix invalid input for advanced search sort_by by glensc · Pull Request #1255 · eventum/eventum

glensc · 2021-11-09T22:28:36Z

Followup to #1252:

The fix didn't account for custom fields and resulted sql error in case of invalid input, which resulted a 500 page.

The new fix, field is validated against the list from the adv_search template only when not using custom fields:

eventum/templates/adv_search.tpl.html

Lines 155 to 162 in 81fbd07

    
           <label>{t}Sort By{/t}<br /> 
        
           <select name="sort_by"> 
        
             <option value="last_action_date" {if $options.cst_sort_by|default:'' == "last_action_date"}selected{/if}>{t}Last Action Date{/t}</option> 
        
             <option value="pri_rank" {if $options.cst_sort_by|default:'' == "pri_rank"}selected{/if}>{t}Priority{/t}</option> 
        
             <option value="iss_id" {if $options.cst_sort_by|default:'' == "iss_id"}selected{/if}>{t}Issue ID{/t}</option> 
        
             <option value="sta_rank" {if $options.cst_sort_by|default:'' == "sta_rank"}selected{/if}>{t}Status{/t}</option> 
        
             <option value="iss_summary" {if $options.cst_sort_by|default:'' == "iss_summary"}selected{/if}>{t}Summary{/t}</option> 
        
           </select>

Also, the $sort_by is now escaped with quoteIdentifier (method for columns) rather escape (method for values)

This reverts commit b664d35. This reverts commit efdc34d. The fix didn't account for custom fields and resulted sql error in case of invalid input, which resulted a 500 page.

glensc added this to the 3.10.8 milestone Nov 9, 2021

glensc self-assigned this Nov 9, 2021

glensc force-pushed the 1252-followup branch from a7f0cf9 to beaf768 Compare November 9, 2021 22:31

glensc added 7 commits November 10, 2021 01:54

CS: Use strict compare

3bf0e1b

Add deprecation notice to escapeString

835f928

Revert fix for sort_by query

0f4e6d5

This reverts commit b664d35. This reverts commit efdc34d. The fix didn't account for custom fields and resulted sql error in case of invalid input, which resulted a 500 page.

Escape $sort_by with quoteIdentifier not with escapeString

c732276

Validate sort_by against a whitelist

9119c50

Validate sort_by early as in saveSearchParams()

7e63b60

Update changelog

7ba9f19

glensc force-pushed the 1252-followup branch from beaf768 to 7ba9f19 Compare November 9, 2021 23:56

glensc mentioned this pull request Nov 9, 2021

Fix sort_by not being filtered in search form #1252

Merged

glensc merged commit 15f749f into eventum:master Nov 10, 2021

glensc deleted the 1252-followup branch November 10, 2021 00:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix invalid input for advanced search sort_by#1255

Fix invalid input for advanced search sort_by#1255
glensc merged 7 commits intoeventum:masterfrom
glensc:1252-followup

glensc commented Nov 9, 2021

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant

	<label>{t}Sort By{/t}<br />
	<select name="sort_by">
	<option value="last_action_date" {if $options.cst_sort_by\|default:'' == "last_action_date"}selected{/if}>{t}Last Action Date{/t}</option>
	<option value="pri_rank" {if $options.cst_sort_by\|default:'' == "pri_rank"}selected{/if}>{t}Priority{/t}</option>
	<option value="iss_id" {if $options.cst_sort_by\|default:'' == "iss_id"}selected{/if}>{t}Issue ID{/t}</option>
	<option value="sta_rank" {if $options.cst_sort_by\|default:'' == "sta_rank"}selected{/if}>{t}Status{/t}</option>
	<option value="iss_summary" {if $options.cst_sort_by\|default:'' == "iss_summary"}selected{/if}>{t}Summary{/t}</option>
	</select>

Uh oh!

Conversation

glensc commented Nov 9, 2021

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant