[geeklog-cvs] geeklog: Fixed sql injection exploit with the listfactory class

geeklog-cvs at lists.geeklog.net geeklog-cvs at lists.geeklog.net
Mon Mar 30 19:32:14 EDT 2009


details:   http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/5bd37d01b2d5
changeset: 6879:5bd37d01b2d5
user:      Sami Barakat
date:      Tue Mar 31 00:30:44 2009 +0100
description:
Fixed sql injection exploit with the listfactory class

diffstat:

1 file changed, 6 insertions(+), 2 deletions(-)
system/classes/listfactory.class.php |    8 ++++++--

diffs (25 lines):

diff -r f0fc9736cfc6 -r 5bd37d01b2d5 system/classes/listfactory.class.php
--- a/system/classes/listfactory.class.php	Mon Mar 30 13:14:42 2009 +0200
+++ b/system/classes/listfactory.class.php	Tue Mar 31 00:30:44 2009 +0100
@@ -354,7 +354,11 @@
     {
         // Get the details for sorting the list
         $this->_sort_arr['field'] = isset($_REQUEST['order']) ? COM_applyFilter($_REQUEST['order']) : $this->_def_sort_arr['field'];
-        $this->_sort_arr['direction'] = isset($_REQUEST['direction']) ? COM_applyFilter($_REQUEST['direction']) : $this->_def_sort_arr['direction'];
+        if (isset($_REQUEST['direction']))
+            $this->_sort_arr['direction'] = $_REQUEST['direction'] == 'asc' ? 'asc' : 'desc';
+        else
+            $this->_sort_arr['direction'] = $this->_def_sort_arr['direction'];
+
         if (is_numeric($this->_sort_arr['field']))
         {
             $ord = $this->_def_sort_arr['field'];
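Review bot: The new allowlist on the added `if (isset($_REQUEST['direction']))` branch uses loose `==`, which is safe for this two-value case but is easier to reason about, and consistent with treating the request value as untrusted, as a strict comparison: `$this->_sort_arr['direction'] = ($_REQUEST['direction'] === 'asc') ? 'asc' : 'desc';`. Reducing the direction to one of two literals is the right approach here, since the later `strtoupper()` call then only ever sees a known value. The default branch copies `$this->_def_sort_arr['direction']` through unvalidated, which is acceptable only as long as that default is set by code, not by request data; a short comment stating that assumption would help the next reader. The enclosing method's signature lies outside this hunk.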
@@ -364,7 +368,7 @@
         {
             $ord = $this->_sort_arr['field'];
         }
-        $order_sql = ' ORDER BY ' . $ord . ' ' . strtoupper($this->_sort_arr['direction']);
+        $order_sql = ' ORDER BY "' . addslashes($ord) . '" ' . strtoupper($this->_sort_arr['direction']);
 
         $this->_page = isset($_REQUEST['page']) ? COM_applyFilter($_REQUEST['page'], true) : 1;
         if (isset($_REQUEST['results'])) {
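Review bot: Wrapping the sort field in double quotes with `addslashes()` on the changed `$order_sql` line is not identifier escaping and, on MySQL without ANSI_QUOTES, `ORDER BY "name"` sorts by a constant string, so the list would silently lose its ordering while still not being a robust fix. `addslashes()` is string-literal escaping and does not address a value that is used as an SQL identifier; the sound treatment is to validate `$ord` against the set of column names the list was configured with (presumably the fields registered on this object elsewhere in the class; not visible in this hunk) and fall back to `$this->_def_sort_arr['field']` when it is not among them, then emit the identifier unquoted or with the driver's identifier quoting. The `is_numeric()` check above already shows the intent to reject unexpected values, so extending it to a positive allowlist keeps the code consistent. The rest of the method continues past this hunk.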


