fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-09 03:32:00 +09:00
Code Issues Projects Releases Packages Wiki Activity

Fix RVE-2025-1 potential SQL injection via third-party program

Browse source
This commit is contained in:
Kijin Sung 2025-02-16 14:55:40 +09:00
parent ae0e13eca9
commit a208e0dbbc
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
common/framework/parsers/dbquery/Query.php
View file

@ -619,7 +619,7 @@ class Query extends VariableBase
// Get the name of the column or expression to order by. // Get the name of the column or expression to order by.
$column_name = ''; $column_name = '';
list($column_name, $is_expression) = $orderby->getValue($this->_args); list($column_name, $is_expression, $is_default_value) = $orderby->getValue($this->_args);
if (!$column_name) if (!$column_name)
{ {
continue; continue;
@ -628,6 +628,10 @@ class Query extends VariableBase
{ {
$column_name = self::quoteName($column_name); $column_name = self::quoteName($column_name);
} }
elseif (!$is_default_value)
{
continue;
}
// Get the ordering (ASC or DESC). // Get the ordering (ASC or DESC).
if (preg_match('/^(ASC|DESC)$/i', $orderby->order_var ?: '', $matches)) if (preg_match('/^(ASC|DESC)$/i', $orderby->order_var ?: '', $matches))