Fix options['order'] also being vulnerable to injection attacks.

cakephp · Jun 25, 2013 · 51beab4 · 51beab4
1 parent f2c9639
commit 51beab4
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/cake/libs/controller/controller.php b/cake/libs/controller/controller.php
@@ -1114,6 +1114,11 @@ function paginate($object = null, $scope = array(), $whitelist = array()) {
 			$options['limit'] = $options['show'];
 		}
 
+		if (isset($options['order']) && empty($options['sort'])) {
+			$options['sort'] = $options['order'];
+			unset($options['order']);
+		}
+
 		if (isset($options['sort'])) {
 			$direction = null;
 			if (isset($options['direction'])) {