From 87d92f823b08b91a0aeb522284537c8afcdb8aba Mon Sep 17 00:00:00 2001
From: Leo Feyer
Date: Tue, 30 Apr 2019 08:26:48 +0200
Subject: [PATCH] Prevent SQL injections in the file manager search (see CVE-2019-11512)

---
 CHANGELOG.md | 1 +
 core-bundle/src/Resources/contao/drivers/DC_Folder.php | 6 ++----
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e5fc43ea76..dd4319cdcf5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## DEV
 
+ * Prevent SQL injections in the file manager search (see CVE-2019-11512).
  * Correctly handle dates in the news bundle (see #436).
  * Also show future news items if the "show all news items" option is selected (see #419).
diff --git a/core-bundle/src/Resources/contao/drivers/DC_Folder.php b/core-bundle/src/Resources/contao/drivers/DC_Folder.php
index 0f5da0bed85..b0b7959d55e 100644
--- a/core-bundle/src/Resources/contao/drivers/DC_Folder.php
+++ b/core-bundle/src/Resources/contao/drivers/DC_Folder.php
@@ -2769,15 +2769,14 @@ protected function searchMenu()
 // Store search value in the current session
 if (\Input::post('FORM_SUBMIT') == 'tl_filters')
 {
-$strField = \Input::post('tl_field', true);
 $strKeyword = ltrim(\Input::postRaw('tl_value'), '*');
 
 // Make sure the regular expression is valid
-if ($strKeyword != '')
+if ($strKeyword)
 {
 try
 {
-$this->Database->prepare("SELECT * FROM " . $this->strTable . " WHERE " . $strField . " REGEXP ?")
+$this->Database->prepare("SELECT * FROM " . $this->strTable . " WHERE name REGEXP ?")
 ->limit(1)
 ->execute($strKeyword);
 }
@@ -2787,7 +2786,6 @@ protected function searchMenu()
 }
 }
 
-$session['search'][$this->strTable]['field'] = $strField;
 $session['search'][$this->strTable]['value'] = $strKeyword;
 $objSessionBag->replace($session);
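Review bot: The validity check in the first hunk now reads `if ($strKeyword)`, a truthiness test, so a search term of `"0"` no longer reaches the REGEXP probe although the replaced `!= ''` did cover it; `if ($strKeyword !== '')` keeps the original reach with a strict comparison. Hard-coding `name` removes the user-chosen column from the statement, but `$this->strTable` is still concatenated into the SQL, so the fix relies on strTable never being derived from request data — a one-line comment above the prepare() call stating that assumption would make it visible to the next reader. Because the second hunk stops writing `$session['search'][$this->strTable]['field']`, any remaining reader of that key outside these hunks should be removed as well, and an `unset($session['search'][$this->strTable]['field']);` next to the `value` assignment would stop previously stored session data from being consumed until it expires. searchMenu() continues outside both hunks.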