Merge pull request #8468 from dotCMS/card-571-v2-sql-injection

card-571-call-sort-method
dotCMS · Jan 4, 2016 · f460340 · f460340
2 parents 4f4e58a + e47e140
commit f460340
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 9 deletions.
diff --git a/src/com/dotmarketing/factories/InodeFactory.java b/src/com/dotmarketing/factories/InodeFactory.java
@@ -1442,7 +1442,7 @@ public static java.util.List getInodesOfClassByConditionAndOrderBy(Class c, Stri
 			throw new DotStateException("Identifiers are no longer Inodes!");
 		}
 
-		orderby = SQLUtil.sanitizeParameter(orderby);
+		orderby = SQLUtil.sanitizeSortBy(orderby);
 		direction = SQLUtil.sanitizeParameter(direction);
 
 		try {

diff --git a/src/com/dotmarketing/factories/WebAssetFactory.java b/src/com/dotmarketing/factories/WebAssetFactory.java
@@ -890,7 +890,7 @@ else if(list.size() < internalLimit)
 	@SuppressWarnings("unchecked")
 	public static List<WebAsset> getAssetsWorkingWithPermission(Class c, int limit,
 			int offset, String orderby, String parent, User user) {
-		orderby = SQLUtil.sanitizeParameter(orderby);
+		orderby = SQLUtil.sanitizeSortBy(orderby);
 		parent = SQLUtil.sanitizeParameter(parent);
 
 		HibernateUtil dh = new HibernateUtil(c);
@@ -2033,7 +2033,7 @@ public PaginatedArrayList<PermissionAsset> getAssetsAndPermissions(String hostId
 
 		parent = SQLUtil.sanitizeParameter(parent);
 		query = SQLUtil.sanitizeParameter(query);
-		orderBy = SQLUtil.sanitizeParameter(orderBy);
+		orderBy = SQLUtil.sanitizeSortBy(orderBy);
 
 		AssetType type = AssetType.getObject(tableName.toUpperCase());
 		java.util.List<? extends Permissionable> elements = null;

diff --git a/src/com/dotmarketing/portlets/categories/business/CategoryFactoryImpl.java b/src/com/dotmarketing/portlets/categories/business/CategoryFactoryImpl.java
@@ -271,7 +271,7 @@ protected List<Category> getChildren(Categorizable parent) throws DotDataExcepti
 	@Override
 	protected List<Category> getChildren(Categorizable parent, String orderBy)
 	throws DotDataException {
-		orderBy = SQLUtil.sanitizeParameter(orderBy);
+		orderBy = SQLUtil.sanitizeSortBy(orderBy);
 		HibernateUtil hu = new HibernateUtil(Category.class);
 		hu.setSQLQuery("select {category.*} from inode category_1_, category, tree where " +
 				"category.inode = tree.child and tree.parent = ? and category_1_.inode = category.inode " +
@@ -284,7 +284,7 @@ protected List<Category> getChildren(Categorizable parent, String orderBy)
 	@Override
 	protected List<Category> getChildren(Categorizable parent, String orderBy,
 			String relationType) throws DotDataException {
-		orderBy = SQLUtil.sanitizeParameter(orderBy);
+		orderBy = SQLUtil.sanitizeSortBy(orderBy);
 
 		if(!UtilMethods.isSet(orderBy))
 			orderBy = "tree_order";
@@ -485,7 +485,7 @@ protected List<Category> findTopLevelCategories() throws DotDataException {
 	@Override
 	protected List<Category> findTopLevelCategoriesByFilter(String filter, String sort) throws DotDataException {
 		filter = SQLUtil.sanitizeParameter(filter);
-		sort = SQLUtil.sanitizeParameter(sort);
+		sort = SQLUtil.sanitizeSortBy(sort);
 		HibernateUtil dh = new HibernateUtil(Category.class);
 		StringBuilder sql = new StringBuilder();
 		sql.append("SELECT {category.*} from category category left join tree tree on category.inode = tree.child, ");
@@ -535,7 +535,7 @@ protected void deleteChildren(String inode) {
 	protected List<Category> findChildrenByFilter(String inode, String filter, String sort) throws DotDataException {
 		inode = SQLUtil.sanitizeParameter(inode);
 		filter = SQLUtil.sanitizeParameter(filter);
-		sort = SQLUtil.sanitizeParameter(sort);
+		sort = SQLUtil.sanitizeSortBy(sort);
 
 		HibernateUtil dh = new HibernateUtil(Category.class);
 		StringBuilder sql = new StringBuilder();
@@ -549,7 +549,7 @@ protected List<Category> findChildrenByFilter(String inode, String filter, Strin
 
 	private String getFilterAndSortSQL(String filter, String sort) {
 		filter = SQLUtil.sanitizeParameter(filter);
-		sort = SQLUtil.sanitizeParameter(sort);
+		sort = SQLUtil.sanitizeSortBy(sort);
 
 		StringBuilder sb = new StringBuilder();
 

diff --git a/src/com/dotmarketing/tag/business/TagAPIImpl.java b/src/com/dotmarketing/tag/business/TagAPIImpl.java
@@ -126,7 +126,7 @@ public java.util.List<Tag> getTagByUser(String userId) {
 	public java.util.List<Tag> getFilteredTags(String tagName, String hostFilter, boolean globalTagsFilter, String sort, int start, int count) {
         try {
 
-			sort = SQLUtil.sanitizeParameter(sort);
+			sort = SQLUtil.sanitizeSortBy(sort);
 
         	HibernateUtil dh = new HibernateUtil(Tag.class);
         	List list = new java.util.ArrayList();