Fix invalid input for advanced search sort_by #1255

glensc · 2021-11-09T22:28:36Z

Followup to #1252:

The fix didn't account for custom fields and resulted sql error in case of invalid input, which resulted a 500 page.

The new fix, field is validated against the list from the adv_search template only when not using custom fields:

eventum/templates/adv_search.tpl.html

Lines 155 to 162 in 81fbd07

    
           <label>{t}Sort By{/t}<br /> 
        
           <select name="sort_by"> 
        
             <option value="last_action_date" {if $options.cst_sort_by|default:'' == "last_action_date"}selected{/if}>{t}Last Action Date{/t}</option> 
        
             <option value="pri_rank" {if $options.cst_sort_by|default:'' == "pri_rank"}selected{/if}>{t}Priority{/t}</option> 
        
             <option value="iss_id" {if $options.cst_sort_by|default:'' == "iss_id"}selected{/if}>{t}Issue ID{/t}</option> 
        
             <option value="sta_rank" {if $options.cst_sort_by|default:'' == "sta_rank"}selected{/if}>{t}Status{/t}</option> 
        
             <option value="iss_summary" {if $options.cst_sort_by|default:'' == "iss_summary"}selected{/if}>{t}Summary{/t}</option> 
        
           </select>

Also, the $sort_by is now escaped with quoteIdentifier (method for columns) rather escape (method for values)

This reverts commit b664d35. This reverts commit efdc34d. The fix didn't account for custom fields and resulted sql error in case of invalid input, which resulted a 500 page.

glensc added this to the 3.10.8 milestone Nov 9, 2021

glensc self-assigned this Nov 9, 2021

glensc force-pushed the 1252-followup branch from a7f0cf9 to beaf768 Compare November 9, 2021 22:31

glensc added 7 commits November 10, 2021 01:54

CS: Use strict compare

3bf0e1b

Add deprecation notice to escapeString

835f928

Revert fix for sort_by query

0f4e6d5

This reverts commit b664d35. This reverts commit efdc34d. The fix didn't account for custom fields and resulted sql error in case of invalid input, which resulted a 500 page.

Escape $sort_by with quoteIdentifier not with escapeString

c732276

Validate sort_by against a whitelist

9119c50

Validate sort_by early as in saveSearchParams()

7e63b60

Update changelog

7ba9f19

glensc force-pushed the 1252-followup branch from beaf768 to 7ba9f19 Compare November 9, 2021 23:56

glensc mentioned this pull request Nov 9, 2021

Fix sort_by not being filtered in search form #1252

Merged

glensc merged commit 15f749f into eventum:master Nov 10, 2021

glensc deleted the 1252-followup branch November 10, 2021 00:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix invalid input for advanced search sort_by #1255

Fix invalid input for advanced search sort_by #1255

glensc commented Nov 9, 2021

	<label>{t}Sort By{/t}<br />
	<select name="sort_by">
	<option value="last_action_date" {if $options.cst_sort_by\|default:'' == "last_action_date"}selected{/if}>{t}Last Action Date{/t}</option>
	<option value="pri_rank" {if $options.cst_sort_by\|default:'' == "pri_rank"}selected{/if}>{t}Priority{/t}</option>
	<option value="iss_id" {if $options.cst_sort_by\|default:'' == "iss_id"}selected{/if}>{t}Issue ID{/t}</option>
	<option value="sta_rank" {if $options.cst_sort_by\|default:'' == "sta_rank"}selected{/if}>{t}Status{/t}</option>
	<option value="iss_summary" {if $options.cst_sort_by\|default:'' == "iss_summary"}selected{/if}>{t}Summary{/t}</option>
	</select>

Fix invalid input for advanced search sort_by #1255

Fix invalid input for advanced search sort_by #1255

Conversation

glensc commented Nov 9, 2021