Fix TYPO3-EXT-SA-2015-021: SQL Injection

Handle all user-input which is passed as WHERE or ORDER statement to exec_SELECTquery using fullQuoteStr or explicit value checks.
mback2k · Dec 15, 2015 · 429f50f · 429f50f
1 parent 7ad9f0e
commit 429f50f
Showing 1 changed file with 12 additions and 5 deletions.
diff --git a/mod1/index.php b/mod1/index.php
@@ -204,12 +204,14 @@ function moduleContent()	{
 				';
 
 				if (t3lib_div::_GP('block_ip')) {
-					$where = "block_ip = '". t3lib_div::_GP('block_ip') ."'";
+					$where = 'block_ip = '. $GLOBALS['TYPO3_DB']->fullQuoteStr(t3lib_div::_GP('block_ip'), 'tx_mhhttpbl_blocklog');
 				} else {
 					$where = '';
 				}
 				if (t3lib_div::_GP('sort') && t3lib_div::_GP('order')) {
-					$order = t3lib_div::_GP('sort').' '.strtoupper(t3lib_div::_GP('order'));
+					$sort_param = in_array(t3lib_div::_GP('sort'), array('tstamp', 'block_ip', 'block_type', 'block_score')) ? t3lib_div::_GP('sort') : 'tstamp';
+					$order_param = strtoupper(t3lib_div::_GP('order')) == 'ASC' ? 'ASC' : 'DESC';
+					$order = $sort_param.' '.$order_param;
 				} else {
 					$order = 'tstamp DESC';
 				}
@@ -240,7 +242,8 @@ function moduleContent()	{
 			break;
 			case 2:
 				if (t3lib_div::_GP('whitelist_add')) {
-					$GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_mhhttpbl_whitelist', array('cruser_id'=>$BE_USER->user['uid'], 'crdate'=>time(), 'tstamp'=>time(), 'whitelist_ip'=>implode('.', t3lib_div::_GP('whitelist_ip'))));
+					$whitelist_ip = implode('.', array_map('intval', t3lib_div::_GP('whitelist_ip')));
+					$GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_mhhttpbl_whitelist', array('cruser_id'=>$BE_USER->user['uid'], 'crdate'=>time(), 'tstamp'=>time(), 'whitelist_ip'=>$whitelist_ip));
 				} else if (t3lib_div::_GP('delete')) {
 					$GLOBALS['TYPO3_DB']->exec_DELETEquery('tx_mhhttpbl_whitelist', 'uid = '.intval(t3lib_div::_GP('delete')));
 				}
@@ -275,7 +278,9 @@ function moduleContent()	{
 				';
 
 				if (t3lib_div::_GP('sort') && t3lib_div::_GP('order')) {
-					$order = t3lib_div::_GP('sort').' '.strtoupper(t3lib_div::_GP('order'));
+					$sort_param = in_array(t3lib_div::_GP('sort'), array('tstamp', 'whitelist_ip')) ? t3lib_div::_GP('sort') : 'tstamp';
+					$order_param = strtoupper(t3lib_div::_GP('order')) == 'ASC' ? 'ASC' : 'DESC';
+					$order = $sort_param.' '.$order_param;
 				} else {
 					$order = 'tstamp DESC';
 				}
@@ -312,7 +317,9 @@ function moduleContent()	{
 				';
 
 				if (t3lib_div::_GP('sort') && t3lib_div::_GP('order')) {
-					$order = t3lib_div::_GP('sort').' '.strtoupper(t3lib_div::_GP('order'));
+					$sort_param = in_array(t3lib_div::_GP('sort'), array('block_ip', 'count')) ? t3lib_div::_GP('sort') : 'count';
+					$order_param = strtoupper(t3lib_div::_GP('order')) == 'ASC' ? 'ASC' : 'DESC';
+					$order = $sort_param.' '.$order_param;
 				} else {
 					$order = 'count DESC';
 				}