Commits on Nov 14, 2016
  1. Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Force all scalar expressions to be a primary key
      Update changelog
    opengeek committed Nov 14, 2016
  2. Force scalar parameters to be PK values in getCriteria

    Merge branch '2.4.x' into 2.x
    
    * 2.4.x:
      Force all scalar expressions to be a primary key
      Update changelog
    opengeek committed Nov 14, 2016
  3. Force scalar parameters to be PK values in getCriteria

    Merge remote-tracking branch 'origin/pr/99' into 2.4.x
    
    * origin/pr/99:
      Force all scalar expressions to be a primary key
    opengeek committed Nov 14, 2016
  4. Force all scalar expressions to be a primary key

    This is my second attempt to fix possible blind SQL injection in getObject method.
    
    Now it passes tests and must not break any functionality.
    bezumkin committed on GitHub Nov 14, 2016
  5. Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Update changelog and build properties for 2.5.1 release
    opengeek committed Nov 14, 2016
  6. Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Remove statement causing loop in unit tests
      Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"
      Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"
      Fix isValidClause check for certain injections
      Revert the breaking change related to xPDOQuery->sortby (067cb74), while keeping the fixes for sort direction and limit.
      Add catch-all SQL Injection Detection to xPDOQuery->prepare
      SQL injections in ORDER BY and LIMIT clauses
    opengeek committed Nov 14, 2016
  7. Update changelog

    opengeek committed Nov 14, 2016
  8. Prevent SQLi in sortby, sort direction, and limit clauses

    Merge branch '2.4.x' into 2.x
    
    * 2.4.x:
      Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"
      Revert the breaking change related to xPDOQuery->sortby (067cb74), while keeping the fixes for sort direction and limit.
      Add catch-all SQL Injection Detection to xPDOQuery->prepare
      SQL injections in ORDER BY and LIMIT clauses
    opengeek committed Nov 14, 2016
  9. Prevent SQLi in sortby, sort direction, and limit clauses

    Merge remote-tracking branch 'origin/pr/97' into 2.4.x
    
    * origin/pr/97:
      Revert the breaking change related to xPDOQuery->sortby (067cb74), while keeping the fixes for sort direction and limit.
      Add catch-all SQL Injection Detection to xPDOQuery->prepare
      SQL injections in ORDER BY and LIMIT clauses
    opengeek committed Nov 14, 2016
  10. Detect SQLi clauses when no space exists after UNION

    Merge remote-tracking branch 'origin/pr/98' into 2.4.x
    
    * origin/pr/98:
      Fix isValidClause check for certain injections
    opengeek committed Nov 14, 2016
  11. Detect SQLi clauses when no space exists after UNION

    Merge remote-tracking branch 'origin/pr/98' into 2.x
    
    * origin/pr/98:
      Fix isValidClause check for certain injections
    opengeek committed Nov 14, 2016
  12. Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"

    This reverts commit a17b3bc, reversing
    changes made to 8861b41.
    opengeek committed Nov 14, 2016
  13. Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"

    This reverts commit d2689fd, reversing
    changes made to 0885708.
    opengeek committed Nov 14, 2016
  14. Fix isValidClause check for certain injections

    Notified about issue by Vasily Naumkin. Specific injections using UNION could be used to bypass the check.
    Mark-H committed Nov 14, 2016
  15. Revert the breaking change related to xPDOQuery->sortby (067cb74), while keeping the fixes for sort direction and limit.

    The changes in 067cb74 are causing numerous issues to valid use cases you might see in the wild. With the fix in 910cfdc it's no longer necessary to prevent the injection, so this can be safely reverted back.
    Mark-H committed Nov 14, 2016
Commits on Nov 13, 2016
  1. Add catch-all SQL Injection Detection to xPDOQuery->prepare

    This ensures that the isValidClause check is run on every single query. This fix would have prevented the sortby/sortdir/limit/offset injection (modxcms/xpdo#97) as well.
    Mark-H committed Nov 13, 2016
  2. SQL injections in ORDER BY and LIMIT clauses

    Following a report from Nikolay Lanets on November 4th, several SQL injections in xPDO have been found and fixed.
    
    When creating a SQL query through an xPDOQuery object (as virtually any core and third party code interacting with the database does), the `sortby` and `limit` methods accepted arbitrary SQL which was not properly sanitised.
    
    While this vulnerability existed within the xPDOQuery object, the original report from Nikolay and further testing shows that it could be exploited without writing and executing arbitrary code. This includes by providing specially crafted arguments to connectors/processors (requiring a valid manager session), or by a snippet call that passes a sort or limit to xPDOQuery directly.
    
    As these are common scenarios that can't reasonably be resolved in each specific calling function, this has been patched at the xPDOQuery level at the cost of a breaking change to extras (and possibly MODX core code) that do rely on the sort accepting arbitrary SQL, for example the common approach for sorting resources in a specific order with sort clauses like `FIELD(modResource.id, 1, 2, 3)`. These order clauses will no longer work following this patch, unless the snippet indicates the input should be trusted by calling the `sortbyRaw` method with a value of `true`.
    Mark-H committed Nov 13, 2016
  3. Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Possible fix for blind SQL injection
    opengeek committed Nov 13, 2016
  4. Fix getObject to prevent raw SQL string from being used as PK criteria

    Merge branch '2.4.x' into 2.x
    opengeek committed Nov 13, 2016
  5. Fix getObject to prevent raw SQL string from being used as PK criteria

    Merge remote-tracking branch 'origin/pr/96' into 2.4.x
    
    * origin/pr/96:
      Possible fix for blind SQL injection
    opengeek committed Nov 13, 2016
  6. Possible fix for blind SQL injection

    For now, if there is a string when you get an object, this string will be taken as a criterion for the SQL query. So, if you want just to get an object with a primary key, but do not filter the user request enough, there could be a blind SQL injection.
    
    This fix will force all conditions to be a:
    1. primary key
    2. array with keys and values for query
    3. or xPDOQuery
    
    So no RAW SQL queries could be made with `getObject` call.
    bezumkin committed on GitHub Nov 13, 2016
Commits on Feb 3, 2016
  1. Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      xPDO 2.5.0-pl
      Finally fixing the thing properly... (Loud Sigh)
      Ugh! Fixing problem with debug_backtrace call for real this time
      Fix problem with debug_backtrace call in >=5.3.6,<5.4
      Add changelog for optimized/improved logging
      Optimize xPDO->_log() method to avoid unnecessary processing
      Fix defining single/multiple primary key by "index" node
      Added usage of debug_backtrace in _log()
      Update changelog in prep for 2.5.0 release
      Added new logTarget ARRAY_EXTENDED
      Fix undefined index notice for model indexes
    opengeek committed Feb 3, 2016
  2. xPDO 2.5.0-pl

    opengeek committed Feb 3, 2016
Commits on Feb 1, 2016
  1. Populate file in log from debug_backtrace if not provided

    Merge remote-tracking branch 'origin/pr/87' into pr/87
    
    * origin/pr/87:
      Added usage of debug_backtrace in _log()
    opengeek committed Feb 1, 2016
Commits on Jan 29, 2016
  1. Fix undefined index notice for model indexes

    Merge remote-tracking branch 'origin/pr/76' into 2.4.x
    
    * origin/pr/76:
      Fix undefined index notice for model indexes
    opengeek committed Jan 29, 2016
  2. Fix undefined index notice for model indexes

    Merge remote-tracking branch 'origin/pr/76' into 2.x
    
    * origin/pr/76:
      Fix undefined index notice for model indexes
    opengeek committed Jan 29, 2016
Commits on Jan 28, 2016
  1. Added usage of debug_backtrace in _log()

    Christian Seel committed Jan 28, 2016