Commits on Jan 3, 2017
  1. Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      xPDO 2.5.3-pl
    opengeek committed Jan 3, 2017
  2. xPDO 2.5.3-pl

    opengeek committed Jan 3, 2017
  3. Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Make sure xPDOQuery base class is always loaded
    opengeek committed Jan 3, 2017
Commits on Dec 16, 2016
  1. Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Update version for 2.5.2 release
      Sanitize and prevent SQLi in getObject calls expecting PK values
    opengeek committed Dec 16, 2016
  2. Sanitize and prevent SQLi in getObject calls expecting PK values

    Also make isValidClause method static in xPDOQuery
    opengeek committed Dec 16, 2016
  3. Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Allow empty sort direction
      Revert getCriteria change to force scalar params to be PK values
      Fixing a PHP 7 issue
      Make isValidClause public
    opengeek committed Dec 16, 2016
Commits on Dec 15, 2016
  1. Allow empty sort direction

    Resolves #103
    opengeek committed Dec 15, 2016
  2. Revert getCriteria change to force scalar params to be PK values

    This reverts commit 84decc3 and solves a significant BC break that loads objects by invalid primary keys.
    opengeek committed Dec 15, 2016
Commits on Dec 5, 2016
  1. Make xPDOQuery::isValidClause a public method

    Merge remote-tracking branch 'origin/pr/100' into 2.x
    
    * origin/pr/100:
      Make isValidClause public
    opengeek committed Dec 5, 2016
  2. Change constructor in PclZip to be PHP 7 compatible

    Merge remote-tracking branch 'origin/pr/101' into 2.x
    
    * origin/pr/101:
      Fixing a PHP 7 issue
    opengeek committed Dec 5, 2016
Commits on Nov 28, 2016
  1. Fixing a PHP 7 issue

    Changing the constructor would be no problem (or does xPDO have to be PHP4 compatible?)
    
    See modxcms/revolution#13188
    Jako committed on GitHub Nov 28, 2016
Commits on Nov 16, 2016
  1. Make isValidClause public

    I think we should make this method public, because property "query" is public already and we can add anything to it manually.
    
    And it will be better to check clause by built-in xPDO method before this.
    bezumkin committed on GitHub Nov 16, 2016
Commits on Nov 14, 2016
  1. Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Force all scalar expressions to be a primary key
      Update changelog
    opengeek committed Nov 14, 2016
  2. Force scalar parameters to be PK values in getCriteria

    Merge branch '2.4.x' into 2.x
    
    * 2.4.x:
      Force all scalar expressions to be a primary key
      Update changelog
    opengeek committed Nov 14, 2016
  3. Force scalar parameters to be PK values in getCriteria

    Merge remote-tracking branch 'origin/pr/99' into 2.4.x
    
    * origin/pr/99:
      Force all scalar expressions to be a primary key
    opengeek committed Nov 14, 2016
  4. Force all scalar expressions to be a primary key

    This is my second attempt to fix possible blind SQL injection in getObject method.
    
    Now it passes tests and must not break any functionality.
    bezumkin committed on GitHub Nov 14, 2016
  5. Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Update changelog and build properties for 2.5.1 release
    opengeek committed Nov 14, 2016
  6. Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Remove statement causing loop in unit tests
      Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"
      Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"
      Fix isValidClause check for certain injections
      Revert the breaking change related to xPDOQuery->sortby (067cb74), while keeping the fixes for sort direction and limit.
      Add catch-all SQL Injection Detection to xPDOQuery->prepare
      SQL injections in ORDER BY and LIMIT clauses
    opengeek committed Nov 14, 2016
  7. Update changelog

    opengeek committed Nov 14, 2016
  8. Prevent SQLi in sortby, sort direction, and limit clauses

    Merge branch '2.4.x' into 2.x
    
    * 2.4.x:
      Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"
      Revert the breaking change related to xPDOQuery->sortby (067cb74), while keeping the fixes for sort direction and limit.
      Add catch-all SQL Injection Detection to xPDOQuery->prepare
      SQL injections in ORDER BY and LIMIT clauses
    opengeek committed Nov 14, 2016
  9. Prevent SQLi in sortby, sort direction, and limit clauses

    Merge remote-tracking branch 'origin/pr/97' into 2.4.x
    
    * origin/pr/97:
      Revert the breaking change related to xPDOQuery->sortby (067cb74), while keeping the fixes for sort direction and limit.
      Add catch-all SQL Injection Detection to xPDOQuery->prepare
      SQL injections in ORDER BY and LIMIT clauses
    opengeek committed Nov 14, 2016
  10. Detect SQLi clauses when no space exists after UNION

    Merge remote-tracking branch 'origin/pr/98' into 2.4.x
    
    * origin/pr/98:
      Fix isValidClause check for certain injections
    opengeek committed Nov 14, 2016
  11. Detect SQLi clauses when no space exists after UNION

    Merge remote-tracking branch 'origin/pr/98' into 2.x
    
    * origin/pr/98:
      Fix isValidClause check for certain injections
    opengeek committed Nov 14, 2016
  12. Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"

    This reverts commit a17b3bc, reversing
    changes made to 8861b41.
    opengeek committed Nov 14, 2016
  13. Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"

    This reverts commit d2689fd, reversing
    changes made to 0885708.
    opengeek committed Nov 14, 2016
  14. Fix isValidClause check for certain injections

    Notified about issue by Vasily Naumkin. Specific injections using UNION could be used to bypass the check.
    Mark-H committed Nov 14, 2016
  15. Revert the breaking change related to xPDOQuery->sortby (067cb74), while keeping the fixes for sort direction and limit.

    The changes in 067cb74 are causing numerous issues to valid use cases you might see in the wild. With the fix in 910cfdc it's no longer necessary to prevent the injection, so this can be safely reverted back.
    Mark-H committed Nov 14, 2016
Commits on Nov 13, 2016
  1. Add catch-all SQL Injection Detection to xPDOQuery->prepare

    This ensures that the isValidClause check is run on every single query. This fix would have prevented the sortby/sortdir/limit/offset injection (modxcms/xpdo#97) as well.
    Mark-H committed Nov 13, 2016
  2. SQL injections in ORDER BY and LIMIT clauses

    Following a report from Nikolay Lanets on November 4th, several SQL injections in xPDO have been found and fixed.
    
    When creating a SQL query through an xPDOQuery object (as virtually any core and third party code interacting with the database does), the `sortby` and `limit` methods accepted arbitrary SQL which was not properly sanitised.
    
    While this vulnerability existed within the xPDOQuery object, the original report from Nikolay and further testing shows that it could be exploited without writing and executing arbitrary code. This includes by providing specially crafted arguments to connectors/processors (requiring a valid manager session), or by a snippet call that passes a sort or limit to xPDOQuery directly.
    
    As these are common scenarios that can't reasonably be resolved in each specific calling function, this has been patched at the xPDOQuery level at the cost of a breaking change to extras (and possibly MODX core code) that do rely on the sort accepting arbitrary SQL, for example the common approach for sorting resources in a specific order with sort clauses like `FIELD(modResource.id, 1, 2, 3)`. These order clauses will no longer work following this patch, unless the snippet indicates the input should be trusted by calling the `sortbyRaw` method with a value of `true`.
    Mark-H committed Nov 13, 2016
  3. Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Possible fix for blind SQL injection
    opengeek committed Nov 13, 2016
  4. Fix getObject to prevent raw SQL string from being used as PK criteria

    Merge branch '2.4.x' into 2.x
    opengeek committed Nov 13, 2016