[webui] Fix hakiri issue: Denial of Service

openSUSE · Aug 25, 2015 · 8a262e5 · 8a262e5
1 parent afcf669
commit 8a262e5
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/api/app/controllers/webui/user_controller.rb b/src/api/app/controllers/webui/user_controller.rb
@@ -95,10 +95,11 @@ def requests
       }
     sorting_field = sortable_fields[params[:iSortCol_0].to_i]
     sorting_field ||= :created_at
-    sorting_dir = params[:sSortDir_0] || :asc
+    sorting_dir = params[:sSortDir_0].to_sym
+    sorting_dir = :asc unless ["asc", "desc"].include?(params[:sSortDir_0])
     @requests = @displayed_user.requests(params[:sSearch])
     @requests_count = @requests.clone.count
-    @requests = @requests.offset(params[:iDisplayStart].to_i).limit(params[:iDisplayLength].to_i).reorder(sorting_field => sorting_dir.to_sym)
+    @requests = @requests.offset(params[:iDisplayStart].to_i).limit(params[:iDisplayLength].to_i).reorder(sorting_field => sorting_dir)
     respond_to do |format|
       # For jquery dataTable
       format.json {