fixes #1924 protect API user input from SQL injections
@@ -37,6 +37,7 @@ define('ACTIVITY_SYSTEM_THEME', 3);
|
|||||||
|
|
||||||
// Sanity checks
|
// Sanity checks
|
||||||
define('PATTERN_ID', '/^\d+$/');
|
define('PATTERN_ID', '/^\d+$/');
|
||||||
|
define('PATTERN_ORDER', '/^(rand(om)?|[a-z_]+(\s+(asc|desc))?)(\s*,\s*(rand(om)?|[a-z_]+(\s+(asc|desc))?))*$/i');
|
||||||
|
|
||||||
// Table names
|
// Table names
|
||||||
if (!defined('CATEGORIES_TABLE'))
|
if (!defined('CATEGORIES_TABLE'))
|
||||||
|
|||||||
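Review bot: The added PATTERN_ORDER is a syntax filter, not a column whitelist: `[a-z_]+` under the `i` modifier accepts any identifier, so a caller can still name columns the method never documents (the users declaration later in this commit lists only `id, username, level, email`), which at best produces a SQL error on an unknown column and at worst sorts on a column whose values the API never returns. The `$` anchor also matches before a trailing newline, so `"id\n"` passes; harmless for SQL, but the stricter form is `\z` (or the `D` modifier): `define('PATTERN_ORDER', '/^(rand(om)?|[a-z_]+(\s+(asc|desc))?)(\s*,\s*(rand(om)?|[a-z_]+(\s+(asc|desc))?))*\z/i');`. Since the constant is shared by the groups and users methods with different column sets, the per-method whitelist belongs in each caller; a comment above the define, `// Validates ORDER BY syntax only; each method must still restrict the column names it accepts`, would keep the next reader from treating the match as sufficient.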
@@ -15,6 +15,11 @@
|
|||||||
*/
|
*/
|
||||||
function ws_groups_getList($params, &$service)
|
function ws_groups_getList($params, &$service)
|
||||||
{
|
{
|
||||||
|
if (!preg_match(PATTERN_ORDER, $params['order']))
|
||||||
|
{
|
||||||
|
return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid input parameter order');
|
||||||
|
}
|
||||||
|
|
||||||
$where_clauses = array('1=1');
|
$where_clauses = array('1=1');
|
||||||
|
|
||||||
if (!empty($params['name']))
|
if (!empty($params['name']))
|
||||||
|
|||||||
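Review bot: The new check reads `$params['order']` unconditionally, and whether that key is always present depends on the pwg.groups.getList declaration in ws_addDefaultMethods, which is not in this commit (the users declaration shown later has `'default'=>'id'`; the groups one is not visible). If the parameter is optional without a default, an omitted `order` raises an undefined-index notice and `preg_match()` on null fails the match, turning a previously working call into WS_ERR_INVALID_PARAM; guarding with `if (isset($params['order']) && !preg_match(PATTERN_ORDER, $params['order']))` is safe in either case. Note also that the pattern only checks ORDER BY syntax, so the column names this method documents for groups should still be whitelisted here. The body of ws_groups_getList continues past the end of the hunk.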
@@ -29,6 +29,11 @@ function ws_users_getList($params, &$service)
|
|||||||
{
|
{
|
||||||
global $conf;
|
global $conf;
|
||||||
|
|
||||||
|
if (!preg_match(PATTERN_ORDER, $params['order']))
|
||||||
|
{
|
||||||
|
return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid input parameter order');
|
||||||
|
}
|
||||||
|
|
||||||
$where_clauses = array('1=1');
|
$where_clauses = array('1=1');
|
||||||
|
|
||||||
if (!empty($params['user_id']))
|
if (!empty($params['user_id']))
|
||||||
|
|||||||
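Review bot: After the added `preg_match(PATTERN_ORDER, ...)` check, `order` can still name any column of the users table, not just the documented `id, username, level, email` (see the `'info'` entry for this method at the bottom of the commit); ordering by a column that is never returned, such as a password-hash column if one exists in that table, would let a caller learn the relative ordering of values that are meant to stay private, and ordering by a non-existent column surfaces a SQL error instead of a clean parameter error. I would keep the syntax check and follow it with a whitelist of the documented columns, keeping `rand`/`random` only because the pattern admits them (whether the query handles them is outside this hunk). The body of ws_users_getList continues past the end of the hunk.
```php
  if (!preg_match(PATTERN_ORDER, $params['order']))
  {
    return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid input parameter order');
  }
  // PATTERN_ORDER only validates syntax; restrict to the columns this method documents
  $order_allowed = array('id', 'username', 'level', 'email', 'rand', 'random');
  foreach (preg_split('/\s*,\s*/', trim($params['order'])) as $order_part)
  {
    $order_column = strtolower(preg_replace('/\s+(asc|desc)$/i', '', $order_part));
    if (!in_array($order_column, $order_allowed, true))
    {
      return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid input parameter order');
    }
  }
  // … unchanged: $where_clauses construction …
```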
@@ -1102,6 +1102,8 @@ function ws_addDefaultMethods( $arr )
|
|||||||
'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
|
'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
|
||||||
'order' => array('default'=>'id',
|
'order' => array('default'=>'id',
|
||||||
'info'=>'id, username, level, email'),
|
'info'=>'id, username, level, email'),
|
||||||
|
'exclude' => array('flags'=>WS_PARAM_OPTIONAL|WS_PARAM_FORCE_ARRAY,
|
||||||
|
'type'=>WS_TYPE_ID),
|
||||||
'display' => array('default'=>'basics',
|
'display' => array('default'=>'basics',
|
||||||
'info'=>'Comma saparated list (see method description)'),
|
'info'=>'Comma saparated list (see method description)'),
|
||||||
),
|
),
|
||||||
|
|||||||
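Review bot: The new `exclude` parameter has no `'info'` entry, unlike the neighbouring `order` and `display` declarations in the same array, so the method's self-description will not tell API clients what the array is for; adding `'info'=>'user ids to exclude from the result'` after the `'type'=>WS_TYPE_ID),` line keeps the declaration consistent with its siblings. Typing it `WS_TYPE_ID` with `WS_PARAM_FORCE_ARRAY` presumably leaves the integer check to the framework, but the place where the values reach the query is outside this hunk and should be confirmed to rely on that type rather than on the raw strings. The enclosing ws_addDefaultMethods array begins and ends outside the hunk.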