From 459468cc67f4be59f7a2df43eadbfca60703d920 Mon Sep 17 00:00:00 2001
From: Michael Strong
Date: Wed, 3 Jun 2015 10:46:35 +1200
Subject: [PATCH] Escape $stage

Although I don't *think* this is vulnerable, the $stage variable ultimately comes from a $_GET variable so should be escaped. Without this the security remains weak and could cause issues if the Versioned code is changed.
---
 code/extensions/BlogFilter.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/code/extensions/BlogFilter.php b/code/extensions/BlogFilter.php
index 8717a4e..d9db56e 100644
--- a/code/extensions/BlogFilter.php
+++ b/code/extensions/BlogFilter.php
@@ -23,6 +23,7 @@ class BlogFilter extends Lumberjack {
 $stage = '_' . $stage;
 }
+ $stage = Convert::raw2sql($stage);
 $dataQuery = $staged->dataQuery()
 ->innerJoin('BlogPost', sprintf('"BlogPost%s"."ID" = "SiteTree%s"."ID"', $stage, $stage))
 ->where(sprintf('"PublishDate" < \'%s\'', Convert::raw2sql(SS_Datetime::now())));
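Review bot: `Convert::raw2sql()` escapes a value for use inside a quoted string literal, but on the `innerJoin` line `$stage` is spliced into double-quoted identifiers (`"BlogPost%s"` and `"SiteTree%s"`), so the added call is escaping for the wrong SQL context. Because the commit message says the value ultimately derives from `$_GET`, an allow-list check suits a table-name suffix better, for example `if (!preg_match('/^[A-Za-z0-9_]*$/', $stage)) { throw new InvalidArgumentException('Unexpected stage name'); }` placed before the query is built. A short comment such as `// $stage becomes part of a table identifier, so it is validated rather than string-escaped` would record the intent. The assignment of `$stage` and the start of the enclosing method are outside the hunk, so whether an upstream check already constrains the value cannot be confirmed from here.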