[SS-2017-008] Fix SQL injection in full text search

2024-10-22 14:05:37 +02:00 · 2017-11-20 16:53:44 +13:00 · 2017-11-20 16:53:44 +13:00 · 099a5a3c2d
commit 099a5a3c2d
parent d8ca223e15
2 changed files with 11 additions and 11 deletions
--- a/src/ORM/Connect/MySQLDatabase.php
+++ b/src/ORM/Connect/MySQLDatabase.php
@ -2,6 +2,8 @@

 namespace SilverStripe\ORM\Connect;

+use SilverStripe\Assets\File;
+use SilverStripe\CMS\Model\SiteTree;
 use SilverStripe\Core\Config\Configurable;
 use SilverStripe\Core\Convert;
 use SilverStripe\ORM\PaginatedList;
@ -144,7 +146,7 @@ class MySQLDatabase extends Database
     * @param bool $booleanSearch
     * @param string $alternativeFileFilter
     * @param bool $invertedMatch
-     * @return \SilverStripe\ORM\PaginatedList
+     * @return PaginatedList
     * @throws Exception
     */
    public function searchEngine(
@ -158,10 +160,8 @@ class MySQLDatabase extends Database
        $alternativeFileFilter = "",
        $invertedMatch = false
    ) {
-        $pageClass = 'SilverStripe\\CMS\\Model\\SiteTree';
-        $fileClass = 'SilverStripe\\Assets\\File';
-        $pageTable = DataObject::getSchema()->tableName($pageClass);
-        $fileTable = DataObject::getSchema()->tableName($fileClass);
+        $pageClass = SiteTree::class;
+        $fileClass = File::class;
        if (!class_exists($pageClass)) {
            throw new Exception('MySQLDatabase->searchEngine() requires "SiteTree" class');
        }
@ -194,12 +194,13 @@ class MySQLDatabase extends Database

        // File.ShowInSearch was added later, keep the database driver backwards compatible
        // by checking for its existence first
+        $fileTable = DataObject::getSchema()->tableName($fileClass);
        $fields = $this->getSchemaManager()->fieldList($fileTable);
        if (array_key_exists('ShowInSearch', $fields)) {
            $extraFilters[$fileClass] .= " AND ShowInSearch <> 0";
        }

-        $limit = $start . ", " . (int) $pageLength;
+        $limit = (int)$start . ", " . (int)$pageLength;

        $notMatch = $invertedMatch
                ? "NOT "
@ -257,7 +258,6 @@ class MySQLDatabase extends Database
        $queryParameters = array();
        $totalCount = 0;
        foreach ($lists as $class => $list) {
-            $table = DataObject::getSchema()->tableName($class);
            /** @var SQLSelect $query */
            $query = $list->dataQuery()->query();

--- a/src/ORM/PaginatedList.php
+++ b/src/ORM/PaginatedList.php
@ -87,7 +87,7 @@ class PaginatedList extends ListDecorator
     */
    public function setPageLength($length)
    {
-        $this->pageLength = $length;
+        $this->pageLength = (int)$length;
        return $this;
    }

@ -99,7 +99,7 @@ class PaginatedList extends ListDecorator
     */
    public function setCurrentPage($page)
    {
-        $this->pageStart = ($page - 1) * $this->getPageLength();
+        $this->pageStart = ((int)$page - 1) * $this->getPageLength();
        return $this;
    }

@ -134,7 +134,7 @@ class PaginatedList extends ListDecorator
     */
    public function setPageStart($start)
    {
-        $this->pageStart = $start;
+        $this->pageStart = (int)$start;
        return $this;
    }

@ -161,7 +161,7 @@ class PaginatedList extends ListDecorator
     */
    public function setTotalItems($items)
    {
-        $this->totalItems = $items;
+        $this->totalItems = (int)$items;
        return $this;
    }