mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
BUGFIX Fixed possible SQL injection in file name part for File::find()
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@73437 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
parent
3973a6a47e
commit
4513631a54
@ -70,7 +70,8 @@ class File extends DataObject {
|
||||
|
||||
foreach($parts as $part) {
|
||||
if($part == "assets" && !$parentID) continue;
|
||||
$item = DataObject::get_one('File', "Name = '$part' AND ParentID = $parentID");
|
||||
$SQL_part = Convert::raw2sql($part);
|
||||
$item = DataObject::get_one('File', "Name = '$SQL_part' AND ParentID = $parentID");
|
||||
if(!$item) break;
|
||||
$parentID = $item->ID;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user