[SS-2018-016] Group table name is escaped to prevent possibility of SQL injection

2018-07-16 11:22:58 +12:00 · 2018-07-16 11:22:58 +12:00 · 4b6804eaab
parent 7e1c2eb0aa
commit 4b6804eaab
1 changed files with 1 additions and 1 deletions
--- a/src/Extensions/GroupSubsites.php
+++ b/src/Extensions/GroupSubsites.php
@ -47,7 +47,7 @@ class GroupSubsites extends DataExtension implements PermissionProvider
        }
        // Migration for Group.SubsiteID data from when Groups only had a single subsite
        $schema = DataObject::getSchema();
-        $groupTable = $schema->tableName(Group::class);
+        $groupTable = Convert::raw2sql($schema->tableName(Group::class));
        $groupFields = DB::field_list($groupTable);

        // Detection of SubsiteID field is the trigger for old-style-subsiteID migration