fixes #1924 protect API user input from SQL injections

2025-04-29 12:49:57 +03:00 · 2023-05-29 12:25:03 +02:00 · 2023-05-29 12:25:03 +02:00 · 0649ad3245
commit 0649ad3245
parent efc5bcfc85
4 changed files with 13 additions and 0 deletions
--- a/include/constants.php
+++ b/include/constants.php
@ -37,6 +37,7 @@ define('ACTIVITY_SYSTEM_THEME', 3);

 // Sanity checks
 define('PATTERN_ID', '/^\d+$/');
+define('PATTERN_ORDER', '/^(rand(om)?|[a-z_]+(\s+(asc|desc))?)(\s*,\s*(rand(om)?|[a-z_]+(\s+(asc|desc))?))*$/i');

 // Table names
 if (!defined('CATEGORIES_TABLE'))
--- a/include/ws_functions/pwg.groups.php
+++ b/include/ws_functions/pwg.groups.php
@ -15,6 +15,11 @@
 */
 function ws_groups_getList($params, &$service)
 {
+  if (!preg_match(PATTERN_ORDER, $params['order']))
+  {
+    return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid input parameter order');
+  }
+
  $where_clauses = array('1=1');

  if (!empty($params['name']))
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@ -29,6 +29,11 @@ function ws_users_getList($params, &$service)
 {
  global $conf;

+  if (!preg_match(PATTERN_ORDER, $params['order']))
+  {
+    return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid input parameter order');
+  }
+
  $where_clauses = array('1=1');

  if (!empty($params['user_id']))
--- a/ws.php
+++ b/ws.php
@ -1102,6 +1102,8 @@ function ws_addDefaultMethods( $arr )
                              'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
        'order' =>      array('default'=>'id',
                              'info'=>'id, username, level, email'),
+        'exclude' =>    array('flags'=>WS_PARAM_OPTIONAL|WS_PARAM_FORCE_ARRAY,
+                              'type'=>WS_TYPE_ID),
        'display' =>    array('default'=>'basics',
                              'info'=>'Comma saparated list (see method description)'),
        ),