Patch for potential Sql injection in ORDER()

ezimuel · weierophinney · commit da09186c60b9 · 2014-06-12T11:01:05.000-05:00
diff --git a/library/Zend/Db/Select.php b/library/Zend/Db/Select.php
@@ -601,7 +601,7 @@ public function order($spec)
                     $val = trim($matches[1]);
                     $direction = $matches[2];
                 }
-                if (preg_match('/\(.*\)/', $val)) {
+                if (preg_match('/^[\w]*\(.*\)$/', $val)) {
                     $val = new Zend_Db_Expr($val);
                 }
                 $this->_parts[self::ORDER][] = array($val, $direction);
diff --git a/tests/Zend/Db/Select/TestCommon.php b/tests/Zend/Db/Select/TestCommon.php
@@ -1757,4 +1757,14 @@ public function testJoinUsingUsesAliasOfTableBeingJoinedWhenAliasIsDefined()
         $this->assertRegexp("/ON {$table2_alias}.{$colname}/s", $select->assemble());
     }
 
+    public function testSqlInjectionWithOrder()
+    {
+    	$select = $this->_db->select();
+    	$select->from(array('p' => 'products'))->order('MD5(1);select');
+    	$this->assertEquals($select, 'SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC');
+    	
+    	$select = $this->_db->select();
+    	$select->from(array('p' => 'products'))->order('name;select;MD5(1)');
+    	$this->assertEquals($select, 'SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC');
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -601,7 +601,7 @@ public function order($spec)`
`601`	`601`	`$val = trim($matches[1]);`
`602`	`602`	`$direction = $matches[2];`
`603`	`603`	`}`
`604`		`- if (preg_match('/\(.*\)/', $val)) {`
	`604`	`+ if (preg_match('/^[\w]\(.\)$/', $val)) {`
`605`	`605`	`$val = new Zend_Db_Expr($val);`
`606`	`606`	`}`
`607`	`607`	`$this->_parts[self::ORDER][] = array($val, $direction);`
Original file line number	Diff line number	Diff line change
`@@ -1757,4 +1757,14 @@ public function testJoinUsingUsesAliasOfTableBeingJoinedWhenAliasIsDefined()`
`1757`	`1757`	`$this->assertRegexp("/ON {$table2_alias}.{$colname}/s", $select->assemble());`
`1758`	`1758`	`}`
`1759`	`1759`
	`1760`	`+ public function testSqlInjectionWithOrder()`
	`1761`	`+ {`
	`1762`	`+ $select = $this->_db->select();`
	`1763`	`+ $select->from(array('p' => 'products'))->order('MD5(1);select');`
	`1764`	`+ $this->assertEquals($select, 'SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);select" ASC');`
	`1765`	`+`
	`1766`	`+ $select = $this->_db->select();`
	`1767`	`+ $select->from(array('p' => 'products'))->order('name;select;MD5(1)');`
	`1768`	`+ $this->assertEquals($select, 'SELECT "p".* FROM "products" AS "p" ORDER BY "name;select;MD5(1)" ASC');`
	`1769`	`+ }`
`1760`	`1770`	`}`