mirror of
https://github.com/kamilwylegala/cakephp2-php8.git
synced 2024-11-15 03:18:26 +00:00
Use a permitted list instead of a ban list.
This should be safer as we are more confident on what is coming in.
This commit is contained in:
parent
f66dec8a96
commit
a9618f67f7
2 changed files with 6 additions and 2 deletions
|
@ -1033,6 +1033,7 @@ class Controller extends CakeObject implements CakeEventListener {
|
|||
* included in the returned conditions
|
||||
* @return array|null An array of model conditions
|
||||
* @deprecated 3.0.0 Will be removed in 3.0.
|
||||
* @throws RuntimeException when unsafe operators are found.
|
||||
*/
|
||||
public function postConditions($data = array(), $op = null, $bool = 'AND', $exclusive = false) {
|
||||
if (!is_array($data) || empty($data)) {
|
||||
|
@ -1051,7 +1052,7 @@ class Controller extends CakeObject implements CakeEventListener {
|
|||
$arrayOp = is_array($op);
|
||||
foreach ($data as $model => $fields) {
|
||||
foreach ($fields as $field => $value) {
|
||||
if (preg_match('#[!=><~\&\|\)\(]#', $field)) {
|
||||
if (preg_match('#[^a-zA-Z0-9_ ]#', $field)) {
|
||||
throw new RuntimeException("Unsafe operator found in {$model}.{$field}");
|
||||
}
|
||||
$key = $model . '.' . $field;
|
||||
|
|
|
@ -1196,6 +1196,9 @@ class ControllerTest extends CakeTestCase {
|
|||
array(
|
||||
array('Model' => array('field OR RAND()' => 1))
|
||||
),
|
||||
array(
|
||||
array('Posts' => array('id IS NULL union all select posts.* from posts where id; --' => 1))
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue