Use a permitted list instead of a ban list.

This should be safer as we are more confident on what is coming in.
This commit is contained in:
mark_story 2017-12-11 13:46:18 -05:00
parent f66dec8a96
commit a9618f67f7
2 changed files with 6 additions and 2 deletions

View file

@ -1033,6 +1033,7 @@ class Controller extends CakeObject implements CakeEventListener {
* included in the returned conditions
* @return array|null An array of model conditions
* @deprecated 3.0.0 Will be removed in 3.0.
* @throws RuntimeException when unsafe operators are found.
*/
public function postConditions($data = array(), $op = null, $bool = 'AND', $exclusive = false) {
if (!is_array($data) || empty($data)) {
@ -1051,7 +1052,7 @@ class Controller extends CakeObject implements CakeEventListener {
$arrayOp = is_array($op);
foreach ($data as $model => $fields) {
foreach ($fields as $field => $value) {
if (preg_match('#[!=><~\&\|\)\(]#', $field)) {
if (preg_match('#[^a-zA-Z0-9_ ]#', $field)) {
throw new RuntimeException("Unsafe operator found in {$model}.{$field}");
}
$key = $model . '.' . $field;

View file

@ -1196,6 +1196,9 @@ class ControllerTest extends CakeTestCase {
array(
array('Model' => array('field OR RAND()' => 1))
),
array(
array('Posts' => array('id IS NULL union all select posts.* from posts where id; --' => 1))
),
);
}