Enforce model aliases when generating order by clauses.

Invalid SQL could be created by sorting on an invalid alias, with
a field that exists on the model.

Fixes #3797

lib/Cake/Controller/Component/PaginatorComponent.php

@@ -372,6 +372,7 @@ class PaginatorComponent extends Component {
 			$field = key($options['order']);
 			if (!in_array($field, $whitelist)) {
 				$options['order'] = null;
+				return $options;
 			}
 		}
 
@@ -385,7 +386,7 @@ class PaginatorComponent extends Component {
 				}
 
 				if ($object->hasField($field)) {
-					$order[$alias . '.' . $field] = $value;
+					$order[$object->alias . '.' . $field] = $value;
 				} elseif ($object->hasField($key, true)) {
 					$order[$field] = $value;
 				} elseif (isset($object->{$alias}) && $object->{$alias}->hasField($field, true)) {

lib/Cake/Test/Case/Controller/Component/PaginatorComponentTest.php

@@ -969,10 +969,12 @@ class PaginatorComponentTest extends CakeTestCase {
 		$model->alias = 'model';
 		$model->expects($this->any())->method('hasField')->will($this->returnValue(true));
 
-		$options = array('order' => array(
-			'author_id' => 'asc',
-			'title' => 'asc'
-		));
+		$options = array(
+			'order' => array(
+				'author_id' => 'asc',
+				'title' => 'asc'
+			)
+		);
 		$result = $this->Paginator->validateSort($model, $options);
 		$expected = array(
 			'model.author_id' => 'asc',
@@ -1002,6 +1004,21 @@ class PaginatorComponentTest extends CakeTestCase {
 		$this->assertEquals($options['order'], $result['order']);
 	}
 
+/**
+ * Test sorting with incorrect aliases on valid fields.
+ *
+ * @return void
+ */
+	public function testValidateSortInvalidAlias() {
+		$model = $this->getMock('Model');
+		$model->alias = 'Model';
+		$model->expects($this->any())->method('hasField')->will($this->returnValue(true));
+
+		$options = array('sort' => 'Derp.id');
+		$result = $this->Paginator->validateSort($model, $options);
+		$this->assertEquals(array('Model.id' => 'asc'), $result['order']);
+	}
+
 /**
  * test that maxLimit is respected
  *