Improve order validation in list_devices function to prevent SQL injection (#15885)

This commit is contained in:
Jellyfrog
2024-04-16 17:38:17 +02:00
committed by GitHub
parent 36dc9d3c05
commit 83fe4b10c4


@@ -313,12 +313,10 @@ function list_devices(Illuminate\Http\Request $request)
$query = $request->get('query');
$param = [];
if (empty($order)) {
$order = 'hostname';
}
if (stristr($order, ' desc') === false && stristr($order, ' asc') === false) {
$order = 'd.`' . $order . '` ASC';
if (preg_match('/^([a-z_]+)(?: (desc|asc))?$/i', $order, $matches)) {
$order = "d.`$matches[1]` " . ($matches[2] ?? 'ASC');
} else {
$order = 'd.`hostname` ASC';
}
$select = ' d.*, GROUP_CONCAT(dd.device_id) AS dependency_parent_id, GROUP_CONCAT(dd.hostname) AS dependency_parent_hostname, `location`, `lat`, `lng` ';