From d29201fce134347f891102699fbde7070debee33 Mon Sep 17 00:00:00 2001
From: Tony Murray
Date: Tue, 16 Apr 2024 19:32:35 -0500
Subject: [PATCH] Fix SQL injection issues in packages search (#15950)
https://github.com/librenms/librenms/security/advisories/GHSA-cwx6-cx7x-4q34
---
 includes/html/pages/search/packages.inc.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/includes/html/pages/search/packages.inc.php b/includes/html/pages/search/packages.inc.php
index 3b03f58634..024bfacb3d 100644
--- a/includes/html/pages/search/packages.inc.php
+++ b/includes/html/pages/search/packages.inc.php
@@ -43,7 +43,7 @@ print_optionbar_start(28);
 print_optionbar_end();
 if (isset($_POST['results_amount']) && $_POST['results_amount'] > 0) {
- $results = $_POST['results'];
+ $results = (int) $_POST['results_amount'];
 } else {
 $results = 50;
 }
@@ -70,7 +70,6 @@ if (isset($_POST['results_amount']) && $_POST['results_amount'] > 0) {
 hasGlobalRead()) {
 $param = array_merge($param, $device_ids);
 }
-$query .= " WHERE packages.device_id = devices.device_id AND packages.name LIKE '%" . $_POST['package'] . "%' $sql_where GROUP BY packages.name";
+$query .= " WHERE packages.device_id = devices.device_id AND packages.name LIKE ? $sql_where GROUP BY packages.name";
+$param[] = '%' . $_POST['package'] . '%';
 $where = '';
 $ver = '';
@@ -107,7 +107,7 @@ if (! isset($_POST['page_number']) && $_POST['page_number'] < 1) {
 }
 $start = ($page_number - 1) * $results;
-$full_query = $full_query . $query . " LIMIT $start,$results";
+$full_query = $query . " LIMIT $start,$results";
 ?>
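Review bot: The `> 0` guard in front of the new `$results = (int) $_POST['results_amount'];` line still runs on the raw request string, so a non-numeric value such as `abc` (PHP 8 compares it as a string, and `'abc' > '0'` is true) passes the check and is then cast to 0, which reaches the later `LIMIT …,0` and yields an empty page instead of the default of 50; an array value passes the same check and casts to 1. Casting first and testing the integer removes the loose comparison: `$results = (int) ($_POST['results_amount'] ?? 0); if ($results < 1) { $results = 50; }`. This is a correctness point rather than an injection one, since the cast already makes the interpolated value integral.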
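Review bot: The new `$param[] = '%' . $_POST['package'] . '%';` line binds the value safely but leaves `%` and `_` inside it as LIKE wildcards, and an absent `package` field produces `'%%'`, which matches every row; if the search is meant to be literal, accept only a string and escape the wildcards: `$package = is_string($_POST['package'] ?? null) ? $_POST['package'] : ''; $param[] = '%' . addcslashes($package, '%_\\') . '%';`. Because the parameter is appended after the `$device_ids` merge, the placeholder order in the final statement now depends on `$sql_where` (built above this hunk) either containing no `?` of its own or having its values appended after this line; that ordering is not visible here and is worth confirming against the code that builds `$sql_where`. The initialisations of `$query` and `$param` are outside the hunk.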
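Review bot: `$start` is still interpolated into the SQL string on the new `$full_query = $query . " LIMIT $start,$results";` line, and it derives from `$page_number`, whose validation sits above this hunk; the condition visible in the hunk header, `! isset($_POST['page_number']) && $_POST['page_number'] < 1`, only fires when the field is absent and never when it is set to 0 or a negative number, so it is not obvious from here that such a page is rejected. Arithmetic on a string in PHP 8 either throws a `TypeError` or yields a number, so this is not an injection path, but a float page (`'1.5'`) or a negative result reaches MySQL as an invalid `LIMIT` clause rather than as a validation error. Casting keeps the value integral and non-negative: `$start = max(0, ((int) $page_number - 1) * $results);`. The conditional that sets `$page_number` starts outside the hunk.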