RetailCRM-Mirror/doctrine2
1
0
Fork 0
mirror of synced 2025-01-29 19:41:45 +03:00
Code Issues Projects Releases Wiki Activity

DDC-1500 - Fix potential security problem in EntityRepository ORDER BY orientations

Browse Source
This commit is contained in:
Benjamin Eberlei 2011-11-21 15:04:14 +01:00
parent 7ca43b72c9
commit 135e515e7f
3 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lib/Doctrine/ORM/ORMException.php
View File

@ -59,6 +59,15 @@ class ORMException extends Exception
return new self("Unrecognized field: $field"); return new self("Unrecognized field: $field");
} }
/**
* @param string $className
* @param string $field
*/
public static function invalidOrientation($className, $field)
{
return new self("Invalid order by orientation specified for " . $className . "#" . $field);
}
public static function invalidFlushMode($mode) public static function invalidFlushMode($mode)
{ {
return new self("'$mode' is an invalid flush mode."); return new self("'$mode' is an invalid flush mode.");

6
lib/Doctrine/ORM/Persisters/BasicEntityPersister.php
View File

@ -906,7 +906,6 @@ class BasicEntityPersister
* @param array $orderBy * @param array $orderBy
* @param string $baseTableAlias * @param string $baseTableAlias
* @return string * @return string
* @todo Rename: _getOrderBySQL
*/ */
protected final function _getOrderBySQL(array $orderBy, $baseTableAlias) protected final function _getOrderBySQL(array $orderBy, $baseTableAlias)
{ {
@ -917,6 +916,11 @@ class BasicEntityPersister
throw ORMException::unrecognizedField($fieldName); throw ORMException::unrecognizedField($fieldName);
} }
$orientation = strtoupper(trim($orientation));
if ($orientation != 'ASC' && $orientation != 'DESC') {
throw ORMException::invalidOrientation($this->_class->name, $fieldName);
}
$tableAlias = isset($this->_class->fieldMappings[$fieldName]['inherited']) ? $tableAlias = isset($this->_class->fieldMappings[$fieldName]['inherited']) ?
$this->_getSQLTableAlias($this->_class->fieldMappings[$fieldName]['inherited']) $this->_getSQLTableAlias($this->_class->fieldMappings[$fieldName]['inherited'])
: $baseTableAlias; : $baseTableAlias;

10
tests/Doctrine/Tests/ORM/Functional/EntityRepositoryTest.php
View File

@ -491,5 +491,15 @@ class EntityRepositoryTest extends \Doctrine\Tests\OrmFunctionalTestCase
$this->_em->getConfiguration()->setDefaultRepositoryClassName("Doctrine\Tests\Models\DDC753\DDC753InvalidRepository"); $this->_em->getConfiguration()->setDefaultRepositoryClassName("Doctrine\Tests\Models\DDC753\DDC753InvalidRepository");
} }
/**
* @group DDC-1500
*/
public function testInvalidOrientation()
{
$this->setExpectedException('Doctrine\ORM\ORMException', 'Invalid order by orientation specified for Doctrine\Tests\Models\CMS\CmsUser#username');
$repo = $this->_em->getRepository('Doctrine\Tests\Models\CMS\CmsUser');
$repo->findBy(array('status' => 'test'), array('username' => 'INVALID'));
}
} }