DDC-1500 - Fix potential security problem in EntityRepository ORDER BY orientations

2025-01-18 06:21:40 +03:00 · 2011-11-21 15:04:14 +01:00 · 2011-11-21 15:04:14 +01:00 · 135e515e7f
commit 135e515e7f
parent 7ca43b72c9
3 changed files with 24 additions and 1 deletions
--- a/lib/Doctrine/ORM/ORMException.php
+++ b/lib/Doctrine/ORM/ORMException.php
@ -59,6 +59,15 @@ class ORMException extends Exception
        return new self("Unrecognized field: $field");
    }

+    /**
+     * @param string $className
+     * @param string $field
+     */
+    public static function invalidOrientation($className, $field)
+    {
+        return new self("Invalid order by orientation specified for " . $className . "#" . $field);
+    }
+
    public static function invalidFlushMode($mode)
    {
        return new self("'$mode' is an invalid flush mode.");
--- a/lib/Doctrine/ORM/Persisters/BasicEntityPersister.php
+++ b/lib/Doctrine/ORM/Persisters/BasicEntityPersister.php
@ -906,7 +906,6 @@ class BasicEntityPersister
     * @param array $orderBy
     * @param string $baseTableAlias
     * @return string
-     * @todo Rename: _getOrderBySQL
     */
    protected final function _getOrderBySQL(array $orderBy, $baseTableAlias)
    {
@ -917,6 +916,11 @@ class BasicEntityPersister
                throw ORMException::unrecognizedField($fieldName);
            }

+            $orientation = strtoupper(trim($orientation));
+            if ($orientation != 'ASC' && $orientation != 'DESC') {
+                throw ORMException::invalidOrientation($this->_class->name, $fieldName);
+            }
+
            $tableAlias = isset($this->_class->fieldMappings[$fieldName]['inherited']) ?
                    $this->_getSQLTableAlias($this->_class->fieldMappings[$fieldName]['inherited'])
                    : $baseTableAlias;
--- a/tests/Doctrine/Tests/ORM/Functional/EntityRepositoryTest.php
+++ b/tests/Doctrine/Tests/ORM/Functional/EntityRepositoryTest.php
@ -491,5 +491,15 @@ class EntityRepositoryTest extends \Doctrine\Tests\OrmFunctionalTestCase
        $this->_em->getConfiguration()->setDefaultRepositoryClassName("Doctrine\Tests\Models\DDC753\DDC753InvalidRepository");
    }

+    /**
+     * @group DDC-1500
+     */
+    public function testInvalidOrientation()
+    {
+        $this->setExpectedException('Doctrine\ORM\ORMException', 'Invalid order by orientation specified for Doctrine\Tests\Models\CMS\CmsUser#username');
+
+        $repo = $this->_em->getRepository('Doctrine\Tests\Models\CMS\CmsUser');
+        $repo->findBy(array('status' => 'test'), array('username' => 'INVALID'));
+    }
 }