Add security fixes from 1.11.x

4 years ago · 806785dfb6
parent b19d9ed254
commit 806785dfb6
14 changed files with 48 additions and 36 deletions
--- a/public/main/inc/lib/groupmanager.lib.php
+++ b/public/main/inc/lib/groupmanager.lib.php
@ -1170,9 +1170,9 @@ class GroupManager
                    g.iid = $group_id";

        if (!empty($column) && !empty($direction)) {
-            $column = Database::escape_string($column, null, false);
-            $direction = ('ASC' == $direction ? 'ASC' : 'DESC');
-            $sql .= " ORDER BY $column $direction";
+            $column = Database::escape_string($column);
+            $direction = ('ASC' === $direction ? 'ASC' : 'DESC');
+            $sql .= " ORDER BY `$column` $direction";
        }

        if (!empty($start) && !empty($limit)) {
--- a/public/main/inc/lib/myspace.lib.php
+++ b/public/main/inc/lib/myspace.lib.php
@ -556,7 +556,7 @@ class MySpace
            }
        }
        if (!empty($order[$tracking_column])) {
-            $sqlCoachs .= ' ORDER BY '.$order[$tracking_column].' '.$tracking_direction;
+            $sqlCoachs .= " ORDER BY `".$order[$tracking_column]."` ".$tracking_direction;
        }

        $result_coaches = Database::query($sqlCoachs);
@ -1499,6 +1499,12 @@ class MySpace
        $column,
        $direction
    ) {
+        switch ($column) {
+            default:
+            case 1:
+                $column = 'title';
+                break;
+        }
        $courses = CourseManager::get_courses_list(
            $from,
            $numberItems,
@ -1570,8 +1576,10 @@ class MySpace
                null,
                true
            );
-            $progress += $progress_tmp[0];
-            $nb_progress_lp += $progress_tmp[1];
+            if ($progress_tmp) {
+                $progress += $progress_tmp[0];
+                $nb_progress_lp += $progress_tmp[1];
+            }
            $score_tmp = Tracking::get_avg_student_score(
                $userId,
                $course,
@ -2505,9 +2513,9 @@ class MySpace
            $direction = 'ASC';
        }

-        $column = intval($column);
-        $from = intval($from);
-        $number_of_items = intval($number_of_items);
+        $column = (int) $column;
+        $from = (int) $from;
+        $number_of_items = (int) $number_of_items;
        $sql .= " ORDER BY col$column $direction ";
        $sql .= " LIMIT $from,$number_of_items";

@ -2637,7 +2645,7 @@ class MySpace
        }

        $order = [
-            "$column $direction",
+            " `$column` $direction",
        ];
        $userList = UserManager::get_user_list([], $order, $from, $numberItems);
        $return = [];
@ -3324,6 +3332,7 @@ class MySpace
        $numberItems = (int) $numberItems;
        $column = (int) $column;
        $orderDirection = Database::escape_string($orderDirection);
+        $orderDirection = !in_array(strtolower(trim($orderDirection)), ['asc', 'desc']) ? 'asc' : $orderDirection;

        $user = Database::get_main_table(TABLE_MAIN_USER);
        $course = Database::get_main_table(TABLE_MAIN_COURSE);
--- a/public/main/inc/lib/notebook.lib.php
+++ b/public/main/inc/lib/notebook.lib.php
@ -216,7 +216,7 @@ class NotebookManager

        // Database table definition
        $table = Database::get_course_table(TABLE_NOTEBOOK);
-        $order_by = ' ORDER BY '.$notebookView." $sort_direction ";
+        $order_by = " ORDER BY `$notebookView` $sort_direction ";

        // Condition for the session
        $condition_session = api_get_session_condition($sessionId);
--- a/public/main/inc/lib/online.inc.php
+++ b/public/main/inc/lib/online.inc.php
@ -10,9 +10,6 @@ use ChamiloSession as Session;
 * @author Denes Nagy, principal author
 * @author Bart Mollet
 * @author Roan Embrechts, cleaning and bugfixing
- */
-
-/**
 * Insert a login reference for the current user into the track_e_online stats
 * table. This table keeps trace of the last login. Nothing else matters (we
 * don't keep traces of anything older).
@ -287,12 +284,11 @@ function who_is_online(
        }
    }

-    $direction = strtolower($direction);

    if (empty($direction)) {
        $direction = 'DESC';
    } else {
-        if (!in_array($direction, ['asc', 'desc'])) {
+        if (!in_array(strtolower($direction), ['asc', 'desc'])) {
            $direction = 'DESC';
        }
    }
@ -313,14 +309,14 @@ function who_is_online(
                    friend_user_id <> '".api_get_user_id()."' AND
                    relation_type='".USER_RELATION_TYPE_FRIEND."' AND
                    user_id = '".api_get_user_id()."'
-                  ORDER BY $column $direction
+                  ORDER BY `$column` $direction
                  LIMIT $from, $number_of_items";
    } else {
        $query = "SELECT DISTINCT login_user_id, login_date
                    FROM ".$track_online_table." e
                    INNER JOIN ".$table_user." u ON (u.id = e.login_user_id)
                  WHERE u.status != ".ANONYMOUS." AND login_date >= '".$current_date."'
-                  ORDER BY $column $direction
+                  ORDER BY `$column` $direction
                  LIMIT $from, $number_of_items";
    }

@ -336,7 +332,7 @@ function who_is_online(
                                    login_date >= '".$current_date."' AND
                                    friend_user_id <> '".api_get_user_id()."' AND
                                    relation_type='".USER_RELATION_TYPE_FRIEND."'
-                            ORDER BY $column $direction
+                            ORDER BY `$column` $direction
                            LIMIT $from, $number_of_items";
            } else {
                // all users online
@ -346,7 +342,7 @@ function who_is_online(
                          ON (u.id=track.login_user_id)
                          WHERE u.status != ".ANONYMOUS." AND track.access_url_id =  $access_url_id AND
                                login_date >= '".$current_date."'
-                          ORDER BY $column $direction
+                          ORDER BY `$column` $direction
                          LIMIT $from, $number_of_items";
            }
        }
--- a/public/main/inc/lib/sessionmanager.lib.php
+++ b/public/main/inc/lib/sessionmanager.lib.php
@ -822,7 +822,7 @@ class SessionManager
        $options
    ) {
        //escaping vars
-        $sessionId = 'T' == $sessionId ? 'T' : intval($sessionId);
+        $sessionId = $sessionId === 'T' ? 'T' : intval($sessionId);
        $courseId = intval($courseId);

        //tables
@ -832,7 +832,7 @@ class SessionManager

        $course = api_get_course_info_by_id($courseId);
        $sessionCond = 'and session_id = %s';
-        if ('T' == $sessionId) {
+        if ($sessionId === 'T') {
            $sessionCond = '';
        }

@ -849,7 +849,7 @@ class SessionManager

        $order = null;
        if (!empty($options['order'])) {
-            $order = " ORDER BY ".$options['order'];
+            $order = " ORDER BY ".$options['order']." ";
        }

        $sql = "SELECT u.id as user_id, u.lastname, u.firstname, u.username, u.email, s.c_id
@ -878,7 +878,7 @@ class SessionManager
            ];

            $sessionCond = 'AND v.session_id = %d';
-            if ('T' == $sessionId) {
+            if ($sessionId == 'T') {
                $sessionCond = "";
            }

@ -6235,7 +6235,7 @@ class SessionManager

        if (!empty($column) && !empty($direction)) {
            $column = str_replace('u.', '', $column);
-            $sql .= " ORDER BY $column $direction ";
+            $sql .= " ORDER BY `$column` $direction ";
        }

        $limitCondition = '';
--- a/public/main/inc/lib/statistics.lib.php
+++ b/public/main/inc/lib/statistics.lib.php
@ -991,7 +991,7 @@ class Statistics
                   HAVING t.c_id <> ''
                   AND DATEDIFF( '".api_get_utc_datetime()."' , access_date ) <= ".$date_diff;
        }
-        $sql .= ' ORDER BY '.$columns[$column].' '.$sql_order[$direction];
+        $sql .= ' ORDER BY `'.$columns[$column].'` '.$sql_order[$direction];
        $from = ($page_nr - 1) * $per_page;
        $sql .= ' LIMIT '.$from.','.$per_page;

--- a/public/main/inc/lib/tracking.lib.php
+++ b/public/main/inc/lib/tracking.lib.php
@ -3828,7 +3828,7 @@ class Tracking
            if (in_array($orderByName, ['name', 'access_start_date'])) {
                $orderByDirection = in_array(strtolower($orderByDirection), ['asc', 'desc']) ? $orderByDirection : 'asc';
                $orderByName = Database::escape_string($orderByName);
-                $orderBy .= " ORDER BY $orderByName $orderByDirection";
+                $orderBy .= " ORDER BY `$orderByName` $orderByDirection";
            }
        }

@ -7729,7 +7729,8 @@ class TrackingCourseLog
        $table_item_property = Database::get_course_table(TABLE_ITEM_PROPERTY);
        $table_user = Database::get_main_table(TABLE_MAIN_USER);
        $table_session = Database::get_main_table(TABLE_MAIN_SESSION);
-        $session_id = intval($session_id);
+        $column = (int) $column;
+        $direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;

        $sql = "SELECT
                    tool as col0,
--- a/public/main/inc/lib/usermanager.lib.php
+++ b/public/main/inc/lib/usermanager.lib.php
@ -2163,8 +2163,8 @@ class UserManager
            $field_filter = (int) $field_filter;
            $sqlf .= " AND filter = $field_filter ";
        }
-        $sqlf .= " ORDER BY ".$columns[$column]." $sort_direction ";
-        if (0 != $number_of_items) {
+        $sqlf .= " ORDER BY `".$columns[$column]."` $sort_direction ";
+        if ($number_of_items != 0) {
            $sqlf .= " LIMIT ".intval($from).','.intval($number_of_items);
        }
        $resf = Database::query($sqlf);
@ -4650,7 +4650,7 @@ class UserManager
            if (!empty($column) && !empty($direction)) {
                // Fixing order due the UNIONs
                $column = str_replace('u.', '', $column);
-                $orderBy = " ORDER BY $column $direction ";
+                $orderBy = " ORDER BY `$column` $direction ";
            }
        }

--- a/public/main/session/session_category_list.php
+++ b/public/main/session/session_category_list.php
@ -84,7 +84,7 @@ if (isset($_GET['search']) && 'advanced' === $_GET['search']) {
                ) as nbr_session
 	 			FROM $tbl_session_category sc
 	 			$where
-	 			ORDER BY $sort $order
+	 			ORDER BY `$sort` $order
 	 			LIMIT $from,".($limit + 1);

    $query_rows = "SELECT count(*) as total_rows
--- a/public/main/session/session_course_list.php
+++ b/public/main/session/session_course_list.php
@ -58,7 +58,7 @@ $from = $page * $limit;
 $sql = "SELECT c.id, c.code, c.title, nbr_users
 		FROM $tbl_session_rel_course, $tbl_course c
 		WHERE c_id = c.id AND session_id='$id_session'
-		ORDER BY $sort
+		ORDER BY `$sort`
 		LIMIT $from,".($limit + 1);
 $result = Database::query($sql);
 $Courses = Database::store_result($result);
--- a/public/main/session/session_course_user_list.php
+++ b/public/main/session/session_course_user_list.php
@ -102,7 +102,7 @@ $sql = "
    WHERE
        s.session_id = $id_session AND
        url.access_url_id = $urlId
-    ORDER BY $sort $direction
+    ORDER BY `$sort` $direction
    LIMIT $from,".($limit + 1);

 if ('desc' === $direction) {
--- a/public/main/user/subscribe_user.php
+++ b/public/main/user/subscribe_user.php
@ -659,6 +659,8 @@ function get_user_data($from, $number_of_items, $column, $direction)
    }

    $sql .= " AND u.status != ".ANONYMOUS." ";
+    $column = (int) $column;
+    $direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
    // Sorting and pagination (used by the sortable table)
    $sql .= " ORDER BY col$column $direction ";
    $from = (int) $from;
--- a/public/main/webservices/cm_webservice_inbox.php
+++ b/public/main/webservices/cm_webservice_inbox.php
@ -106,13 +106,17 @@ class WSCMInbox extends WSCM
        $from,
        $number_of_items
    ) {
+        $from = (int) $from;
+        $number_of_items = (int) $number_of_items;
+
        if ("valid" == $this->verifyUserPass($username, $password)) {
            $user_id = UserManager::get_user_id_from_username($username);

            $table_message = Database::get_main_table(TABLE_MESSAGE);
            $sql_query = "SELECT id FROM $table_message 
                          WHERE user_sender_id=".$user_id." AND msg_status=".MESSAGE_STATUS_OUTBOX." 					 
-                          ORDER BY send_date LIMIT $from,$number_of_items";
+                          ORDER BY send_date
+                          LIMIT $from,$number_of_items";

            $sql_result = Database::query($sql_query);
            $message = "#";
--- a/public/main/webservices/cm_webservice_user.php
+++ b/public/main/webservices/cm_webservice_user.php
@ -195,7 +195,7 @@ class WSCMUser extends WSCM
        }
        $order = '';
        foreach ($order_by as $orderByItem) {
-            $order .= Database::escape_string($orderByItem, null, false).', ';
+            $order .= Database::escape_string($orderByItem).', ';
        }
        $order = substr($order, 0, -2);
        if (count($order_by) > 0) {