From 83deec2e3621c40d15a06e2491f27571d32fe10f Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Wed, 30 Jan 2019 22:05:43 -0800
Subject: Avoid XSS in pagination ordering

---
 app/Core/Paginator.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/app/Core/Paginator.php b/app/Core/Paginator.php
index 9776a03d..d805567e 100644
--- a/app/Core/Paginator.php
+++ b/app/Core/Paginator.php
@@ -169,10 +169,16 @@ class Paginator
 public function executeQuery()
 {
 if ($this->query !== null) {
+
 $this->query
 ->offset($this->offset)
- ->limit($this->limit)
- ->orderBy($this->order, $this->direction);
+ ->limit($this->limit);
+
+ if (preg_match('/^[a-zA-Z0-9._]+$/', $this->order)) {
+ $this->query->orderBy($this->order, $this->direction);
+ } else {
+ $this->order = '';
+ }
 
 if ($this->formatter !== null) {
 return $this->formatter->withQuery($this->query)->format();
-- cgit v1.2.3
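Review bot: The allowlist on the new preg_match line is looser than it looks: without the `D` modifier, `$` also matches just before a final newline, so a value such as `"title\n"` passes the check and reaches orderBy() and the pagination links unchanged. Anchoring on the true end of the string closes that gap: `if (preg_match('/^[a-zA-Z0-9._]+\z/', $this->order)) {`. Only `order` is validated here; `direction` is still handed to orderBy() untouched, and if it is also read from the request it deserves the same allowlist treatment (where it is set is not visible in this hunk). A short comment above the check, e.g. `// The order column reaches both the SQL ORDER BY and the pagination URLs, so only identifier characters are allowed; anything else is dropped`, would explain why the value is reset rather than escaped. executeQuery() continues past the end of the hunk.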