Moodle tracker issue MDL-72096

New helper function for cleaning SQL ORDER BY clauses

Details

    Description

      It seems that there are various places where we are allowing SQL (ORDER BY) fragments to be passed straight from input to the database. See MDL-71241 or MDL-71242.

      While a particular solution was applied to fix those issues in the interim... it was agreed that that's not the best way to fix them, because:

      1) They are particular to each individual case.
      2) They are applied well deep within the APIs; the cleaning/validation must happen earlier, in the entry/external layers.
      3) We don't have a central way to clean/validate SQL (ORDER BY) fragments.

      For a more elaborate analysis, read this and the following comments.

      So this issue is about deciding which solutions (param, function or both) we can provide. And, once decided:

      1) Implement them, crazily covered.
      2) Maybe partially undo MDL-71241 or MDL-71242 and replace them with the solution(s) implemented here.
      3) Look for more similar cases, specifically within the external functions, and fix them.
      4) Of course, document the new param and/or function.

      Ciao

      PS: I've added the security level to this issue, to avoid any disclosure of information, but I think that the solutions implemented are more a security benefit, hence I have also added the label. Surely once we know about 3), if there are more cases to fix... we can decide which of the 2 (level or label) wins.
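      As an added illustration of the kind of central "clean/validate an ORDER BY fragment" helper the description asks for (this is example code written for this page, not Moodle's own API, and not the patch attached below): the function name `clean_orderby`, its signature and the use of `InvalidArgumentException` are assumptions. The idea is allow-listing rather than escaping: an ORDER BY fragment is rebuilt only from column names the caller explicitly permits plus the literal words ASC/DESC, so anything else (semicolons, parentheses, subqueries, comments, columns the user should not be able to sort by) is rejected at the entry layer before it reaches the DML layer.

```php
<?php
/**
 * Illustrative allow-list validator for an SQL ORDER BY fragment.
 * NOT Moodle's own API: the function name, signature and exception
 * type are assumptions made for this example.
 */

/**
 * Validate and normalise an untrusted ORDER BY fragment.
 *
 * @param string   $fragment    Untrusted input, e.g. "timecreated DESC, id".
 * @param string[] $allowedcols Column names the caller is willing to sort by.
 * @return string               Canonical fragment built only from allow-listed
 *                              identifiers and the literal words ASC/DESC;
 *                              an empty string when the input is empty.
 * @throws InvalidArgumentException when any element is not on the allow list.
 */
function clean_orderby(string $fragment, array $allowedcols): string {
    if (trim($fragment) === '') {
        return '';
    }
    // Case-insensitive lookup table of permitted column names.
    $allowed = array_flip(array_map('strtolower', $allowedcols));
    $out = [];
    foreach (explode(',', $fragment) as $part) {
        // One bare identifier, an optional direction, and nothing else:
        // no parentheses, semicolons, comments, function calls or subqueries.
        if (!preg_match('/^\s*([a-z_][a-z0-9_]*)(?:\s+(asc|desc))?\s*$/i', $part, $m)) {
            throw new InvalidArgumentException("Invalid ORDER BY element: '$part'");
        }
        $col = strtolower($m[1]);
        if (!isset($allowed[$col])) {
            throw new InvalidArgumentException("Column not allowed in ORDER BY: '$col'");
        }
        // The optional group is absent from $m when no direction was given.
        $dir = isset($m[2]) ? strtoupper($m[2]) : 'ASC';
        $out[] = "$col $dir";
    }
    return implode(', ', $out);
}

// Constructed sample inputs for the demonstration.
$allowed = ['id', 'timecreated', 'fullname'];

// Accepted: every element is an allow-listed column with an optional direction.
echo clean_orderby('timecreated DESC, id', $allowed), "\n";   // timecreated DESC, id ASC

// Rejected: constructed attempts to smuggle SQL, or a non-sortable column,
// through the sort parameter.
$attempts = [
    'id; DROP TABLE mdl_user',
    '(SELECT password FROM mdl_user LIMIT 1)',
    'id -- comment',
    'password',
];
foreach ($attempts as $bad) {
    try {
        clean_orderby($bad, $allowed);
        echo "UNEXPECTEDLY ACCEPTED: $bad\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

      Because the returned string is reassembled from the matched identifier and a fixed direction keyword, the caller can concatenate it into `ORDER BY` without further escaping; the untrusted bytes themselves never reach the query. If table-qualified names such as `u.id` are needed, the identifier pattern and the allow list should be extended deliberately rather than by loosening the regular expression.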

      Attachments

        1. coverage.png (17 kB)
        2. MDL-72096-310.mdk.patch (12 kB)
        3. MDL-72096-311.mdk.patch (12 kB)
        4. MDL-72096-39.mdk.patch (12 kB)
        5. MDL-72096-master.mdk.patch (12 kB)

      People

        Michael Hawkins (michaelh)
        Eloy Lafuente (stronk7)
        Paul Holden
        CiBoT
        Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Sujith Haridasan
        Votes: 6
        Watchers: 8

      Dates

        Resolved: 17/Jan/22

      Time Tracking

        Original Estimate: Not Specified
        Remaining Estimate: 0m
        Time Spent: 2d 18m