Headline
CVE-2023-4928: Fix SQL Injection in datagrid advanced filter · instantsoft/icms2@3a6b148
SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1.
Expand Up @@ -2,51 +2,50 @@
class actionModerationLogs extends cmsAction {
public function run($target_controller = null, $target_subject = null, $target_id = null, $moderator_id = null){ public function run($target_controller = null, $target_subject = null, $target_id = null, $moderator_id = null) {
cmsCore::loadAllControllersLanguages();
$grid = $this->loadDataGrid(‘logs’);
$url = href_to($this->root_url, ‘logs’); $sub_url = array(); $url_query = array(); $additional_h1 = array(); $url = href_to($this->root_url, ‘logs’); $sub_url = []; $url_query = []; $additional_h1 = []; $subj_controller = null;
$action = $this->request->get('action’, -1); $action = $this->request->get('action’, -1); $only_to_delete = $this->request->get('only_to_delete’, 0); if($action > -1){
if ($action > -1) {
$this->model->filterEqual('action’, $action);
if($only_to_delete){ if ($only_to_delete) {
$this->model->filterNotNull(‘date_expired’);
$url_query[‘only_to_delete’] = $only_to_delete;
}
$additional_h1[] = string_lang('LANG_MODERATION_ACTION_’.$action); $additional_h1[] = string_lang(‘LANG_MODERATION_ACTION_’ . $action);
$url_query[‘action’] = $action;
}
if(!empty($target_controller)){ if (!empty($target_controller)) {
$subj_controller = cmsCore::getController($target_controller);
$this->model->filterEqual('target_controller’, $target_controller);
$sub_url[] = $target_controller;
if(!empty($target_subject)){ if (!empty($target_subject)) {
$ctype = $subj_controller->getContentTypeForModeration($target_subject);
if($ctype){ if ($ctype) { $target_subject = $ctype[‘name’]; } else { return cmsCore::error404(); Expand All @@ -56,45 +55,42 @@ public function run($target_controller = null, $target_subject = null, $target_i
$sub_url[] = $target_subject;
if($ctype){ if ($ctype) { $additional_h1[] = $ctype[‘title’]; }
if(!empty($target_id)){ if (!empty($target_id)) {
$this->model->filterEqual('target_id’, $target_id);
$sub_url[] = $target_id;
$this->model->lockFilters();
$item = $this->model->getItem('moderators_logs’, function ($item, $model){ $item[‘data’] = cmsModel::yamlToArray($item[‘data’]); return $item; }); $item = $this->model->getItem('moderators_logs’, function ($item, $model) { $item[‘data’] = cmsModel::yamlToArray($item[‘data’]); return $item; });
if($item){ $additional_h1[] = $item[‘data’][‘title’]; } if ($item) { $additional_h1[] = $item[‘data’][‘title’]; }
$this->model->unlockFilters();
}
}
}
if(!empty($moderator_id)){ if (!empty($moderator_id)) {
$this->model->filterEqual('moderator_id’, $moderator_id);
if(count($sub_url) == 3){ if (count($sub_url) == 3) { $sub_url[] = $moderator_id; } elseif(count($sub_url) == 2){ } elseif (count($sub_url) == 2) { $sub_url[] = 0; $sub_url[] = $moderator_id; } elseif(count($sub_url) == 1){ } elseif (count($sub_url) == 1) { $sub_url[] = 0; $sub_url[] = 0; $sub_url[] = $moderator_id; Expand All @@ -107,67 +103,57 @@ public function run($target_controller = null, $target_subject = null, $target_i
$user = cmsCore::getModel(‘users’)->getuser($moderator_id);
if($user){ if ($user) { $additional_h1[] = $user[‘nickname’]; }
}
if ($this->request->isAjax()) {
$filter = array(); $filter = []; $filter_str = $this->request->get('filter’, ‘’);
if ($filter_str){ if ($filter_str) { parse_str($filter_str, $filter); $this->model->applyGridFilter($grid, $filter); $grid->applyGridFilter($this->model, $filter, ‘moderators_logs’); }
$total = $this->model->getCount(‘moderators_logs’); $perpage = isset($filter[‘perpage’]) ? $filter[‘perpage’] : admin::perpage; $pages = ceil($total / $perpage);
$this->model->joinUserLeft(‘moderator_id’);
$data = $this->model->get('moderators_logs’, function ($item, $model) use($subj_controller){ $data = $this->model->get(‘moderators_logs’, function ($item, $model) use ($subj_controller) {
$item[‘data’] = cmsModel::yamlToArray($item[‘data’]);
$item[‘controller_title’] = string_lang($item[‘target_controller’].’_CONTROLLER’); $item[‘controller_title’] = string_lang($item[‘target_controller’] . ‘_CONTROLLER’);
$item[‘subject_title’] = $item[‘controller_title’];
if($subj_controller !== null){ if ($subj_controller !== null) {
$ctype = $subj_controller->getContentTypeForModeration($item[‘target_subject’]);
$item[‘subject_title’] = $ctype[‘title’];
}
return $item; }) ?: [];
});
$this->cms_template->renderGridRowsJSON($grid, $data, $total, $pages);
$this->halt();
return $this->cms_template->renderJSON($grid->makeGridRows($data, $total)); }
if($additional_h1){ if ($additional_h1) { $this->cms_template->setPageH1($additional_h1); }
$this->model->resetFilters();
return $this->cms_template->render('backend/logs’, array( return $this->cms_template->render('backend/logs’, [ ‘grid’ => $grid, ‘sub_url’ => $sub_url, ‘url_query’ => $url_query, ‘url’ => $url.($sub_url ? '/’.implode('/’, $sub_url) : ‘’).(($action > -1) ? '?’.http_build_query($url_query) : ‘’) ));
‘url’ => $url . ($sub_url ? ‘/’ . implode('/’, $sub_url) : ‘’) . (($action > -1) ? ‘?’ . http_build_query($url_query) : ‘’) ]); }
}