From 51097effbd0b67ac4b0d281b453ac396ad1e1551 Mon Sep 17 00:00:00 2001
From: "justdave%bugzilla.org"
Date: Mon, 9 Jan 2006 02:25:47 +0000
Subject: [PATCH] Bug 322734: sanitize sort order input r=timeless

---
 webtools/despot/despot.cgi | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/webtools/despot/despot.cgi b/webtools/despot/despot.cgi
index 23246fa42719..ab04c70e4ed1 100755
--- a/webtools/despot/despot.cgi
+++ b/webtools/despot/despot.cgi
@@ -527,17 +527,7 @@ sub ListSomething {
 }
 }
 
- print h1("List of $tablename");
 
- my $sortorder = $defaultsortorder;
- if (defined $F::sortorder) {
- # XXX this *absolutely* needs sanitization
- # sort order is going to be a list of column names
- # comma separated list of things that match stuff in the select part
- # may or may not have " asc" or " desc" on the end of it
- $sortorder = $F::sortorder;
- }
-
 my $query = $::db->prepare("SHOW COLUMNS FROM $tablename");
 $query->execute();
 my @allcols = ();
@@ -546,6 +536,24 @@ sub ListSomething {
 push(@allcols, $row[0]);
 }
 
+ my $sortorder = $defaultsortorder;
+ if (defined $F::sortorder) {
+ $sortorder = $F::sortorder;
+ my @sortorder = ();
+ my @passedsortorder = split(",",$sortorder);
+ foreach my $column (@passedsortorder) {
+ my $dir = "";
+ if ($column =~ m/(\S+)( ASC| DESC)$/i) {
+ ($column, $dir) = ($1, $2);
+ }
+ if (!grep {$column eq $_} @allcols) {
+ die "Invalid sort order passed";
+ }
+ push @sortorder, $column.$dir;
+ }
+ $sortorder = join(",",@sortorder);
+ }
+
 my $hiddencols = "";
 if (defined @F::showcolumns) {
 @cols = @F::showcolumns;
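Review bot: A sortorder parameter that is present but empty (or consists only of commas that split() drops) leaves @sortorder empty, so the final `$sortorder = join(",",@sortorder);` produces an empty string that reaches the ORDER BY clause instead of falling back to the default; I would write that line as `$sortorder = @sortorder ? join(",", @sortorder) : $defaultsortorder;`. Allowlisting each name against @allcols, which is filled from SHOW COLUMNS a few lines above, is the right approach, and because the string is rebuilt solely from matched names and the captured direction keyword, nothing else from the form value reaches the query. The direction regex `m/(\S+)( ASC| DESC)$/i` is unanchored on the left, so an entry such as `foo bar DESC` silently yields the column `bar` (harmless under the allowlist, but unintended), while a leading space after a comma in an undirected entry makes the `eq` test fail and die; `m/\A\s*(\S+)(?:\s+(ASC|DESC))?\s*\z/i` with the direction re-added as `" $2"` when captured would make the accepted grammar explicit and tolerant of such whitespace. A comment above the loop stating the contract would help the next reader, e.g. `# Rebuild the ORDER BY list only from column names returned by SHOW COLUMNS plus an optional matched ASC/DESC; anything else dies.` ListSomething begins and ends outside this hunk.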