Diffstat (limited to 'rt/lib/RT/SearchBuilder.pm')
-rw-r--r--rt/lib/RT/SearchBuilder.pm57
1 files changed, 8 insertions, 49 deletions
diff --git a/rt/lib/RT/SearchBuilder.pm b/rt/lib/RT/SearchBuilder.pm
index e4a17f464..da542ea4e 100644
--- a/rt/lib/RT/SearchBuilder.pm
+++ b/rt/lib/RT/SearchBuilder.pm
@@ -65,7 +65,7 @@
package RT::SearchBuilder;
use RT::Base;
-use DBIx::SearchBuilder "1.40";
+use DBIx::SearchBuilder "1.50";
use strict;
use warnings;
@@ -85,17 +85,6 @@ sub _Init {
$self->SUPER::_Init( 'Handle' => $RT::Handle);
}
-sub OrderByCols {
- my $self = shift;
- my @sort;
- for my $s (@_) {
- next if defined $s->{FIELD} and $s->{FIELD} =~ /\W/;
- $s->{FIELD} = $s->{FUNCTION} if $s->{FUNCTION};
- push @sort, $s;
- }
- return $self->SUPER::OrderByCols( @sort );
-}
-
=head2 LimitToEnabled
Only find items that haven't been disabled
@@ -285,47 +274,14 @@ This Limit sub calls SUPER::Limit, but defaults "CASESENSITIVE" to 1, thus
making sure that by default lots of things don't do extra work trying to
match lower(colname) agaist lc($val);
-We also force VALUE to C<NULL> when the OPERATOR is C<IS> or C<IS NOT>.
-This ensures that we don't pass invalid SQL to the database or allow SQL
-injection attacks when we pass through user specified values.
-
=cut
sub Limit {
my $self = shift;
- my %ARGS = (
- CASESENSITIVE => 1,
- OPERATOR => '=',
- @_,
- );
-
- # We use the same regex here that DBIx::SearchBuilder uses to exclude
- # values from quoting
- if ( $ARGS{'OPERATOR'} =~ /IS/i ) {
- # Don't pass anything but NULL for IS and IS NOT
- $ARGS{'VALUE'} = 'NULL';
- }
+ my %args = ( CASESENSITIVE => 1,
+ @_ );
- if ($ARGS{FUNCTION}) {
- ($ARGS{ALIAS}, $ARGS{FIELD}) = split /\./, delete $ARGS{FUNCTION}, 2;
- $self->SUPER::Limit(%ARGS);
- } elsif ($ARGS{FIELD} =~ /\W/
- or $ARGS{OPERATOR} !~ /^(=|<|>|!=|<>|<=|>=
- |(NOT\s*)?LIKE
- |(NOT\s*)?(STARTS|ENDS)WITH
- |(NOT\s*)?MATCHES
- |IS(\s*NOT)?
- |IN)$/ix) {
- $RT::Logger->crit("Possible SQL injection attack: $ARGS{FIELD} $ARGS{OPERATOR}");
- $self->SUPER::Limit(
- %ARGS,
- FIELD => 'id',
- OPERATOR => '<',
- VALUE => '0',
- );
- } else {
- $self->SUPER::Limit(%ARGS);
- }
+ return $self->SUPER::Limit(%args);
}
=head2 ItemsOrderBy
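Review bot: The rewritten Limit keeps only the CASESENSITIVE default and passes everything else straight to SUPER::Limit, so the FIELD non-word check, the OPERATOR whitelist, the forced `VALUE => 'NULL'` for IS/IS NOT, the FUNCTION-to-ALIAS/FIELD split and the `$RT::Logger->crit` call are all gone, and the POD paragraph that documented the injection guarantee is removed with them. If the intent is that the newly pinned DBIx::SearchBuilder 1.50 performs this validation, the new code should say so, e.g. `# FIELD/OPERATOR validation and NULL forcing for IS/IS NOT are delegated to DBIx::SearchBuilder >= 1.50 (see the version pin at the top of the file)`; if 1.50 does not reject a FIELD or OPERATOR containing arbitrary characters, callers that pass user-supplied values through Limit lose their last line of defence and the same concern applies to the removed OrderByCols override in the previous hunk. Even when the upstream check exists, dropping the crit log removes the signal operators used to spot attempted injection, so consider keeping a warning on the rejected path if the superclass exposes it. Callers that relied on FUNCTION being split into ALIAS and FIELD here should be confirmed against the 1.50 Limit interface, which this hunk does not show.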
@@ -389,6 +345,9 @@ sub _DoCount {
return $self->SUPER::_DoCount(@_);
}
-RT::Base->_ImportOverlays();
+eval "require RT::SearchBuilder_Vendor";
+die $@ if ($@ && $@ !~ qr{^Can't locate RT/SearchBuilder_Vendor.pm});
+eval "require RT::SearchBuilder_Local";
+die $@ if ($@ && $@ !~ qr{^Can't locate RT/SearchBuilder_Local.pm});
1;
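Review bot: The added overlay loading uses a string eval (`eval "require RT::SearchBuilder_Vendor"`) where a block eval expresses the same thing without compiling code from a string, and the `qr{...}` pattern leaves the `.` in `SearchBuilder_Vendor.pm` unescaped; the same applies to the `_Local` pair two lines down. A block form such as `eval { require RT::SearchBuilder_Vendor; 1 }` followed by `or $@ =~ m{^Can't locate RT/SearchBuilder_Vendor\.pm} or die $@;` keeps the behaviour of tolerating only the missing overlay itself while still dying on any other load error. This also replaces `RT::Base->_ImportOverlays()`, so if other modules in the tree still rely on that helper, this file now loads overlays by a different mechanism and a short comment explaining why would help the next reader.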