fixed sql injection, readjust tabs (#14941)

pimcore · Apr 19, 2023 · 21e35af · 21e35af
1 parent 5c4991b
commit 21e35af
Showing 1 changed file with 17 additions and 10 deletions.
diff --git a/bundles/AdminBundle/Controller/Admin/Asset/AssetController.php b/bundles/AdminBundle/Controller/Admin/Asset/AssetController.php
@@ -2109,10 +2109,10 @@ public function downloadAsZipJobsAction(Request $request)
                 $userIds = $this->getAdminUser()->getRoles();
                 $userIds[] = $this->getAdminUser()->getId();
                 $conditionFilters[] = ' (
-                                                    (select list from users_workspaces_asset where userId in (' . implode(',', $userIds) . ') and LOCATE(CONCAT(path, filename),cpath)=1  ORDER BY LENGTH(cpath) DESC LIMIT 1)=1
-                                                    OR
-                                                    (select list from users_workspaces_asset where userId in (' . implode(',', $userIds) . ') and LOCATE(cpath,CONCAT(path, filename))=1  ORDER BY LENGTH(cpath) DESC LIMIT 1)=1
-                                                 )';
+                    (select list from users_workspaces_asset where userId in (' . implode(',', $userIds) . ') and LOCATE(CONCAT(path, filename),cpath)=1  ORDER BY LENGTH(cpath) DESC LIMIT 1)=1
+                    OR
+                    (select list from users_workspaces_asset where userId in (' . implode(',', $userIds) . ') and LOCATE(cpath,CONCAT(path, filename))=1  ORDER BY LENGTH(cpath) DESC LIMIT 1)=1
+                )';
             }
 
             $condition = implode(' AND ', $conditionFilters);
@@ -2177,23 +2177,30 @@ public function downloadAsZipAddFilesAction(Request $request)
 
                 $db = \Pimcore\Db::get();
                 $conditionFilters = [];
-
                 $selectedIds = $request->get('selectedIds', []);
 
                 if (!empty($selectedIds)) {
                     $selectedIds = explode(',', $selectedIds);
+
+                    $quotedSelectedIds = [];
+                    foreach ($selectedIds as $selectedId) {
+                        if ($selectedId) {
+                            $quotedSelectedIds[] = $db->quote($selectedId);
+                        }
+                    }
+
                     //add a condition if id numbers are specified
-                    $conditionFilters[] = 'id IN (' . implode(',', $selectedIds) . ')';
+                    $conditionFilters[] = 'id IN (' . implode(',', $quotedSelectedIds) . ')';
                 }
                 $conditionFilters[] = "type != 'folder' AND path LIKE " . $db->quote(Helper::escapeLike($parentPath) . '/%');
                 if (!$this->getAdminUser()->isAdmin()) {
                     $userIds = $this->getAdminUser()->getRoles();
                     $userIds[] = $this->getAdminUser()->getId();
                     $conditionFilters[] = ' (
-                                                    (select list from users_workspaces_asset where userId in (' . implode(',', $userIds) . ') and LOCATE(CONCAT(path, filename),cpath)=1  ORDER BY LENGTH(cpath) DESC LIMIT 1)=1
-                                                    OR
-                                                    (select list from users_workspaces_asset where userId in (' . implode(',', $userIds) . ') and LOCATE(cpath,CONCAT(path, filename))=1  ORDER BY LENGTH(cpath) DESC LIMIT 1)=1
-                                                 )';
+                        (select list from users_workspaces_asset where userId in (' . implode(',', $userIds) . ') and LOCATE(CONCAT(path, filename),cpath)=1  ORDER BY LENGTH(cpath) DESC LIMIT 1)=1
+                        OR
+                        (select list from users_workspaces_asset where userId in (' . implode(',', $userIds) . ') and LOCATE(cpath,CONCAT(path, filename))=1  ORDER BY LENGTH(cpath) DESC LIMIT 1)=1
+                    )';
                 }
 
                 $condition = implode(' AND ', $conditionFilters);