From 581108bb3a6a44487aa355ad564f193027353dc3 Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Wed, 28 Aug 2019 15:31:29 +0530
Subject: [PATCH] Parametes sanitized on Settings Page

---
 modules/Settings/Vtiger/models/Module.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/modules/Settings/Vtiger/models/Module.php b/modules/Settings/Vtiger/models/Module.php
index f6a276f33..1c65dae1f 100644
--- a/modules/Settings/Vtiger/models/Module.php
+++ b/modules/Settings/Vtiger/models/Module.php
@@ -150,19 +150,26 @@ class Settings_Vtiger_Module_Model extends Vtiger_Base_Model {
 $moduleName = $request->getModule();
 $qualifiedModuleName = $request->getModule(false);
- $whereCondition .= "linkto LIKE '%$moduleName%' AND (linkto LIKE '%parent=Settings%' OR linkto LIKE '%parenttab=Settings%')";
+ $arrayParams = array();
+ $whereCondition .= "linkto LIKE ? ";
+ $arrayParams[] = "%$moduleName%";
+ if ($moduleName != 'LanguageEditor') {
+ $whereCondition .= "AND (linkto LIKE '%parent=Settings%' OR linkto LIKE '%parenttab=Settings%')";
+ }
 $db = PearDatabase::getInstance();
 $query = "SELECT vtiger_settings_blocks.label AS blockname, vtiger_settings_field.name AS menu FROM vtiger_settings_blocks INNER JOIN vtiger_settings_field ON vtiger_settings_field.blockid=vtiger_settings_blocks.blockid WHERE $whereCondition";
- $result = $db->pquery($query, array());
+ $result = $db->pquery($query, $arrayParams);
 $numOfRows = $db->num_rows($result);
 if ($numOfRows == 1) {
 $finalResult = array( 'block' => $db->query_result($result, 0, 'blockname'),
 'menu' => $db->query_result($result, 0, 'menu'));
 } elseif ($numOfRows > 1) {
- $result = $db->pquery("$query AND linkto LIKE '%view=$view%'", array());
+ $query = "$query AND linkto LIKE ? ";
+ $arrayParams[] = "%view=$view%";
+ $result = $db->pquery($query, $arrayParams);
 $numOfRows = $db->num_rows($result);
 if ($numOfRows == 1) {
 $finalResult = array( 'block' => $db->query_result($result, 0, 'blockname'),
-- 
GitLab
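Review bot: The values bound at `$arrayParams[] = "%$moduleName%";` and `$arrayParams[] = "%view=$view%";` are no longer interpolated into the SQL text, but `%` and `_` inside `$moduleName` and `$view` still act as LIKE wildcards, so an unexpected value can widen the match (a bare `%` matches every row). Escaping the metacharacters before binding closes that gap, e.g. `$arrayParams[] = '%' . addcslashes($moduleName, '\\%_') . '%';` and likewise `$arrayParams[] = '%view=' . addcslashes($view, '\\%_') . '%';`, assuming the driver's default backslash ESCAPE character. The new `if ($moduleName != 'LanguageEditor')` branch changes which links the query matches and is unrelated to the parameterization, so it deserves a short comment explaining why LanguageEditor is exempt from the parent=Settings filter, and a strict `!==` comparison. The enclosing method starts and ends outside the hunk, and the part of `$whereCondition` built before it is not visible.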