tobias/friendica
1
0
Fork 0
Code Pull requests Activity

Only allow explicitly known order types through

Browse source
This commit is contained in:
Hank Grabowski 2023-02-28 13:10:45 -05:00
parent f0b3864c7a
commit 13672bccf4
1 changed files with 12 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
src/Module/BaseApi.php
View file

@ -129,7 +129,18 @@ class BaseApi extends BaseModule
$condition = DBA::mergeConditions($condition, ["`uri-id` > ?", intval($request['min_id'])]); $condition = DBA::mergeConditions($condition, ["`uri-id` > ?", intval($request['min_id'])]);
} }
} else { } else {
switch ($requested_order) {
case TimelineOrderByTypes::RECEIVED:
case TimelineOrderByTypes::CHANGED:
case TimelineOrderByTypes::EDITED:
case TimelineOrderByTypes::CREATED:
case TimelineOrderByTypes::COMMENTED:
$order_field = $requested_order; $order_field = $requested_order;
break;
default:
throw new \Exception("Unrecognized request order: $requested_order");
}
if (!empty($request['max_id'])) { if (!empty($request['max_id'])) {
$condition = DBA::mergeConditions($condition, ["`$order_field` < ?", DateTimeFormat::convert($request['max_id'], DateTimeFormat::MYSQL)]); $condition = DBA::mergeConditions($condition, ["`$order_field` < ?", DateTimeFormat::convert($request['max_id'], DateTimeFormat::MYSQL)]);
} }