FIX: appagebuilder SQL Injections

2026-02-19 11:51:28 +01:00
parent 26dd9c7656
commit cb209fbd1e
2 changed files with 13 additions and 10 deletions


@@ -98,7 +98,7 @@ if (Tools::getValue('leoajax') == 1) {
$sql = 'SELECT COUNT(cp.`id_product`) AS total, cp.`id_category` FROM `'._DB_PREFIX_.'product` p '.Shop::addSqlAssociation('product', 'p').' $sql = 'SELECT COUNT(cp.`id_product`) AS total, cp.`id_category` FROM `'._DB_PREFIX_.'product` p '.Shop::addSqlAssociation('product', 'p').'
LEFT JOIN `'._DB_PREFIX_.'category_product` cp ON p.`id_product` = cp.`id_product` LEFT JOIN `'._DB_PREFIX_.'category_product` cp ON p.`id_product` = cp.`id_product`
WHERE cp.`id_category` IN ('.pSQL($list_cat).') WHERE cp.`id_category` IN ('.implode(', ', array_map('intval', explode(',', $list_cat))).')
AND product_shop.`visibility` IN ("both", "catalog") AND product_shop.`visibility` IN ("both", "catalog")
AND product_shop.`active` = 1 AND product_shop.`active` = 1
GROUP BY cp.`id_category`'; GROUP BY cp.`id_category`';
@@ -111,6 +111,7 @@ if (Tools::getValue('leoajax') == 1) {
if ($leo_pro_cdown) { if ($leo_pro_cdown) {
$leo_pro_cdown = explode(',', $leo_pro_cdown); $leo_pro_cdown = explode(',', $leo_pro_cdown);
$leo_pro_cdown = array_unique($leo_pro_cdown); $leo_pro_cdown = array_unique($leo_pro_cdown);
$leo_pro_cdown = array_map('intval', $leo_pro_cdown); // fix sql injection
$leo_pro_cdown = implode(',', $leo_pro_cdown); $leo_pro_cdown = implode(',', $leo_pro_cdown);
$result['pro_cdown'] = $module->hookProductCdown($leo_pro_cdown); $result['pro_cdown'] = $module->hookProductCdown($leo_pro_cdown);
} }
@@ -118,6 +119,7 @@ if (Tools::getValue('leoajax') == 1) {
if ($leo_pro_color) { if ($leo_pro_color) {
$leo_pro_color = explode(',', $leo_pro_color); $leo_pro_color = explode(',', $leo_pro_color);
$leo_pro_color = array_unique($leo_pro_color); $leo_pro_color = array_unique($leo_pro_color);
$leo_pro_color = array_map('intval', $leo_pro_color); // fix sql injection
$leo_pro_color = implode(',', $leo_pro_color); $leo_pro_color = implode(',', $leo_pro_color);
$result['pro_color'] = $module->hookProductColor($leo_pro_color); $result['pro_color'] = $module->hookProductColor($leo_pro_color);
} }
@@ -125,6 +127,7 @@ if (Tools::getValue('leoajax') == 1) {
if ($product_list_image) { if ($product_list_image) {
$product_list_image = explode(',', $product_list_image); $product_list_image = explode(',', $product_list_image);
$product_list_image = array_unique($product_list_image); $product_list_image = array_unique($product_list_image);
$product_list_image = array_map('intval', $product_list_image); // fix sql injection
$product_list_image = implode(',', $product_list_image); $product_list_image = implode(',', $product_list_image);
# $leocustomajax = new Leocustomajax(); # $leocustomajax = new Leocustomajax();
@@ -135,6 +138,7 @@ if (Tools::getValue('leoajax') == 1) {
if ($product_one_img) { if ($product_one_img) {
$product_one_img = explode(',', $product_one_img); $product_one_img = explode(',', $product_one_img);
$product_one_img = array_unique($product_one_img); $product_one_img = array_unique($product_one_img);
$product_one_img = array_map('intval', $product_one_img); // fix sql injection
$product_one_img = implode(',', $product_one_img); $product_one_img = implode(',', $product_one_img);
$result['product_one_img'] = $module->hookProductOneImg($product_one_img); $result['product_one_img'] = $module->hookProductOneImg($product_one_img);
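Review bot: In the four `array_map('intval', …)` lines added at 111, 118, 125 and 135 the cast runs after `array_unique`, so values that differ only in formatting (`"1"`, `"01"`, `" 1"`) survive the dedup and then collapse to the same id, leaving repeated ids in the imploded list; casting first, `$leo_pro_cdown = array_unique(array_map('intval', $leo_pro_cdown));` (and likewise for the other three), keeps the list unique. The same `implode(', ', array_map('intval', explode(',', …)))` construction appears at line 98 here and again in the APPageBuilder file (the hunks at 1542, 2901, 2920, 3064 and 3366), which argues for one small helper such as `apPageHelper::intList(string $csv): string` instead of inline copies that can drift apart. Because the cast now happens only at the call site, `hookProductCdown`, `hookProductColor` and `hookProductOneImg` (outside this hunk) presumably still interpolate the string they receive, so casting inside them as well would cover any other caller that is not shown here. The `if (Tools::getValue('leoajax') == 1)` block enclosing these hunks starts and ends outside the hunk.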


@@ -1542,14 +1542,13 @@ class APPageBuilder extends Module implements WidgetInterface
} }
$product_id = implode(',', array_map('intval', $temp)); $product_id = implode(',', array_map('intval', $temp));
$where .= ' AND p.id_product '.(strpos($product_id, ',') === false ? '= '.(int)$product_id : 'IN ('.pSQL($product_id).')'); $where .= ' AND p.id_product '.(strpos($product_id, ',') === false ? '= '.(int)$product_id : 'IN ('.implode(', ', array_map('intval', explode(',', $product_id))).')');
} }
$value_by_manufacture = isset($params['value_by_manufacture']) ? $params['value_by_manufacture'] : 0; $value_by_manufacture = isset($params['value_by_manufacture']) ? $params['value_by_manufacture'] : 0;
if ($value_by_manufacture && isset($params['manufacture'])) { if ($value_by_manufacture && isset($params['manufacture'])) {
# We validate id_categories in apPageHelper::addonValidInt function. This function is used at any where $id_manufactures = apPageHelper::addonValidInt( $params['manufacture'] ); # We validate id_categories
$id_manufactures = apPageHelper::addonValidInt($params['manufacture']); $where .= ' AND p.id_manufacturer IN ('.implode(', ', array_map('intval', explode(',', $id_manufactures))).')';
$where .= ' AND p.id_manufacturer IN ('.pSQL($id_manufactures).')';
} }
$product_type = isset($params['product_type']) ? $params['product_type'] : ''; $product_type = isset($params['product_type']) ? $params['product_type'] : '';
$value_by_product_type = isset($params['value_by_product_type']) ? $params['value_by_product_type'] : 0; $value_by_product_type = isset($params['value_by_product_type']) ? $params['value_by_product_type'] : 0;
@@ -2901,7 +2900,7 @@ class APPageBuilder extends Module implements WidgetInterface
LEFT JOIN `'._DB_PREFIX_.'product_comment_grade` pcg ON (pcg.`id_product_comment` = pc.`id_product_comment`) LEFT JOIN `'._DB_PREFIX_.'product_comment_grade` pcg ON (pcg.`id_product_comment` = pc.`id_product_comment`)
LEFT JOIN `'._DB_PREFIX_.'product_comment_criterion` pcc ON (pcc.`id_product_comment_criterion` = pcg.`id_product_comment_criterion`) LEFT JOIN `'._DB_PREFIX_.'product_comment_criterion` pcc ON (pcc.`id_product_comment_criterion` = pcg.`id_product_comment_criterion`)
LEFT JOIN `'._DB_PREFIX_.'product_comment_criterion_lang` pccl ON (pccl.`id_product_comment_criterion` = pcg.`id_product_comment_criterion`) LEFT JOIN `'._DB_PREFIX_.'product_comment_criterion_lang` pccl ON (pccl.`id_product_comment_criterion` = pcg.`id_product_comment_criterion`)
WHERE pc.`id_product` in ('.pSQL($list_product).') WHERE pc.`id_product` in ('.implode(', ', array_map('intval', explode(',', $list_product))).')
AND pccl.`id_lang` = '.(int)$id_lang. AND pccl.`id_lang` = '.(int)$id_lang.
($validate == '1' ? ' AND pc.`validate` = 1' : ''))); ($validate == '1' ? ' AND pc.`validate` = 1' : '')));
} }
@@ -2920,7 +2919,7 @@ class APPageBuilder extends Module implements WidgetInterface
$result = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS(' $result = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS('
SELECT COUNT(pc.`id_product`) AS nbr, pc.`id_product` SELECT COUNT(pc.`id_product`) AS nbr, pc.`id_product`
FROM `'._DB_PREFIX_.'product_comment` pc FROM `'._DB_PREFIX_.'product_comment` pc
WHERE `id_product` in ('.pSQL($list_product).')'.($validate == '1' ? ' AND `validate` = 1' : '').' WHERE `id_product` in ('.implode(', ', array_map('intval', explode(',', $list_product))).')'.($validate == '1' ? ' AND `validate` = 1' : '').'
AND `grade` > 0 GROUP BY pc.`id_product`'); AND `grade` > 0 GROUP BY pc.`id_product`');
return $result; return $result;
} }
@@ -3064,7 +3063,7 @@ class APPageBuilder extends Module implements WidgetInterface
$link = new Link($protocol_link, $protocol_content); $link = new Link($protocol_link, $protocol_content);
$id_lang = Context::getContext()->language->id; $id_lang = Context::getContext()->language->id;
$where = ' WHERE i.`id_product` IN ('.pSQL($list_pro).') AND (ish.`cover`=0 OR ish.`cover` IS NULL) AND ish.`id_shop` = '.Context::getContext()->shop->id; $where = ' WHERE i.`id_product` IN ('.implode(', ', array_map('intval', explode(',', $list_pro))).') AND (ish.`cover`=0 OR ish.`cover` IS NULL) AND ish.`id_shop` = '.Context::getContext()->shop->id;
$order = ' ORDER BY i.`id_product`,`position`'; $order = ' ORDER BY i.`id_product`,`position`';
$limit = ' LIMIT 0,1'; $limit = ' LIMIT 0,1';
//get product info //get product info
@@ -3366,13 +3365,13 @@ class APPageBuilder extends Module implements WidgetInterface
AND sp.`reduction` > 0 AND sp.`reduction` > 0
) )
WHERE pl.`id_lang` = '.(int)$id_lang. WHERE pl.`id_lang` = '.(int)$id_lang.
' AND p.`id_product` in ('.pSQL($product_list).')'; ' AND p.`id_product` in ('.implode(', ', array_map('intval', explode(',', $product_list))).')';' AND p.`id_product` in ('.pSQL($product_list).')';
$result = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS($sql); $result = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS($sql);
if ($product_list) { if ($product_list) {
$tmp_img = array(); $tmp_img = array();
$cover_img = array(); $cover_img = array();
$where = ' WHERE i.`id_product` IN ('.pSQL($product_list).') AND ish.`id_shop` = '.Context::getContext()->shop->id; $where = ' WHERE i.`id_product` IN ('.implode(', ', array_map('intval', explode(',', $product_list))).') AND ish.`id_shop` = '.Context::getContext()->shop->id;
$order = ' ORDER BY i.`id_product`,`position`'; $order = ' ORDER BY i.`id_product`,`position`';
switch (Configuration::get('LEO_MINFO_SORT')) { switch (Configuration::get('LEO_MINFO_SORT')) {