MDL-71242 core_course: Validate the value of the sort argument

This change validates the value of the sort argument in course_get_recent_courses().
2025-04-15 05:25:08 +02:00 · 2021-05-12 17:46:31 +08:00 · 2021-05-12 17:46:31 +08:00 · 68c90578e7
commit 68c90578e7
parent 0afab1d0f9
1 changed files with 24 additions and 6 deletions
--- a/course/lib.php
+++ b/course/lib.php
@ -4736,21 +4736,39 @@ function course_get_recent_courses(int $userid = null, int $limit = 0, int $offs
        'showactivitydates', 'showcompletionconditions',
    ];

-    $sort = trim($sort);
    if (empty($sort)) {
        $sort = 'timeaccess DESC';
    } else {
+        // The SQL string for sorting can define sorting by multiple columns.
        $rawsorts = explode(',', $sort);
        $sorts = array();
+        // Validate and trim the sort parameters in the SQL string for sorting.
        foreach ($rawsorts as $rawsort) {
-            $rawsort = trim($rawsort);
-            $sorts[] = trim($rawsort);
+            $sort = trim($rawsort);
+            $sortparams = explode(' ', $sort);
+            // A valid sort statement can not have more than 2 params (ex. 'summary desc' or 'timeaccess').
+            if (count($sortparams) > 2) {
+                throw new invalid_parameter_exception(
+                    'Invalid structure of the sort parameter, allowed structure: fieldname [ASC|DESC].');
+            }
+            $sortfield = trim($sortparams[0]);
+            // Validate the value which defines the field to sort by.
+            if (!in_array($sortfield, $basefields)) {
+                throw new invalid_parameter_exception('Invalid field in the sort parameter, allowed fields: ' .
+                    implode(', ', $basefields) . '.');
+            }
+            $sortdirection = isset($sortparams[1]) ? trim($sortparams[1]) : '';
+            // Validate the value which defines the sort direction (if present).
+            $allowedsortdirections = ['asc', 'desc'];
+            if (!empty($sortdirection) && !in_array(strtolower($sortdirection), $allowedsortdirections)) {
+                throw new invalid_parameter_exception('Invalid sort direction in the sort parameter, allowed values: ' .
+                    implode(', ', $allowedsortdirections) . '.');
+            }
+            $sorts[] = $sort;
        }
        $sort = implode(',', $sorts);
    }

-    $orderby = "ORDER BY $sort";
-
    $ctxfields = context_helper::get_preload_record_columns_sql('ctx');

    $coursefields = 'c.' . join(',', $basefields);
@ -4783,7 +4801,7 @@ function course_get_recent_courses(int $userid = null, int $limit = 0, int $offs
                              AND ue.timestart < :now1
                              AND (ue.timeend = 0 OR ue.timeend > :now2)
                          ))
-            $orderby";
+          ORDER BY $sort";

    $now = round(time(), -2); // Improves db caching.
    $params = ['userid' => $userid, 'contextlevel' => CONTEXT_COURSE, 'visible' => 1, 'status' => ENROL_USER_ACTIVE,