Merged in bugfix/PMCORE-3014 (pull request #7925)

PMCORE-3014 Update the branches with release/3.6.4 Approved-by: Julio Cesar Laura Avendaño
2021-05-11 13:07:56 +00:00
parent e9c1bef6c5 af4d2ecf6c
commit 501fb65392
1 changed files with 9 additions and 2 deletions
--- a/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
+++ b/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
@@ -100,6 +100,10 @@ class SqlBlacklist extends Parser
            $signed = get_class($statement);
            foreach (Parser::$STATEMENT_PARSERS as $key => $value) {
                if ($signed === $value && in_array(strtoupper($key), $config['statements'])) {
+                    //SHOW statement is a special case, it does not require a table name
+                    if (strtoupper($key) === 'SHOW') {
+                        throw new Exception(G::loadTranslation('ID_INVALID_QUERY'));
+                    }
                    $notExecuteQuery = true;
                    break;
                }
@@ -116,13 +120,16 @@ class SqlBlacklist extends Parser
                if ($key === 'table' && is_string($value)) {
                    $callback($value);
                }
+                if ($key === 'token' && is_string($value)) {
+                    $callback($value);
+                }
            }
        };

        //verify system tables
        $tables = $config['tables'];
-        $fn($this->statements, function ($table) use ($tables) {
-            if (in_array($table, $tables)) {
+        $fn($this->statements, function ($table) use ($tables, $notExecuteQuery) {
+            if (in_array($table, $tables) && $notExecuteQuery) {
                throw new Exception(G::loadTranslation('ID_NOT_EXECUTE_QUERY', [$table]));
            }
        });