From af4d2ecf6ce12338beff5be54e1d8a253d0be250 Mon Sep 17 00:00:00 2001
From: Roly Rudy Gutierrez Pinto
Date: Mon, 10 May 2021 22:46:35 -0400
Subject: [PATCH] PMCORE-3014 Update the branches with release/3.6.4

---
 .../src/ProcessMaker/Validation/SqlBlacklist.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php b/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
index 6ebd17a96..b1fd7856e 100644
--- a/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
+++ b/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
@@ -100,6 +100,10 @@ class SqlBlacklist extends Parser
 $signed = get_class($statement);
 foreach (Parser::$STATEMENT_PARSERS as $key => $value) {
 if ($signed === $value && in_array(strtoupper($key), $config['statements'])) {
+//SHOW statement is a special case, it does not require a table name
+if (strtoupper($key) === 'SHOW') {
+throw new Exception(G::loadTranslation('ID_INVALID_QUERY'));
+}
 $notExecuteQuery = true;
 break;
 }
@@ -116,13 +120,16 @@ class SqlBlacklist extends Parser
 if ($key === 'table' && is_string($value)) {
 $callback($value);
 }
+if ($key === 'token' && is_string($value)) {
+$callback($value);
+}
 }
 };
 //verify system tables
 $tables = $config['tables'];
-$fn($this->statements, function ($table) use ($tables) {
-if (in_array($table, $tables)) {
+$fn($this->statements, function ($table) use ($tables, $notExecuteQuery) {
+if (in_array($table, $tables) && $notExecuteQuery) {
 throw new Exception(G::loadTranslation('ID_NOT_EXECUTE_QUERY', [$table]));
 }
 });
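Review bot: The new SHOW branch in the first hunk re-evaluates `strtoupper($key)` that the enclosing `if` already computed, and that enclosing check uses a loose `in_array(strtoupper($key), $config['statements'])`; hoisting `$upperKey = strtoupper($key);` before the `if` and using `in_array($upperKey, $config['statements'], true)` plus `if ($upperKey === 'SHOW') {` keeps both checks on the same value and removes PHP's loose string comparison from a blacklist decision. Because the SHOW check throws before `$notExecuteQuery = true;` is reached, a SHOW listed in `$config['statements']` is refused with `ID_INVALID_QUERY` instead of `ID_NOT_EXECUTE_QUERY`, and it is only refused at all if SHOW has an entry in `Parser::$STATEMENT_PARSERS`, which cannot be confirmed from this hunk; a comment such as `// SHOW is rejected outright: it carries no table name for the system-table check below` would make the intent explicit. `$notExecuteQuery` is now captured by the closure in the second hunk, so it must be initialised to `false` before the `foreach`; that initialisation is outside this hunk, so please confirm it exists, otherwise a query whose statement type is not blacklisted reads an undefined variable and the table check silently never fires. The enclosing method starts before and ends after both hunks.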