PMCORE-3014 Update the branches with release/3.6.4

Roly Rudy Gutierrez Pinto
2021-05-10 22:46:35 -04:00
parent eeff71541c
commit af4d2ecf6c


@@ -100,6 +100,10 @@ class SqlBlacklist extends Parser
$signed = get_class($statement); $signed = get_class($statement);
foreach (Parser::$STATEMENT_PARSERS as $key => $value) { foreach (Parser::$STATEMENT_PARSERS as $key => $value) {
if ($signed === $value && in_array(strtoupper($key), $config['statements'])) { if ($signed === $value && in_array(strtoupper($key), $config['statements'])) {
//SHOW statement is a special case, it does not require a table name
if (strtoupper($key) === 'SHOW') {
throw new Exception(G::loadTranslation('ID_INVALID_QUERY'));
}
$notExecuteQuery = true; $notExecuteQuery = true;
break; break;
} }
@@ -116,13 +120,16 @@ class SqlBlacklist extends Parser
if ($key === 'table' && is_string($value)) { if ($key === 'table' && is_string($value)) {
$callback($value); $callback($value);
} }
if ($key === 'token' && is_string($value)) {
$callback($value);
}
} }
}; };
//verify system tables //verify system tables
$tables = $config['tables']; $tables = $config['tables'];
$fn($this->statements, function ($table) use ($tables) { $fn($this->statements, function ($table) use ($tables, $notExecuteQuery) {
if (in_array($table, $tables)) { if (in_array($table, $tables) && $notExecuteQuery) {
throw new Exception(G::loadTranslation('ID_NOT_EXECUTE_QUERY', [$table])); throw new Exception(G::loadTranslation('ID_NOT_EXECUTE_QUERY', [$table]));
} }
}); });
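Review bot: In the second hunk the system-table check now depends on `$notExecuteQuery`, so a table listed in `$config['tables']` is rejected only when the statement type also matched `$config['statements']` in the loop above, whereas the old side enforced the table list for every statement. If that narrowing is intended, it deserves a comment beside the closure stating which statement types may still touch system tables. `$notExecuteQuery` should also be visibly set to `false` before the `foreach`, because its initialisation is outside the hunk and `use ($tables, $notExecuteQuery)` copies the value when the closure is created. The membership test is a loose, exact-match comparison; `if ($notExecuteQuery && in_array($table, $tables, true)) {` is safer, ideally after normalising the identifier's case and quoting (assuming the configured names are stored in one canonical form), since raw `token` strings now reach the same callback. The enclosing method starts and ends outside the visible hunks.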