Origin: vendor
Forwarded: not-needed
From: Gunnar Wolf <gwolf@debian.org>
Last-Update: 2014-11-21
Description: Fixes Drupal issue #829464
 Security improvement: Made the database API's orderBy() method sanitize the
 sort direction ("ASC" or "DESC") for queries built with db_select(), so that
 calling code does not have to.
 .
 Backported from 7.33.
Index: drupal7/includes/database/select.inc
===================================================================
--- drupal7.orig/includes/database/select.inc
+++ drupal7/includes/database/select.inc
@@ -377,7 +377,8 @@ interface SelectQueryInterface extends Q
    * @param $field
    *   The field on which to order.
    * @param $direction
-   *   The direction to sort. Legal values are "ASC" and "DESC".
+   *   The direction to sort. Legal values are "ASC" and "DESC". Any other value
+   *   will be converted to "ASC".
    * @return SelectQueryInterface
    *   The called object.
    */
@@ -1384,6 +1385,8 @@ class SelectQuery extends Query implemen
   }
 
   public function orderBy($field, $direction = 'ASC') {
+    // Only allow ASC and DESC, default to ASC.
+    $direction = strtoupper($direction) == 'DESC' ? 'DESC' : 'ASC';
     $this->order[$field] = $direction;
     return $this;
   }
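Review bot: The comparison on the added `$direction = strtoupper($direction) == 'DESC' ...` line uses loose `==`; strtoupper() always yields a string, so `===` is equivalent here and avoids the loose-comparison footgun: `$direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';`. A non-string such as an array passed as `$direction` would make strtoupper() emit a warning and return NULL, which then falls through to 'ASC' — acceptable, but a `(string)` cast or an `is_string()` guard would make that intent explicit rather than incidental. SelectQuery::orderBy() itself carries no docblock in this hunk; if it inherits the interface doc updated in the first hunk that is fine, otherwise a one-line `// Normalizes $direction to 'ASC' or 'DESC' (see SelectQueryInterface::orderBy()).` above the method would help readers of this class.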
Index: drupal7/includes/tablesort.inc
===================================================================
--- drupal7.orig/includes/tablesort.inc
+++ drupal7/includes/tablesort.inc
@@ -46,10 +46,9 @@ class TableSort extends SelectQueryExten
       // Based on code from db_escape_table(), but this can also contain a dot.
       $field = preg_replace('/[^A-Za-z0-9_.]+/', '', $ts['sql']);
 
-      // Sort order can only be ASC or DESC.
-      $sort = drupal_strtoupper($ts['sort']);
-      $sort = in_array($sort, array('ASC', 'DESC')) ? $sort : '';
-      $this->orderBy($field, $sort);
+      // orderBy() will ensure that only ASC/DESC values are accepted, so we
+      // don't need to sanitize that here.
+      $this->orderBy($field, $ts['sort']);
     }
     return $this;
   }
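Review bot: The new `// orderBy() will ensure ...` comment makes TableSort's safety depend on the wrapped query's implementation: TableSort extends SelectQueryExtender, so `$this->orderBy()` forwards to whatever SelectQueryInterface instance it decorates, and `$ts['sort']` is presumably taken from the request. The interface doc updated in the first hunk now states the normalization as a contract, so any driver-specific override of orderBy() must honour it; the comment could say so explicitly, e.g. `// orderBy() normalizes the direction to ASC/DESC (SelectQueryInterface contract), so no sanitizing is needed here.` Note also that an invalid direction previously produced an empty string and now yields 'ASC', a harmless but visible behaviour change for callers inspecting getOrderBy(). The enclosing method begins before this hunk.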
Index: drupal7/modules/simpletest/tests/database_test.test
===================================================================
--- drupal7.orig/modules/simpletest/tests/database_test.test
+++ drupal7/modules/simpletest/tests/database_test.test
@@ -1947,6 +1947,15 @@ class DatabaseSelectOrderedTestCase exte
 
     $this->assertEqual($num_records, 4, 'Returned the correct number of rows.');
   }
+
+  /**
+   * Tests that the sort direction is sanitized properly.
+   */
+  function testOrderByEscaping() {
+    $query = db_select('test')->orderBy('name', 'invalid direction');
+    $order_bys = $query->getOrderBy();
+    $this->assertEqual($order_bys['name'], 'ASC', 'Invalid order by direction is converted to ASC.');
+  }
 }
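Review bot: testOrderByEscaping() only pins the invalid-input case; the lowercase and 'DESC' paths of the new normalization are untested, so a regression that dropped the strtoupper() call, for example, would still pass. Two more assertions would cover them: `$this->assertEqual(db_select('test')->orderBy('name', 'desc')->getOrderBy(), array('name' => 'DESC'), 'Lowercase desc is normalized to DESC.');` and the same call with `'asc'` expecting 'ASC'. The enclosing class DatabaseSelectOrderedTestCase starts before this hunk.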
 
 /**
