Only allow explicitly known order types through

This commit is contained in:
Hank Grabowski 2023-02-28 13:10:45 -05:00
parent f0b3864c7a
commit 13672bccf4


@ -129,7 +129,18 @@ class BaseApi extends BaseModule
$condition = DBA::mergeConditions($condition, ["`uri-id` > ?", intval($request['min_id'])]); $condition = DBA::mergeConditions($condition, ["`uri-id` > ?", intval($request['min_id'])]);
} }
} else { } else {
$order_field = $requested_order; switch ($requested_order) {
case TimelineOrderByTypes::RECEIVED:
case TimelineOrderByTypes::CHANGED:
case TimelineOrderByTypes::EDITED:
case TimelineOrderByTypes::CREATED:
case TimelineOrderByTypes::COMMENTED:
$order_field = $requested_order;
break;
default:
throw new \Exception("Unrecognized request order: $requested_order");
}
if (!empty($request['max_id'])) { if (!empty($request['max_id'])) {
$condition = DBA::mergeConditions($condition, ["`$order_field` < ?", DateTimeFormat::convert($request['max_id'], DateTimeFormat::MYSQL)]); $condition = DBA::mergeConditions($condition, ["`$order_field` < ?", DateTimeFormat::convert($request['max_id'], DateTimeFormat::MYSQL)]);
} }
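Review bot: The new `switch` matches `$requested_order` with PHP's loose `==`, so the allow-list that now guards the backtick-interpolated `` `$order_field` `` on the `max_id` line is only as strict as the type of the incoming value; where `$requested_order` is read and whether it is already a string is outside this hunk, so a strict membership test removes the doubt in three lines: `if (!in_array($requested_order, [TimelineOrderByTypes::RECEIVED, TimelineOrderByTypes::CHANGED, TimelineOrderByTypes::EDITED, TimelineOrderByTypes::CREATED, TimelineOrderByTypes::COMMENTED], true)) { throw new \Exception("Unrecognized request order: $requested_order"); }` followed by `$order_field = $requested_order;`. A bare `\Exception` for a client-supplied order name will most likely surface as a server error rather than a rejected request; if this module hierarchy has a bad-request exception type, that is the better type to throw here, and the message should then carry the rejected value only if that path does not echo it back unescaped. The enclosing method of `BaseApi` begins before this hunk, so the origin of `$requested_order` could not be checked.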