Bug 149845 - buglist.cgi checks for ORDER validity are wrong

author bbaetz%student.usyd.edu.au <>

Sat, 8 Jun 2002 10:05:30 +0000 (10:05 +0000)

committer bbaetz%student.usyd.edu.au <>

Sat, 8 Jun 2002 10:05:30 +0000 (10:05 +0000)
author bbaetz%student.usyd.edu.au <>
Sat, 8 Jun 2002 10:05:30 +0000 (10:05 +0000)
committer bbaetz%student.usyd.edu.au <>
Sat, 8 Jun 2002 10:05:30 +0000 (10:05 +0000)
diff --git a/buglist.cgi b/buglist.cgi

index 917103fc225a592d10c21c0e26b5b4da6559083a..4656fc42a1a5599842cfc924496669f4fdf097d5 100755 (executable)
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -1309,11 +1309,13 @@ if ($order) {
      # by which to sort the results.
      ORDER: for ($order) {
          /\./ && do {
+            my @columnnames = map($columns->{lc($_)}->{'name'}, keys(%$columns));
              # A custom list of columns.  Make sure each column is valid.
-            foreach my $fragment (split(/[,\s]+/, $order)) {
-                next if $fragment =~ /^asc|desc$/i;
-                my @columnnames = map($columns->{lc($_)}->{'name'}, keys(%$columns));
-                if (!grep($_ eq $fragment, @columnnames)) {
+            foreach my $fragment (split(/,/, $order)) {
+                $fragment = trim($fragment);
+                # Accept an order fragment matching a column name, with
+                # asc|desc optionally following (to specify the direction)
+                if (!grep($fragment =~ /^\Q$_\E(\s+(asc|desc))?$/, @columnnames)) {
                      my $qfragment = html_quote($fragment);
                      my $error = "The custom sort order you specified in your "
                                . "form submission contains an invalid column "
author	bbaetz%student.usyd.edu.au <>
	Sat, 8 Jun 2002 10:05:30 +0000 (10:05 +0000)
committer	bbaetz%student.usyd.edu.au <>
	Sat, 8 Jun 2002 10:05:30 +0000 (10:05 +0000)