View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005909 | Composr | core | public | 2024-09-05 02:39 | 2024-11-02 21:26 |
| Reporter | Patrick Schmalstig | Assigned To | Patrick Schmalstig | ||
| Severity | Major-bug | ||||
| Status | resolved | Resolution | fixed | ||
| Product Version | 11.beta4 | ||||
| Fixed in Version | |||||
| Summary | 0005909: Screens using main_multi_content may trigger ORDERBY_HACK | ||||
| Description | Screens which use main_multi_content (e.g. downloads, galleries) may trigger an ORDERBY_HACK. This is because these modules may have their own custom sorting columns which do not use the banal ones defined in sources/content.php . This gets passed in as a parameter into the main_multi_content block which is then read by handle_abstract_sorting and then triggers an ORDERBY_HACK . This effectively breaks anything using main_multi_content if the default sort order is set to a non-banal sort. Fixing this is beyond my complexity. Adding in the column names into allowed_sorts would fix the issue but introduce another bug where read_abstract_sorting_params is expected (by handle_abstract_sorting) to return a banal sort but instead returns an explicit column name. Furthermore, there may be cases where it is impossible to resolve without doing some big refactoring (e.g. downloads has a file_size sort which does not match any banal sorts nor is it defined as a content_meta_aware field). | ||||
| Additional Information | Temporary workaround: Comment line 901 out in sources/content.php "log_hack_attack_and_exit('ORDERBY_HACK');" (after "if (($strict_error) && (!in_array($url_sort, $banal_default_sorts))) {"). This will prevent false-positive ORDERBY_HACK errors and instead fall back to using the first acceptable sorting mechanism. | ||||
| Tags | Roadmap: v11 | ||||
| Time estimation (hours) | |||||
| Sponsorship open | |||||
| related to | 0005020 | non-assigned | Sorting by title in galleries fail |
|
|
Bumped to a major bug. This actually triggers a mass flood of ORDERBY_HACK attacks just for one request, so one request could cause a user to get banned. Probably a separate bug in of itself. |
|
|
Automated response: Screens using main_multi_content may trigger ORDERBY_HACK A fundamental issue with how Composr was handling sorting resulted in some sorts triggering ORDERBY_HACK when the relevant template utilised main_multi_content. This fix makes a major refactoring of how sorting is done: - content.php now also implements sorting capabilities on an abstract level for id, title, category, image, author, submitter, add date, edit date, views, and order fields. - Some fallback sorts have been defined, so if we attempt to sort on a field which is not allowed, and we are not triggering a hack attack for it, then we will fall back to something we can sort by. - Content and resource hooks now define a additional_sort_fields property. This is a map of sortable name to custom SQL (without direction) (null: name of sortable is a field, and we want to sort directly on that). Also supports mapping a sortable name to a map of ASC and DESC to define separate SQL for ASC sort versus DESC sort, or when the module itself handles sorting instead (value of each will be blank). - These have been added to codebook_standards Sortables on database rows which are not content nor resources shall not use this standard and shall continue to operate as they previously did in v10. However, standards now expect that names of sortables never contain raw SQL queries anymore (for security reasons). |
|
|
Fixed in Git commit e24d7ca3f718f89259023559bb1642de37635951 (https://gitlab.com/composr-foundation/composr/commit/e24d7ca3f718f89259023559bb1642de37635951 - link will become active once code pushed to GitLab) |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-09-05 02:39 | Patrick Schmalstig | New Issue | |
| 2024-09-05 02:39 | Patrick Schmalstig | Status | non-assigned => assigned |
| 2024-09-05 02:39 | Patrick Schmalstig | Assigned To | => Chris Graham |
| 2024-09-05 02:44 | Patrick Schmalstig | Severity | Minor-bug => Major-bug |
| 2024-09-05 02:44 | Patrick Schmalstig | Note Added: 0009280 | |
| 2024-09-05 18:45 | Patrick Schmalstig | Tag Attached: Roadmap: v11 | |
| 2024-09-05 18:45 | Patrick Schmalstig | Relationship added | related to 0005020 |
