Only allow Events Columns for sort. Fixes GHSA-2qp3-fwpv-mc96. Fixes GHSA-9cmr-7437-v9fj

web/ajax/watch.php

@@ -46,14 +46,32 @@ $order = (isset($_REQUEST['order']) and (strtolower($_REQUEST['order']) == 'asc'
 // MAIN LOOP
 //
 
+// The names of the dB columns in the events table we are interested in
+$columns = array('Id', 'MonitorId', 'StorageId', 'Name', 'Cause', 'StartDateTime', 'EndDateTime', 'Length', 'Frames', 'AlarmFrames', 'TotScore', 'AvgScore', 'MaxScore', 'Archived', 'Emailed', 'Notes', 'DiskSpace');
+
+if ( $sort != 'Id' ) {
+  if (!in_array($sort, $columns)) {
+    ZM\Error('Invalid sort field: ' . $sort);
+    $sort = 'Id';
+  } else if ($sort == 'EndDateTime') {
+    if ($order == 'ASC') {
+      $sort = 'E.EndDateTime IS NULL, E.EndDateTime';
+    } else {
+      $sort = 'E.EndDateTime IS NOT NULL, E.EndDateTime';
+    }
+  } else {
+    $sort = 'E.'.$sort;
+  }
+}
 $where = 'WHERE MonitorId = '.$mid;
 $col_str = 'E.*';
 $sql = 'SELECT ' .$col_str. ' FROM `Events` AS E '.$where.' ORDER BY '.$sort.' '.$order. ' LIMIT ?';
 ZM\Debug('Calling the following sql query: ' .$sql);
 $rows = dbQuery($sql, array($limit));
-
 $returned_rows = array();
-foreach ( $rows as $row ) {
+
+if ($rows) {
+  foreach ( $rows as $row ) {
     $event = new ZM\Event($row['Id']);
 
     $scale = intval(5*100*ZM_WEB_LIST_THUMB_WIDTH / $event->Width());
@@ -69,7 +87,8 @@ foreach ( $rows as $row ) {
     $row['Length'] = gmdate('H:i:s', intval($row['Length']));
 
     $returned_rows[] = $row;
-} # end foreach row matching search
+  } # end foreach row matching search
+}
 
 $data['rows'] = $returned_rows;
 ajaxResponse($data);