FLEXIcontent / flexicontent-cck

Advanced content management for Joomla
http://www.flexicontent.org

Invalid `pageNum` parameter causes SQL errors and leaks the DB server information #1015

Closed akunzai closed 3 years ago

akunzai commented 3 years ago

Steps to reproduce

```
$ curl 'https://www.example.test/components/com_flexicontent/tasks/core.php?task=txtautocomplete&type=basic_index&text=e&lang=&pageNum='
Error: Could not find template "xxx".: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '-20, 20' at line 1

$ curl 'https://www.example.test/components/com_flexicontent/tasks/core.php?task=txtautocomplete&type=basic_index&text=e&lang=&pageNum=-1'
Error: Could not find template "xxx".: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '-40, 20' at line 1
```

We should make sure the pageNum starts with 1 to avoid SQL errors.
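One way to enforce the page floor proposed in the report and keep the database error text out of the HTTP response, as an added example that is not FLEXIcontent's code or the reporter's. The function names, `MAX_PAGE` and the generic error message are hypothetical; the page size of 20 and the `(pageNum - 1) * 20` offset are inferred from the `-20, 20` and `-40, 20` fragments in the error output above.

```php
<?php
// Added example, not FLEXIcontent code. PAGE_SIZE and the offset formula are
// inferred from the "-20, 20" / "-40, 20" fragments in the reported errors.
const PAGE_SIZE = 20;
const MAX_PAGE  = 1000; // assumed upper bound so the offset stays small

/** Return a page number in [1, MAX_PAGE]; anything else falls back to 1. */
function normalizePageNum($raw): int
{
    $page = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_PAGE],
    ]);
    return $page === false ? 1 : $page;
}

/** Build the LIMIT clause from validated integers only. */
function limitClause($rawPageNum): string
{
    $offset = (normalizePageNum($rawPageNum) - 1) * PAGE_SIZE;
    return sprintf('LIMIT %d, %d', $offset, PAGE_SIZE);
}

/** Run a query callback; log DB errors server-side, return a generic message. */
function runQuery(callable $query): array
{
    try {
        return ['ok' => true, 'rows' => $query()];
    } catch (Throwable $e) {
        error_log('txtautocomplete query failed: ' . $e->getMessage());
        return ['ok' => false, 'error' => 'Search is temporarily unavailable.'];
    }
}

// Constructed inputs: the two values from the report plus a few others.
foreach (['', '-1', '0', 'abc', '1', '3', '1 OR 1=1'] as $raw) {
    printf("pageNum=%-12s => %s\n", var_export($raw, true), limitClause($raw));
}

// Constructed failure: the driver message goes to the log, not to the client.
$result = runQuery(function () {
    throw new RuntimeException("SQL syntax error near '-20, 20' (constructed)");
});
echo $result['error'], "\n";
```

Every input other than `1` and `3` yields `LIMIT 0, 20`, so the negative offsets from the report can no longer reach the query.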