View Issue Details

ID: 5909
Project: Composr
Category: core
View Status: public
Last Update: 2024-11-02 21:26
Reporter: PDStig
Assigned To: PDStig
Priority: normal
Severity: major
Status: resolved
Resolution: fixed
Product Version: 11.beta4
Summary: 5909: Screens using main_multi_content may trigger ORDERBY_HACK
Description: Screens which use main_multi_content (e.g. downloads, galleries) may trigger an ORDERBY_HACK.

This is because these modules may have their own custom sorting columns which do not use the banal ones defined in sources/content.php . This gets passed in as a parameter into the main_multi_content block which is then read by handle_abstract_sorting and then triggers an ORDERBY_HACK .

This effectively breaks anything using main_multi_content if the default sort order is set to a non-banal sort.

Fixing this is beyond my complexity. Adding in the column names into allowed_sorts would fix the issue but introduce another bug where read_abstract_sorting_params is expected (by handle_abstract_sorting) to return a banal sort but instead returns an explicit column name.

Furthermore, there may be cases where it is impossible to resolve without doing some big refactoring (e.g. downloads has a file_size sort which does not match any banal sorts nor is it defined as a content_meta_aware field).
Additional Information: Temporary workaround: Comment line 901 out in sources/content.php "log_hack_attack_and_exit('ORDERBY_HACK');" (after "if (($strict_error) && (!in_array($url_sort, $banal_default_sorts))) {"). This will prevent false-positive ORDERBY_HACK errors and instead fall back to using the first acceptable sorting mechanism.
Tags: Roadmap: v11

Relationships

related to 5020 (Not Assigned, reported by Guest): Sorting by title in galleries fail

Activities

PDStig

2024-09-05 02:44

administrator   ~9280

Bumped to a major bug. This actually triggers a mass flood of ORDERBY_HACK attacks just for one request, so one request could cause a user to get banned. Probably a separate bug in and of itself.

admin

2024-11-02 21:26

administrator   ~9554

Automated response: Screens using main_multi_content may trigger ORDERBY_HACK

A fundamental issue with how Composr was handling sorting resulted in some sorts triggering ORDERBY_HACK when the relevant template utilised main_multi_content.

This fix makes a major refactoring of how sorting is done:

- content.php now also implements sorting capabilities on an abstract level for id, title, category, image, author, submitter, add date, edit date, views, and order fields.
- Some fallback sorts have been defined, so if we attempt to sort on a field which is not allowed, and we are not triggering a hack attack for it, then we will fall back to something we can sort by.
- Content and resource hooks now define an additional_sort_fields property. This is a map of sortable name to custom SQL (without direction) (null: name of sortable is a field, and we want to sort directly on that). Also supports mapping a sortable name to a map of ASC and DESC to define separate SQL for ASC sort versus DESC sort, or when the module itself handles sorting instead (value of each will be blank).
- These have been added to codebook_standards

Sortables on database rows which are not content nor resources shall not use this standard and shall continue to operate as they previously did in v10. However, standards now expect that names of sortables never contain raw SQL queries anymore (for security reasons).
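The following is an added illustration, written for this page and not code from Composr itself, of the allow-listed sort map the fix note above describes and of the two behaviours the original report contrasts: falling back to a known sort versus treating an unknown sort name as a hack attack. The map shape (null, custom SQL string, or an ASC/DESC map with blank strings for module-handled sorts) follows the note; everything else, including the names DOWNLOAD_SORTABLES, resolve_order_by and UnknownSortException, is an assumption for this example and does not correspond to Composr's real functions.

```php
<?php
// Added example, not Composr's own code. Function and constant names are
// hypothetical; only the map shape follows the fix note on this bug.
declare(strict_types=1);

final class UnknownSortException extends RuntimeException {}

/**
 * Sortable name => how to sort (constructed sample, mirroring the shape the
 * fix note describes). null: sort directly on a column of that name.
 * string: custom SQL with no direction. array: separate SQL for ASC/DESC;
 * blank strings mean the module sorts in PHP itself.
 * Keys are developer-chosen identifiers; they never come from the request.
 */
const DOWNLOAD_SORTABLES = [
    'title'      => null,
    'add_date'   => null,
    'file_size'  => 'd.file_size',
    'rating'     => ['ASC' => 'COALESCE(r.avg_rating, 0)', 'DESC' => 'COALESCE(r.avg_rating, 0)'],
    'popularity' => ['ASC' => '', 'DESC' => ''],
];

/**
 * Resolve an untrusted sort request such as "file_size DESC" into a safe
 * ORDER BY fragment. Returns ['sql' => ?string, 'name' => string, 'dir' => string];
 * 'sql' is null when the module handles the sort itself.
 *
 * Unknown names never reach SQL. In strict mode they raise (where a real
 * application would log a hack attack once); otherwise they fall back to
 * $default_name, as the fix note says the refactored code does.
 */
function resolve_order_by(string $request, array $sortables, string $default_name, bool $strict = false): array
{
    if (!array_key_exists($default_name, $sortables)) {
        throw new InvalidArgumentException('Default sort must itself be allow-listed');
    }

    $parts = preg_split('/\s+/', trim($request), 2);
    $name = $parts[0] ?? '';
    $dir = strtoupper($parts[1] ?? 'ASC');

    // A legitimate request is <identifier> [ASC|DESC]. Anything else (raw
    // column paths, punctuation, SQL fragments) cannot match an allow-listed
    // key, so the only thing that matters is what we do with a non-match.
    $valid_name = (bool) preg_match('/^[a-z_][a-z0-9_]*$/i', $name) && array_key_exists($name, $sortables);
    $valid_dir = ($dir === 'ASC' || $dir === 'DESC');
    if (!$valid_name || !$valid_dir) {
        if ($strict) {
            throw new UnknownSortException('Sort not allowed: ' . $request);
        }
        $name = $default_name;
        $dir = 'ASC';
    }

    $spec = $sortables[$name];
    if ($spec === null) {
        $sql = $name . ' ' . $dir;         // $name is a known key, not request text
    } elseif (is_string($spec)) {
        $sql = $spec . ' ' . $dir;
    } else {
        $custom = $spec[$dir] ?? '';
        $sql = ($custom === '') ? null : $custom . ' ' . $dir;
    }
    return ['sql' => $sql, 'name' => $name, 'dir' => $dir];
}

// Demonstration on constructed requests.
$cases = [
    'file_size DESC',        // custom SQL column: the case the report says was a false ORDERBY_HACK
    'title',                 // plain column, default direction
    'popularity ASC',        // module-handled: sql is null
    'd.file_size DESC',      // raw column path in the name: falls back
    'title; DROP TABLE x',   // injection attempt: falls back
];
foreach ($cases as $c) {
    $r = resolve_order_by($c, DOWNLOAD_SORTABLES, 'add_date');
    printf("%-22s => %s\n", $c, $r['sql'] ?? '(module handles ' . $r['name'] . ')');
}

try {
    resolve_order_by('d.file_size DESC', DOWNLOAD_SORTABLES, 'add_date', true);
} catch (UnknownSortException $e) {
    echo 'strict: ' . $e->getMessage() . "\n";
}
```

The point the bug turns on is the last two cases: with a fallback, a module-specific sortable that the generic layer does not know about is simply replaced by a safe default, while strict mode is reserved for input that could never have been a legitimate sortable. Either way the request text is only ever compared against keys and never concatenated into SQL, which is what the note means by sortable names no longer containing raw SQL.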

admin

2024-11-02 21:26

administrator   ~9555

Fixed in Git commit e24d7ca3f718f89259023559bb1642de37635951 (https://gitlab.com/composr-foundation/composr/commit/e24d7ca3f718f89259023559bb1642de37635951 - link will become active once code pushed to GitLab)

Issue History

Date Modified Username Field Change
2024-09-05 02:39 PDStig New Issue
2024-09-05 02:39 PDStig Status Not Assigned => Assigned
2024-09-05 02:39 PDStig Assigned To => Chris Graham
2024-09-05 02:44 PDStig Severity Minor Bug => Major Bug
2024-09-05 02:44 PDStig Note Added: 0009280
2024-09-05 18:45 PDStig Tag Attached: Roadmap: v11
2024-09-05 18:45 PDStig Relationship added related to 5020