From 32afb13b397dfbdc6dbee2f218d6a7e9b7e5f98a Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Thu, 23 Feb 2023 09:24:56 -0500
Subject: [PATCH] Sanitise attr input in FilterTerm to prefent SQL Injection. Fixes GHSA-222j-wh8m-xjrx
---
 web/includes/FilterTerm.php | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/web/includes/FilterTerm.php b/web/includes/FilterTerm.php
index a90905463..da85f9e5d 100644
--- a/web/includes/FilterTerm.php
+++ b/web/includes/FilterTerm.php
@@ -1,5 +1,4 @@ filter = $filter; $validConjunctionTypes = getFilterQueryConjunctionTypes();
@@ -33,6 +30,8 @@ class FilterTerm {
 $this->index = $index;
 if ($term) {
 $this->attr = isset($term['attr']) ? $term['attr'] : '';
+ $this->attr = preg_replace('/[^A-Za-z0-9\.]/', '', $this->attr, -1, $count);
+ if ($count) Error("Invalid characters removed from filter attr ${term['attr']}, possible hacking attempt.");
 $this->op = $term['op'];
 $this->val = $term['val'];
 if ( isset($term['cnj']) ) {
@@ -72,7 +71,7 @@ class FilterTerm {
 public function sql_values() {
 $values = array();
 if ( !isset($this->val) ) {
- Warning('No value in term'.$this->attr);
+ Warning('No value in term '.$this->attr);
 return $values;
 }
@@ -80,7 +79,6 @@ class FilterTerm {
 foreach ( $vals as $value ) {
 $value_upper = strtoupper($value);
 switch ( $this->attr ) {
- case 'AlarmedZoneId':
 $value = '(SELECT * FROM Stats WHERE EventId=E.Id AND ZoneId='.$value.' AND Score > 0 LIMIT 1)';
 break;
@@ -91,7 +89,6 @@ class FilterTerm {
 $value = '';
 break;
 case 'MonitorName':
- case 'MonitorName':
 case 'Name':
 case 'Cause':
 case 'Notes':
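Review bot: The new allowlist in the `@@ -33,6 +30,8 @@` hunk strips unexpected characters from `$this->attr` and then carries on, so an `attr` that never named a valid filter attribute still reaches `switch ( $this->attr )` and whatever SQL is built around it; reducing the value to `[A-Za-z0-9.]` blocks quoting and comment sequences but does not check that the remaining token is a known column. Since `sql_values` already enumerates the accepted attribute names in its `case` labels, a stronger fix would validate `$term['attr']` against that known set — the way the conjunction is checked against `getFilterQueryConjunctionTypes()` — and refuse or blank the term on a mismatch instead of only logging. Two smaller points on the added lines: `preg_replace` returns `null` on a PCRE error, which would leave `$this->attr` as `null` rather than a string, and `${term['attr']}` inside the double-quoted message is the `${}` interpolation form deprecated in PHP 8.2, so `{$term['attr']}` is the equivalent that keeps working. The constructor these lines belong to starts and ends outside the hunk.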