From 2c032aca5c6bd445e12924d91a5d47c7e9e59bd6 Mon Sep 17 00:00:00 2001
From: Patrick Figel
Date: Fri, 5 Jul 2019 20:49:44 +0200
Subject: [PATCH] security/core#59 - Fix SQL injection in civicrm/ajax/dedupefind

This fixes an SQL injection in civicrm/ajax/dedupefind by validating the order direction parameter.

Fixes #59
---
 CRM/Contact/Page/AJAX.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CRM/Contact/Page/AJAX.php b/CRM/Contact/Page/AJAX.php
index 3ac0326cf7..056b936901 100644
--- a/CRM/Contact/Page/AJAX.php
+++ b/CRM/Contact/Page/AJAX.php
@@ -724,7 +724,7 @@ LIMIT {$offset}, {$rowCount}
     foreach ($_REQUEST['order'] as $orderInfo) {
       if (!empty($orderInfo['column'])) {
         $orderColumnNumber = $orderInfo['column'];
-        $dir = $orderInfo['dir'];
+        $dir = CRM_Utils_Type::escape($orderInfo['dir'], 'MysqlOrderByDirection', FALSE);
       }
     }
     $columnDetails = CRM_Utils_Array::value($orderColumnNumber, $_REQUEST['columns']);
-- 
2.25.1
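Review bot: The new `$dir =` line passes `FALSE` as the abort flag, so a value that fails the `MysqlOrderByDirection` check is not rejected loudly; as far as I recall `CRM_Utils_Type::escape()` then returns NULL, which leaves `$dir` empty and hands the ORDER BY clause whatever the query builder outside this hunk does with an empty direction. Pinning a safe default keeps that path explicit, e.g. `$dir = CRM_Utils_Type::escape(CRM_Utils_Array::value('dir', $orderInfo), 'MysqlOrderByDirection', FALSE) ?: 'asc';`, and reading through `CRM_Utils_Array::value()` (already used on the last context line) also avoids the undefined-index notice when a request sends an `order` entry without `dir`. The column number taken on the line above still reaches `$_REQUEST['columns']` unvalidated on the last context line; whether the column name it resolves to is escaped before it enters the query is decided outside the hunk and deserves the same treatment. The enclosing function starts and ends outside the hunk.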