Merge pull request #4473 from magento-arcticfoxes/MC-17310

Joan He · web-flow · commit bbbbe684e4e2 · 2019-07-15T13:55:15.000-05:00
[arcticfoxes] Bug Fixes
diff --git a/app/code/Magento/Rule/Model/Condition/Sql/Builder.php b/app/code/Magento/Rule/Model/Condition/Sql/Builder.php
@@ -140,9 +140,11 @@ protected function _getMappedSqlCondition(AbstractCondition $condition, $value =
     {
         $argument = $condition->getMappedSqlField();
 
-        // If rule hasn't valid argument - create negative expression to prevent incorrect rule behavior.
+        // If rule hasn't valid argument - prevent incorrect rule behavior.
         if (empty($argument)) {
             return $this->_expressionFactory->create(['expression' => '1 = -1']);
+        } elseif (preg_match('/[^a-z0-9\-_\.\`]/i', $argument) > 0) {
+            throw new \Magento\Framework\Exception\LocalizedException(__('Invalid field'));
         }
 
         $conditionOperator = $condition->getOperatorForValidate();
@@ -183,6 +185,7 @@ protected function _getMappedSqlCondition(AbstractCondition $condition, $value =
      * @param bool $isDefaultStoreUsed
      * @return string
      * @SuppressWarnings(PHPMD.NPathComplexity)
+     * @throws \Magento\Framework\Exception\LocalizedException
      */
     protected function _getMappedSqlCombination(Combine $combine, $value = '', $isDefaultStoreUsed = true)
     {

Original file line number	Diff line number	Diff line change
`@@ -140,9 +140,11 @@ protected function _getMappedSqlCondition(AbstractCondition $condition, $value =`
`140`	`140`	`{`
`141`	`141`	`$argument = $condition->getMappedSqlField();`
`142`	`142`
`143`		`- // If rule hasn't valid argument - create negative expression to prevent incorrect rule behavior.`
	`143`	`+ // If rule hasn't valid argument - prevent incorrect rule behavior.`
`144`	`144`	`if (empty($argument)) {`
`145`	`145`	`return $this->_expressionFactory->create(['expression' => '1 = -1']);`
	`146`	+ } elseif (preg_match('/[^a-z0-9\-_\.\`]/i', $argument) > 0) {
	`147`	`+ throw new \Magento\Framework\Exception\LocalizedException(__('Invalid field'));`
`146`	`148`	`}`
`147`	`149`
`148`	`150`	`$conditionOperator = $condition->getOperatorForValidate();`
`@@ -183,6 +185,7 @@ protected function _getMappedSqlCondition(AbstractCondition $condition, $value =`
`183`	`185`	`* @param bool $isDefaultStoreUsed`
`184`	`186`	`* @return string`
`185`	`187`	`* @SuppressWarnings(PHPMD.NPathComplexity)`
	`188`	`+ * @throws \Magento\Framework\Exception\LocalizedException`
`186`	`189`	`*/`
`187`	`190`	`protected function _getMappedSqlCombination(Combine $combine, $value = '', $isDefaultStoreUsed = true)`
`188`	`191`	`{`