From: Hank Grabowski Date: Tue, 28 Feb 2023 18:10:45 +0000 (-0500) Subject: Only allow explicitly known order types through X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;ds=sidebyside;h=13672bccf4022edfdfdbef8ff490345e8e73c3d8;p=friendica.git Only allow explicitly known order types through
---
diff --git a/src/Module/BaseApi.php b/src/Module/BaseApi.php
index bfcb95eb2e..2be5c246a2 100644
--- a/src/Module/BaseApi.php
+++ b/src/Module/BaseApi.php
@@ -129,7 +129,18 @@ class BaseApi extends BaseModule
 $condition = DBA::mergeConditions($condition, ["`uri-id` > ?", intval($request['min_id'])]);
 }
 } else {
- $order_field = $requested_order;
+ switch ($requested_order) {
+ case TimelineOrderByTypes::RECEIVED:
+ case TimelineOrderByTypes::CHANGED:
+ case TimelineOrderByTypes::EDITED:
+ case TimelineOrderByTypes::CREATED:
+ case TimelineOrderByTypes::COMMENTED:
+ $order_field = $requested_order;
+ break;
+ default:
+ throw new \Exception("Unrecognized request order: $requested_order");
+ }
+
 if (!empty($request['max_id'])) {
 $condition = DBA::mergeConditions($condition, ["`$order_field` < ?", DateTimeFormat::convert($request['max_id'], DateTimeFormat::MYSQL)]);
 }
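Review bot: The `default:` arm throws a bare `\Exception` for a client-supplied value, which the API layer will most likely surface as a 500 instead of a 400 and which interpolates the raw value into the message; an `\InvalidArgumentException`, or the project's 400-mapped HTTP exception if the API base class catches it at this layer, would classify the failure correctly. The `switch` also compares loosely, so if `$requested_order` can arrive as something other than a string (not visible in the hunk) a value such as `true` would satisfy the first `case`; a strict `in_array(..., true)` allowlist removes that ambiguity. Because `$order_field` is spliced into the SQL identifier on the `max_id` line below, this allowlist is the only thing keeping that interpolation safe and deserves a comment saying so, e.g. `// Allowlist: $order_field is interpolated as a column name below, so only known constants may pass.`. The enclosing method begins and ends outside the hunk.
```php
} else {
    // Allowlist: $order_field is interpolated as a column name below, so only known constants may pass.
    $allowedOrders = [
        TimelineOrderByTypes::RECEIVED,
        TimelineOrderByTypes::CHANGED,
        TimelineOrderByTypes::EDITED,
        TimelineOrderByTypes::CREATED,
        TimelineOrderByTypes::COMMENTED,
    ];
    if (!in_array($requested_order, $allowedOrders, true)) {
        throw new \InvalidArgumentException("Unrecognized request order: $requested_order");
    }
    $order_field = $requested_order;

    // … unchanged: max_id condition …
```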