Merge pull request from GHSA-5v44-7647-xfw9

Cast ids into int
PrestaShop · Dec 3, 2020 · 7c2033d · 7c2033d
2 parents 3a2601f + 6d80c77
commit 7c2033d
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 5 deletions.
diff --git a/controllers/front/CommentGrade.php b/controllers/front/CommentGrade.php
@@ -38,6 +38,8 @@ public function display()
             return $this->ajaxRender(null);
         }
 
+        $idProducts = array_unique(array_map('intval', $idProducts));
+
         $productCommentRepository = $this->context->controller->getContainer()->get('product_comment_repository');
 
         $productsCommentsNb = $productCommentRepository->getCommentsNumberForProducts($idProducts, Configuration::get('PRODUCT_COMMENTS_MODERATE'));

diff --git a/controllers/front/ListComments.php b/controllers/front/ListComments.php
@@ -29,8 +29,8 @@ class ProductCommentsListCommentsModuleFrontController extends ModuleFrontContro
 {
     public function display()
     {
-        $idProduct = Tools::getValue('id_product');
-        $page = Tools::getValue('page', 1);
+        $idProduct = (int) Tools::getValue('id_product');
+        $page = (int) Tools::getValue('page', 1);
         $isLastNameAnynomus = Configuration::get('PRODUCT_COMMENTS_ANONYMISATION');
         /** @var ProductCommentRepository $productCommentRepository */
         $productCommentRepository = $this->context->controller->getContainer()->get('product_comment_repository');

diff --git a/productcomments.php b/productcomments.php
@@ -178,7 +178,7 @@ protected function _postProcess()
             $comment->delete();
         } elseif (Tools::isSubmit('submitEditCriterion')) {
             $criterion = new ProductCommentCriterion((int) Tools::getValue('id_product_comment_criterion'));
-            $criterion->id_product_comment_criterion_type = Tools::getValue('id_product_comment_criterion_type');
+            $criterion->id_product_comment_criterion_type = (int) Tools::getValue('id_product_comment_criterion_type');
             $criterion->active = Tools::getValue('active');
 
             $languages = Language::getLanguages();

diff --git a/src/Repository/ProductCommentRepository.php b/src/Repository/ProductCommentRepository.php
@@ -179,7 +179,7 @@ public function getAverageGrades(array $productIds, $validatedOnly)
         $count = count($productIds);
 
         foreach ($productIds as $index => $id) {
-            $esqID = pSQL($id);
+            $esqID = (int) $id;
 
             $sql .= ' SUM(IF(id_product = ' . $esqID . ' AND deleted = 0';
             if ($validatedOnly) {
@@ -247,7 +247,7 @@ public function getCommentsNumberForProducts(array $productIds, $validatedOnly)
         $count = count($productIds);
 
         foreach ($productIds as $index => $id) {
-            $esqID = pSQL($id);
+            $esqID = (int) $id;
 
             $sql .= ' SUM(IF(id_product = ' . $esqID . ' AND deleted = 0';
             if ($validatedOnly) {