From bd5461abd0f434a0f7dfe6e6db49be0c28cea33d Mon Sep 17 00:00:00 2001
From: "bugreport%peshkin.net" <>
Date: Tue, 12 Nov 2002 08:43:34 +0000
Subject: Second installment of Bug 179260 Unknown table 'map_assigned_to' in
 order clause at globals.pl line 242 r=bbaetz a=justdave

---
 buglist.cgi | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

(limited to 'buglist.cgi')

diff --git a/buglist.cgi b/buglist.cgi
index a8f28fbd7..50873387e 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -528,12 +528,6 @@ if ($order) {
                     else {
                         ThrowCodeError("invalid_column_name_form");
                     }
-                } elsif (!grep($fragment =~ /^\Q$_\E(\s+(asc|desc))?$/, @selectnames)) {
-                    # Add order columns to selectnames
-                    # The fragment has already been validated
-                    $fragment =~ s/\s+(asc|desc)$//;
-                    trick_taint($fragment);
-                    push @selectnames, $fragment;
                 }
             }
             # Now that we have checked that all columns in the order are valid,
@@ -560,6 +554,16 @@ if ($order) {
         # DEFAULT
         $order = "bugs.bug_status, bugs.priority, map_assigned_to.login_name, bugs.bug_id";
     }
+    foreach my $fragment (split(/,/, $order)) {
+        $fragment = trim($fragment);
+        if (!grep($fragment =~ /^\Q$_\E(\s+(asc|desc))?$/, @selectnames)) {
+            # Add order columns to selectnames
+            # The fragment has already been validated
+            $fragment =~ s/\s+(asc|desc)$//;
+            $fragment =~ tr/a-zA-Z\.0-9\-_//cd;
+            push @selectnames, $fragment;
+        }
+    }
 
     $db_order = $order;  # Copy $order into $db_order for use with SQL query
 
-- 
cgit v1.2.3-24-g4f1b