From d018f704c11eaca12d150b2258236e51f8b16751 Mon Sep 17 00:00:00 2001
From: ZeroPath <noreply@zeropath.com>
Date: Thu, 15 Jan 2026 21:28:03 +0000
Subject: [PATCH] Validate extra_where parameter in admin/security_center.php
 to prevent SQL injection

---
 admin/security_center.php | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/admin/security_center.php b/admin/security_center.php
index a289a52168..fc5ae73493 100644
--- a/admin/security_center.php
+++ b/admin/security_center.php
@@ -91,7 +91,25 @@
 
 if (isset($_GET['extra_where']) && $_GET['extra_where'] !== '')
 {
-  $where_clauses[] = $_GET['extra_where'];
+  $extra_where = trim($_GET['extra_where']);
+
+  // Only accept simple, safe conditions on the login attempts table (la).
+  // Allow comparisons like:
+  //   la.field = 'value'
+  //   la.field LIKE 'value%'
+  // and simple AND/OR chaining of those conditions.
+  // This rejects arbitrary SQL (UNION, JOIN, subqueries, comments, semicolons, etc.)
+  $clause_pattern = "/^\s*(?:la\\.[A-Za-z0-9_]+\\s*(?:=|!=|<>|<|>|<=|>=|LIKE)\\s*'[^']*'\\s*)(?:\\s+(?:AND|OR)\\s+(?:la\\.[A-Za-z0-9_]+\\s*(?:=|!=|<>|<|>|<=|>=|LIKE)\\s*'[^']*'\\s*))*$/i";
+
+  if (preg_match($clause_pattern, $extra_where))
+  {
+    $where_clauses[] = $extra_where;
+  }
+  else
+  {
+    // Unsafe extra_where ignored to prevent SQL injection attempts
+    $page['warnings'][] = l10n('Ignored unsafe filter parameter');
+  }
 }
 
 $where_sql = count($where_clauses) > 0 ? 'WHERE '.implode("\n  AND ", $where_clauses) : '';