GitLab

In file interface/lib/classes/listform.inc.php on line 155:

$_SESSION['search'][$list_name][$search_prefix.$field] = $_REQUEST[$search_prefix.$field];

and below on line 184:

$sql_where .= " $field ".$i['op']." '".$i['prefix'].$_SESSION['search'][$list_name][$search_prefix.$field].$i['suffix']."' and";

without input sanitization may causes function getSearchSQL() returning injected sql WHERE substring!

I put simple workaround under line 155:

if(preg_match("/['\\]/", $_SESSION['search'][$list_name][$search_prefix.$field])) $_SESSION['search'][$list_name][$search_prefix.$field] = '';