Merge pull request #295 from matomo-org/resolve-aikido-12726180

AltamashShaikh · web-flow · commit 178eb7befb26 · 2025-09-01T08:58:40.000+05:30
Code to resolved Aikido reported issue: 12726180
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 5.1.3 - 2025-09-01
 - Add support for Sentinel password
+- Security hardening
 
 5.1.2 - 2025-07-07
 - Textual changes
diff --git a/Queue/Backend/MySQL.php b/Queue/Backend/MySQL.php
@@ -99,7 +99,7 @@ public function appendValuesToList($key, $values)
     {
         $table = $this->makePrefixedKeyListTableName($key);
 
-        $query = sprintf('INSERT INTO %s (`list_value`) VALUES (?)', $table);
+        $query = sprintf('INSERT INTO `%s` (`list_value`) VALUES (?)', $table);
         foreach ($values as $value) {
             if (empty($value)) {
                 continue;
@@ -143,7 +143,7 @@ public function getFirstXValuesFromList($key, $numValues)
         }
 
         $table = $this->makePrefixedKeyListTableName($key);
-        $sql = sprintf('SELECT SQL_NO_CACHE list_value FROM %s ORDER BY idqueuelist ASC LIMIT %d OFFSET 0', $table, (int)$numValues);
+        $sql = sprintf('SELECT SQL_NO_CACHE list_value FROM `%s` ORDER BY idqueuelist ASC LIMIT %d OFFSET 0', $table, (int)$numValues);
 
         try {
             $values = Db::fetchAll($sql);
@@ -172,7 +172,7 @@ public function hasAtLeastXRequestsQueued($key, $numValuesRequired)
         }
 
         $table = $this->makePrefixedKeyListTableName($key);
-        $sql = sprintf('SELECT SQL_NO_CACHE idqueuelist FROM %s LIMIT %d', $table, (int)$numValuesRequired);
+        $sql = sprintf('SELECT SQL_NO_CACHE idqueuelist FROM `%s` LIMIT %d', $table, (int)$numValuesRequired);
 
         try {
             $values = Db::fetchAll($sql);
@@ -194,7 +194,7 @@ public function removeFirstXValuesFromList($key, $numValues)
         }
 
         $table = $this->makePrefixedKeyListTableName($key);
-        $sql = sprintf('DELETE FROM %s ORDER BY idqueuelist ASC LIMIT %d', $table, (int)$numValues);
+        $sql = sprintf('DELETE FROM `%s` ORDER BY idqueuelist ASC LIMIT %d', $table, (int)$numValues);
 
         try {
             Db::query($sql);
@@ -210,7 +210,7 @@ public function removeFirstXValuesFromList($key, $numValues)
     public function getNumValuesInList($key)
     {
         $table = $this->makePrefixedKeyListTableName($key);
-        $sql = sprintf('SELECT SQL_NO_CACHE max(idqueuelist) - min(idqueuelist) as num_entries FROM %s', $table);
+        $sql = sprintf('SELECT SQL_NO_CACHE max(idqueuelist) - min(idqueuelist) as num_entries FROM `%s`', $table);
         try {
             $value = Db::fetchOne($sql);
             if ($value === null || $value === false) {
