From 5d466ff01e534d8f047d702cc4b195d34bcef17c Mon Sep 17 00:00:00 2001
From: Nigel Horne
Date: Mon, 1 Apr 2024 05:41:01 -0700
Subject: [PATCH] Block "/**/ORDER/**/BY/**/" in the argument

---
 Changes | 1 +
 lib/CGI/Info.pm | 1 +
 2 files changed, 2 insertions(+)

diff --git a/Changes b/Changes
index 21c3136..e0fbca8 100644
--- a/Changes
+++ b/Changes
@@ -5,6 +5,7 @@ Revision history for CGI-Info
 Added t/version.t
 Added t/tabs.t
 Mark ias_crawler and ZoominfoBot as robots
+ Block "/**/ORDER/**/BY/**/" in the argument
 
 0.80 Fri Jan 19 08:05:29 EST 2024
 Added documentroot() as a synonym to rootdir()
diff --git a/lib/CGI/Info.pm b/lib/CGI/Info.pm
index aa4f7b0..a856240 100644
--- a/lib/CGI/Info.pm
+++ b/lib/CGI/Info.pm
@@ -757,6 +757,7 @@ sub params {
 ($value =~ /((\%27)|(\'))union/ix) ||
 ($value =~ /select[[a-z]\s\*]from/ix) ||
 ($value =~ /\sAND\s1=1/ix) ||
+ ($value =~ /\/\*\*\/ORDER\/\*\*\/BY\/\*\*/ix) ||
 ($value =~ /exec(\s|\+)+(s|x)p\w+/ix)) {
 if($self->{logger}) {
 if($ENV{'REMOTE_ADDR'}) {
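Review bot: The added pattern in the Info.pm hunk only matches the exact `/**/ORDER/**/BY/**/` spelling, so near-identical probes such as `/**/ORDER/**/BY 1`, `ORDER/*x*/BY`, or a percent-encoded `%2F%2A%2A%2FORDER...` pass straight through, whereas the neighbouring `union` check accepts both `%27` and `'`, which suggests `$value` may still be URL-encoded at this point. Treating any `/*...*/` comment as a separator and not demanding a trailing comment covers those variants and reads better with a non-slash delimiter, e.g. `($value =~ m{ /\*.*?\*/ \s* ORDER (?: \s | /\*.*?\*/ )+ BY }ix) ||`. Whatever signature is chosen, this whole chain is a denylist that attackers can route around, so it should be documented as a logging tripwire rather than the control that prevents SQL injection; a comment such as `# Heuristic SQLi tripwire for logging only; callers must still use parameterised queries` above the chain would keep future maintainers from relying on it. The body of `params` begins and ends outside this hunk.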