Make formatOrderClause() safer

Summary:
Ref T7803. Instead of trusting subqueries to provide safe values, escape them explicitly.

(We'll probably have a few cases somewhere where this doesn't work, but can make them the exception rather than the rule.)

Test Plan: Issued all "order" queries in Diffusion.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T7803

Differential Revision: https://secure.phabricator.com/D12351

src/applications/repository/query/PhabricatorRepositoryQuery.php

@@ -304,24 +304,28 @@ final class PhabricatorRepositoryQuery
         break;
       case self::ORDER_COMMITTED:
         $parts[] = array(
-          'name' => 's.epoch',
+          'table' => 's',
+          'column' => 'epoch',
         );
         break;
       case self::ORDER_CALLSIGN:
         $parts[] = array(
-          'name' => 'r.callsign',
+          'table' => 'r',
+          'column' => 'callsign',
           'reverse' => true,
         );
         break;
       case self::ORDER_NAME:
         $parts[] = array(
-          'name' => 'r.name',
+          'table' => 'r',
+          'column' => 'name',
           'reverse' => true,
         );
         break;
       case self::ORDER_SIZE:
         $parts[] = array(
-          'name' => 's.size',
+          'table' => 's',
+          'column' => 'size',
         );
         break;
       default:
@@ -329,7 +333,8 @@ final class PhabricatorRepositoryQuery
     }
 
     $parts[] = array(
-      'name' => 'r.id',
+      'table' => 'r',
+      'column' => 'id',
     );
 
     return $this->formatOrderClause($conn, $parts);

src/infrastructure/query/policy/PhabricatorCursorPagedPolicyAwareQuery.php

@@ -310,12 +310,21 @@ abstract class PhabricatorCursorPagedPolicyAwareQuery
         $descending = !$descending;
       }
 
-      $name = $part['name'];
+      $table = idx($part, 'table');
+      $column = $part['column'];
 
       if ($descending) {
-        $sql[] = qsprintf($conn, '%Q DESC', $name);
+        if ($table !== null) {
+          $sql[] = qsprintf($conn, '%T.%T DESC', $table, $column);
+        } else {
+          $sql[] = qsprintf($conn, '%T DESC', $column);
+        }
       } else {
-        $sql[] = qsprintf($conn, '%Q ASC', $name);
+        if ($table !== null) {
+          $sql[] = qsprintf($conn, '%T.%T ASC', $table, $column);
+        } else {
+          $sql[] = qsprintf($conn, '%T ASC', $column);
+        }
       }
     }