Opened 11 years ago

Last modified 10 years ago

#11027 closed defect

Cross-db compatibility issues and possibility of SQL injection — at Initial Version

Reported by: Ryan J Ollos
Owned by: Chris Nelson
Priority: high
Component: TracJsGanttPlugin
Severity: major
Keywords:
Cc: Steffen Hoffmann
Trac Release:

Description

As Steffen pointed out in the mailing list thread, the plugin doesn't follow the Trac guidelines for SQL statements, as described in t:TracDev/DatabaseApi#GuidelinesforSQLStatements. This will result in cross-db compatibility issues and the possibility of SQL injection.

Here is an example fix (untested, as I don't understand the plugin well enough to execute this pathway or write a test):

  • tracjsganttplugin/0.11/tracjsgantt/tracpm.py

    diff --git a/tracjsganttplugin/0.11/tracjsgantt/tracpm.py b/tracjsganttplugin/0.
    index 0f0c4ba..d5a90d7 100644
    a b class TicketRescheduler(Component): 
    29042904                            values.append(t['id'])
    29052905                            values.append(to_utimestamp(self.pm.start(t)))
    29062906                            values.append(to_utimestamp(self.pm.finish(t)))
    2907                     cursor.execute('INSERT INTO schedule' + \
    2908                                        ' (ticket, start, finish)' + \
    2909                                        ' VALUES %s' % valuesClause,
    2910                                    values)
    2911 
     2907                    cursor.execute("""
     2908                        INSERT INTO schedule (ticket, start, finish)
     2909                        VALUES %%s""" % valuesClause, values)
    29122910
    29132911                    # Finally, add history records to schedule_change
    29142912                    # for newly scheduled tickets.
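Review bot: the replacement statement (new lines 2907 to 2909) writes `VALUES %%s`, which Python's `%` formatting reduces to the literal text `%s` and which gives `valuesClause` nothing to fill, so `"""...VALUES %%s""" % valuesClause` raises `TypeError: not all arguments converted during string formatting` before any SQL is sent. It should read `VALUES %s""" % valuesClause`, the same splice the removed line `' VALUES %s' % valuesClause` performed. That splice is only safe while `valuesClause` is built purely from `%s` placeholders and every value, including `t['id']`, keeps travelling in `values` as a bound parameter, which is what the TracDev guideline cited in the description asks for; the triple-quoted form is otherwise the style that guideline recommends.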

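The pattern the ticket asks for, as an added example that is not part of the report or of TracJsGanttPlugin: the SQL text for the multi-row `schedule` insert carries only `%s` placeholders, and the ticket ids and timestamps are bound as parameters, so a value containing SQL metacharacters is stored as data. The `execute_on_sqlite` helper is an assumed stand-in for Trac's sqlite backend, which rewrites `%s` to the driver's `?` marker; real plugin code would go through Trac's database API instead.

```python
import sqlite3


def build_schedule_insert(rows):
    """Build the INSERT for the schedule table following the Trac guideline:
    the statement holds only '%s' placeholders, every value is a parameter.
    rows is a list of (ticket_id, start_utimestamp, finish_utimestamp)."""
    if not rows:
        raise ValueError("nothing to insert")
    # One "(%s,%s,%s)" group per row; no data ever enters the SQL text.
    values_clause = ','.join(['(%s,%s,%s)'] * len(rows))
    params = []
    for ticket, start, finish in rows:
        params.extend((ticket, start, finish))
    # Python's % here only splices placeholders, so the result still
    # contains nothing but '%s' markers for the database layer to bind.
    sql = """
        INSERT INTO schedule (ticket, start, finish)
        VALUES %s""" % values_clause
    return sql, params


def execute_on_sqlite(conn, sql, params):
    """Assumed stand-in for Trac's sqlite backend: rewrite the '%s' markers
    to sqlite3's '?' and let the driver bind params (never string-format data in)."""
    return conn.execute(sql % (('?',) * len(params)), params)


def schedule_tickets(rows):
    """Insert rows into an in-memory schedule table and return what was stored."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE schedule (ticket INTEGER, start INTEGER, finish INTEGER)')
    sql, params = build_schedule_insert(rows)
    execute_on_sqlite(conn, sql, params)
    return conn.execute(
        'SELECT ticket, start, finish FROM schedule ORDER BY rowid').fetchall()


if __name__ == '__main__':
    # Constructed sample rows. The third "ticket id" carries a quote and a
    # semicolon; bound as a parameter it is stored verbatim and never parsed as SQL.
    sample = [(1, 1000, 2000), (2, 1500, 2500), ("1'; --", 0, 0)]
    print(schedule_tickets(sample))
```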
Change History (0)
