Opened 11 years ago
Last modified 10 years ago
#11027 closed defect
Cross-db compatibility issues and possibility of SQL injection — at Version 2
Reported by: | Ryan J Ollos | Owned by: | Chris Nelson |
---|---|---|---|
Priority: | high | Component: | TracJsGanttPlugin |
Severity: | major | Keywords: | |
Cc: | Steffen Hoffmann | Trac Release: | |
Description (last modified by )
As Steffen pointed out in the mailing list thread, the plugin doesn't follow the Trac rules for DB API usage, as described in t:TracDev/DatabaseApi#RulesforDBAPIUsage. This will result in cross-db compatibility issues and the possibility of SQL injection.
Here is an example fix (untested, as I don't understand the plugin well enough to execute this pathway or write a test):
tracjsganttplugin/0.11/tracjsgantt/tracpm.py
diff --git a/tracjsganttplugin/0.11/tracjsgantt/tracpm.py b/tracjsganttplugin/0. index 0f0c4ba..d5a90d7 100644
a b class TicketRescheduler(Component): 2904 2904 values.append(t['id']) 2905 2905 values.append(to_utimestamp(self.pm.start(t))) 2906 2906 values.append(to_utimestamp(self.pm.finish(t))) 2907 cursor.execute('INSERT INTO schedule' + \ 2908 ' (ticket, start, finish)' + \ 2909 ' VALUES %s' % valuesClause, 2910 values) 2911 2907 cursor.execute(""" 2908 INSERT INTO schedule (ticket, start, finish) 2909 VALUES %s""" % valuesClause, values) 2912 2910 2913 2911 # Finally, add history records to schedule_change 2914 2912 # for newly scheduled tickets.
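Review bot: the rewritten call (new lines 2907-2909) still formats `valuesClause` into the SQL with `%`, so the hunk changes layout rather than behaviour; in the old code `' VALUES %s' % valuesClause` already bound before the `+` concatenation, so both versions produce the same statement. Whether it is safe rests on `valuesClause` containing nothing but `(%s, %s, %s)` placeholder groups, which is not visible in this hunk, with all data going through `values`. To follow the DB API rules the ticket cites and drop string formatting from the statement entirely, consider `cursor.executemany("INSERT INTO schedule (ticket, start, finish) VALUES (%s, %s, %s)", rows)` with one `(ticket, start, finish)` tuple per ticket.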
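A worked example of the rule the description cites, added here and not taken from the plugin: the only text formatted into the statement is a clause built purely from placeholders, and an `executemany` variant avoids formatting the SQL at all. It assumes a `schedule` table with the plugin's three columns and uses the stdlib `sqlite3` module with `?` placeholders in place of Trac's DB API, which uses `%s` on every backend.

```python
import sqlite3

# Trac's DB API uses "%s" as the placeholder on every backend; the stdlib
# sqlite3 module used here for a self-contained demo uses "?" instead.
PLACEHOLDER = "?"

def build_values_clause(n_rows, n_cols=3):
    """Return a VALUES clause made only of placeholders, e.g. '(?,?,?),(?,?,?)'."""
    row = "(" + ",".join([PLACEHOLDER] * n_cols) + ")"
    return ",".join([row] * n_rows)

def insert_schedule(conn, rows):
    """Multi-row insert in the style of the patched tracpm.py: the only text
    formatted into the SQL is the placeholder clause; every value travels in
    the parameter list, so the driver quotes it."""
    if not rows:
        return 0
    clause = build_values_clause(len(rows))
    # Defensive check: the clause may contain placeholders, parens and commas only.
    if not set(clause) <= set(PLACEHOLDER + "(),"):
        raise ValueError("VALUES clause must consist of placeholders only")
    flat = [v for row in rows for v in row]
    cur = conn.execute(
        "INSERT INTO schedule (ticket, start, finish) VALUES %s" % clause, flat)
    return cur.rowcount

def insert_schedule_many(conn, rows):
    """Same insert via executemany: one row template, no SQL string formatting."""
    cur = conn.executemany(
        "INSERT INTO schedule (ticket, start, finish) VALUES (?, ?, ?)", rows)
    return cur.rowcount  # sqlite3 sums the row counts of an executemany

def demo():
    """Constructed sample data; returns (rows inserted, rows inserted, stored ids)."""
    conn = sqlite3.connect(":memory:")  # hypothetical schedule table, same columns as the plugin's
    conn.execute("CREATE TABLE schedule (ticket, start INTEGER, finish INTEGER)")
    # The third ticket id carries a quote character to show that parameter
    # binding stores it literally instead of letting it alter the statement.
    rows = [(42, 1000, 2000), (43, 1500, 2500), ("44'", 1600, 2600)]
    n1 = insert_schedule(conn, rows)
    n2 = insert_schedule_many(conn, rows)
    stored = [r[0] for r in conn.execute("SELECT ticket FROM schedule ORDER BY rowid")]
    return n1, n2, stored

if __name__ == "__main__":
    print(demo())
```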
Change History (2)
comment:1 Changed 11 years ago by
Description: | modified (diff) |
---|---|
comment:2 Changed 11 years ago by
Description: | modified (diff) |
---|---|