Modify

Opened 5 months ago

Closed 4 months ago

Last modified 4 months ago

#11829 closed defect (fixed)

MindMap macro has a SQL injection

Reported by: jun66j5 Owned by: martin_s
Priority: normal Component: MindMapMacro
Severity: normal Keywords:
Cc: Trac Release: 1.0

Description

If a single quote character is used in content in MindMap macro, the following error is raised.

...
  File "/home/jun66j5/src/trac/trac-hacks/mindmapmacro/0.11/tracmindmap/macro.py", line 205, in expand_macro
    self._set_cache(hash, mm)
  File "/home/jun66j5/src/trac/trac-hacks/mindmapmacro/0.11/tracmindmap/macro.py", line 152, in _set_cache
    cursor.execute("INSERT INTO mindmapcache VALUES ('%s','%s')" % (hash,content) )
  File "/home/jun66j5/venv/trac/1.0.1/lib/python2.5/site-packages/trac/db/util.py", line 66, in execute
    return self.cursor.execute(sql)
  File "/home/jun66j5/venv/trac/1.0.1/lib/python2.5/site-packages/trac/db/sqlite_backend.py", line 78, in execute
    result = PyFormatCursor.execute(self, *args)
  File "/home/jun66j5/venv/trac/1.0.1/lib/python2.5/site-packages/trac/db/sqlite_backend.py", line 56, in execute
    args or [])
  File "/home/jun66j5/venv/trac/1.0.1/lib/python2.5/site-packages/trac/db/sqlite_backend.py", line 48, in _rollback_on_error
    return function(self, *args, **kwargs)
OperationalError: unrecognized token: ""/></node></node></map>')"
  • mindmapmacro/0.11/tracmindmap/macro.py

     
    146146    def _set_cache(self, hash, content):
    147147        db = self.env.get_db_cnx()
    148148        cursor = db.cursor()
    149         cursor.execute("INSERT INTO mindmapcache VALUES ('%s','%s')" % (hash,content) )
     149        cursor.execute("INSERT INTO mindmapcache VALUES (%s,%s)",
     150                       (hash, unicode(content)))
    150151        db.commit()
    151152
    152153    def _get_cache(self, hash, default=None):

Attachments (0)

Change History (4)

comment:1 Changed 5 months ago by rjollos

I tried to get in touch with the author in #7481, but it seems like he is not longer around. It looks like this is another case where we should just go ahead and push the change if we don't hear from him within a few days.

comment:2 Changed 4 months ago by martin_s

Hi guys, sorry I'm very busy with my day job and don't read all emails I get. Feel free to push that change. I'm not sure if I find time to do it myself in the next time.

comment:3 Changed 4 months ago by jun66j5

  • Resolution set to fixed
  • Status changed from new to closed

In 14043:

Use the Trac DB-API to prevent SQL injection (fixed #11829)

comment:4 Changed 4 months ago by jun66j5

Thanks for the response. I've commited the changes.

Add Comment

Modify Ticket

Action
as closed The owner will remain martin_s.
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.