Opened 6 years ago

Last modified 6 years ago

#4056 assigned defect

What's about Security?

Reported by: martin_s
Owned by: JamesMills
Priority: highest
Component: SqlQueryMacro
Severity: critical
Keywords: security
Cc:
Trac Release: 0.11

Description

There seem to be no security checks to disallow something like DROP TABLE 'wiki';,
or is the missing db.commit() a protection for writing to the DB?

Change History (1)

comment:1 in reply to: ↑ description Changed 6 years ago by JamesMills

  • Status changed from new to assigned

Replying to martin_s:

There seem to be no security checks to disallow something like DROP TABLE 'wiki';,
or is the missing db.commit() a protection for writing to the DB?

Yes. It deliberately does NOT commit.
Unless you have any other "Security Concerns",
I'm going to close this as "Invalid" tomorrow
after reviewing my plugin.

I'll be publishing a new version tomorrow.

--JamesMills
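
The following is an added example, not code from the SqlQueryMacro plugin or from this ticket: one way to reject write statements such as the DROP TABLE in the report while the statement is compiled, so the result does not depend on whether the caller commits. It assumes a SQLite backend accessed through Python's sqlite3 module; make_demo_db and run_macro_query are hypothetical names and the wiki table is constructed sample data.

```python
import sqlite3

# Actions a read-only query needs; every other action code is denied.
READ_ONLY_ACTIONS = {
    sqlite3.SQLITE_SELECT,    # the SELECT statement itself
    sqlite3.SQLITE_READ,      # reading a column
    sqlite3.SQLITE_FUNCTION,  # calling SQL functions such as count()
}


def read_only_authorizer(action, arg1, arg2, db_name, source):
    """Called by SQLite for each action while a statement is compiled."""
    if action in READ_ONLY_ACTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def make_demo_db():
    """Constructed sample data: an in-memory database with a 'wiki' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wiki (name TEXT, text TEXT)")
    conn.execute("INSERT INTO wiki VALUES ('WikiStart', 'Welcome')")
    conn.commit()
    # From here on the connection only compiles read-only statements.
    conn.set_authorizer(read_only_authorizer)
    return conn


def run_macro_query(conn, sql):
    """Hypothetical macro entry point: returns (rows, error_message)."""
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.DatabaseError as exc:
        # A denied action makes statement compilation fail, so nothing runs.
        return None, str(exc)


if __name__ == "__main__":
    db = make_demo_db()
    for query in ("SELECT name FROM wiki",
                  "DROP TABLE wiki",
                  "DELETE FROM wiki",
                  "SELECT count(*) FROM wiki"):
        print(query, "->", run_macro_query(db, query))
```
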
