Ticket #8703 (new defect)

Opened 1 year ago

SQL injection vulnerability/SQL compatibility

Reported by: anonymous
Assigned to: rjollos
Priority: normal
Component: TracTicketStatsPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

The arguments to the SQL statements are not properly escaped. This results in a possibility of SQL injection, and also database compatibility issues.

Disclaimer - I'm not really a Python programmer, so the attached patch may not be the optimal approach. However, it does remove the % operator, which is at the root of the SQL injection problem, and also removes the double quotes around the milestone value (which doesn't work with postgres 9.x).
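To illustrate the two defects the report describes (the % operator splicing the milestone value into the SQL text, and double quotes around that value), here is an added example that is not the plugin's code or the attached patch. It assumes a constructed in-memory sqlite3 ticket table and uses sqlite3's `?` placeholder (Trac's own db API uses `%s` placeholders).

```python
import sqlite3

# Constructed sample data (not from the plugin): a minimal Trac-like ticket table.
SAMPLE_TICKETS = [
    (1, "milestone1", "closed"),
    (2, "milestone1", "new"),
    (3, 'Release "Beta"', "new"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ticket (id INTEGER, milestone TEXT, status TEXT)")
    conn.executemany("INSERT INTO ticket VALUES (?, ?, ?)", SAMPLE_TICKETS)
    return conn


def unsafe_query(milestone):
    # The pattern the ticket reports: the value is spliced into the SQL text with the
    # % operator and wrapped in double quotes. Two defects follow: the value becomes
    # part of the SQL grammar (injection), and double quotes denote identifiers in
    # standard SQL, so PostgreSQL reads "milestone1" as a column name, not a string.
    # SQLite historically tolerates the latter by falling back to a string literal.
    return 'SELECT COUNT(*) FROM ticket WHERE milestone = "%s"' % milestone


def count_unsafe(conn, milestone):
    # Runs the spliced query; a value containing a quote corrupts the statement.
    try:
        return conn.execute(unsafe_query(milestone)).fetchone()[0]
    except sqlite3.OperationalError:
        return None  # the value broke the SQL text


def count_safe(conn, milestone):
    # Hardened form: parameter binding. The driver sends the value separately from
    # the SQL text, so it is never parsed as SQL and needs no quoting of any kind.
    row = conn.execute(
        "SELECT COUNT(*) FROM ticket WHERE milestone = ?", (milestone,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    print(count_safe(db, "milestone1"))          # 2
    print(count_safe(db, 'Release "Beta"'))      # 1
    print(count_unsafe(db, 'Release "Beta"'))    # None: statement corrupted
```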

Attachments

tracticketstatsplugin-sql-injection.patch (4.0 kB) - added by anonymous on 04/14/11 01:50:22.
Fix

Change History

04/14/11 01:50:22 changed by anonymous

  • attachment tracticketstatsplugin-sql-injection.patch added.

Fix