Opened 3 years ago

Closed 4 months ago

#9065 closed defect (wontfix)

[PATCH] Improper SQL handling when updating change_time

Reported by: moreati Owned by: CuriousCurmudgeon
Priority: normal Component: BatchModifyPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.11

Description

BatchModifier in source:batchmodifyplugin/0.12/trunk/batchmod/web_ui.py uses string interpolation to execute an UPDATE

Attachments (1)

9065_update_changetime.patch (704 bytes) - added by moreati 3 years ago.
Patch for using bind variables to prevent sql injection

Change History (3)

Changed 3 years ago by moreati

Patch for using bind variables to prevent sql injection

comment:1 Changed 3 years ago by moreati

Though the SQL statement is built using string interpolation both parameters (original_changetime, ticket.id) are earlier passed through functions that should protect against arbitrary SQL (i.e. to_utimestamp(), int() respectively). AFAICT this is not an immediate security hole, but should be fixed anyway.
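The two points raised in this ticket, that string interpolation in the UPDATE is only safe while every caller happens to coerce its inputs, and that bind variables remove the dependence on that coercion, are shown below in an added example. It is not code from BatchModifyPlugin or from the attached patch: it uses an in-memory sqlite3 table standing in for Trac's ticket table, a local stand-in for trac.util.datefmt.to_utimestamp(), sqlite3's '?' placeholders rather than the '%s' placeholders Trac's DB wrapper uses, and a constructed hostile ticket id.

```python
import sqlite3
from datetime import datetime, timezone


def to_utimestamp(dt):
    """Constructed stand-in for trac.util.datefmt.to_utimestamp(): microseconds
    since the epoch as an int. Defined here so the example runs without Trac."""
    return int(dt.replace(tzinfo=timezone.utc).timestamp() * 1_000_000)


def make_db():
    """Constructed sample data: a minimal ticket table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ticket (id INTEGER PRIMARY KEY, changetime INTEGER)")
    conn.executemany("INSERT INTO ticket VALUES (?, ?)", [(1, 0), (2, 0)])
    conn.commit()
    return conn


def update_interpolated(conn, changetime, ticket_id):
    """The pattern the ticket objects to: values spliced into the SQL text.
    Only safe if every caller has already coerced both values (to_utimestamp(),
    int()). Returns the number of rows touched."""
    sql = "UPDATE ticket SET changetime=%s WHERE id=%s" % (changetime, ticket_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_bound(conn, changetime, ticket_id):
    """The shape the patch moves to: bind variables, so the values are passed
    to the driver and never become part of the SQL text. sqlite3 uses '?'
    placeholders here; Trac's own DB wrapper uses '%s'."""
    cur = conn.execute(
        "UPDATE ticket SET changetime=? WHERE id=?", (changetime, ticket_id)
    )
    conn.commit()
    return cur.rowcount


def changetimes(conn):
    return [row[0] for row in conn.execute("SELECT changetime FROM ticket ORDER BY id")]


def demo():
    now = to_utimestamp(datetime(2012, 1, 1, 12, 0, 0))
    hostile_id = "1 OR 1=1"  # constructed attacker-controlled ticket id

    # 1. Interpolation with an uncoerced id: the WHERE clause is rewritten
    #    and every row in the table is updated.
    conn = make_db()
    interpolated_rows = update_interpolated(conn, now, hostile_id)

    # 2. The guard comment:1 relies on: int() refuses to coerce the payload,
    #    so the interpolated statement is never built from it.
    try:
        int(hostile_id)
        int_guard_raised = False
    except ValueError:
        int_guard_raised = True

    # 3. Bind variables: the payload is compared as a literal value against
    #    the INTEGER id column and matches nothing.
    conn = make_db()
    bound_hostile_rows = update_bound(conn, now, hostile_id)

    # 4. Bind variables with legitimate values: exactly one row updated.
    bound_rows = update_bound(conn, now, 1)

    return {
        "interpolated_rows": interpolated_rows,
        "int_guard_raised": int_guard_raised,
        "bound_hostile_rows": bound_hostile_rows,
        "bound_rows": bound_rows,
        "changetimes": changetimes(conn),
        "now": now,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the interpolated UPDATE touching both rows when the id is not coerced, int() raising on the same input, and the bound UPDATE touching zero rows for the hostile id and one row for a real one. The defence in the bound form is a property of the statement itself rather than of its callers, which is the reason to fix it even though the current callers coerce their inputs.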

comment:2 Changed 4 months ago by rjollos

  • Resolution set to wontfix
  • Status changed from new to closed

The plugin is deprecated since it has been integrated into the Trac core for 1.0. Upgrade to Trac 1.0 and uninstall this plugin to get the latest functionality. Enhancement requests can be directed to Trac.