Opened 3 years ago

Last modified 3 years ago

#9065 new defect

[PATCH] Improper SQL handling when updating change_time

Reported by: moreati Owned by: CuriousCurmudgeon
Priority: normal Component: BatchModifyPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.11

Description

BatchModifier in source:batchmodifyplugin/0.12/trunk/batchmod/web_ui.py uses string interpolation to execute an UPDATE

Attachments (1)

9065_update_changetime.patch (704 bytes) - added by moreati 3 years ago.
Patch for using bind variables to prevent sql injection

Change History (2)

Changed 3 years ago by moreati

Patch for using bind variables to prevent sql injection

comment:1 Changed 3 years ago by moreati

Though the SQL statement is built using string interpolation both parameters (original_changetime, ticket.id) are earlier passed through functions that should protect against arbitrary SQL (i.e. to_utimestamp(), int() respectively). AFAICT this is not an immediate security hole, but should be fixed anyway.
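The two forms of the change_time UPDATE side by side, as an added example that is not the plugin's or the attached patch's code. It runs against a constructed in-memory SQLite table, so it uses sqlite3's `?` placeholders rather than the `%s` placeholders of Trac's database API, and `to_utimestamp()` is a stand-in for Trac's helper (assumed to behave the same: microseconds since the epoch as an int). The point is the one comment:1 makes: the interpolated form is only as safe as every caller's upstream coercion, while the bound form treats its values as data regardless of what reaches it.

```python
"""Added example (not BatchModifyPlugin code): updating ticket.changetime
with string interpolation versus bind variables, on a constructed table."""
import sqlite3
from datetime import datetime, timezone

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_utimestamp(dt):
    """Stand-in for Trac's to_utimestamp(): microseconds since the epoch, as int.
    Assumed equivalent for tz-aware datetimes; not imported from Trac here."""
    delta = dt - _EPOCH
    return delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds


def make_db():
    """Constructed sample data: three tickets with arbitrary changetime values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ticket (id INTEGER PRIMARY KEY, changetime INTEGER)")
    conn.executemany("INSERT INTO ticket VALUES (?, ?)", [(1, 100), (2, 200), (3, 300)])
    conn.commit()
    return conn


def update_changetime_interpolated(conn, ticket_id, changetime):
    """The pattern the ticket reports: values spliced into the SQL text.
    Correct only while every caller has already passed ticket_id through int()
    and changetime through to_utimestamp(); the statement itself enforces nothing."""
    sql = "UPDATE ticket SET changetime=%s WHERE id=%s" % (changetime, ticket_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_changetime_bound(conn, ticket_id, changetime):
    """The patch's approach: bind variables. The driver sends the values
    separately from the statement, so they are never parsed as SQL."""
    cur = conn.execute(
        "UPDATE ticket SET changetime=? WHERE id=?", (changetime, ticket_id)
    )
    conn.commit()
    return cur.rowcount


def changetimes(conn):
    """Snapshot of the table as {id: changetime}, for checking results."""
    return dict(conn.execute("SELECT id, changetime FROM ticket ORDER BY id"))


if __name__ == "__main__":
    db = make_db()
    ts = to_utimestamp(datetime(1970, 1, 1, 0, 0, 1, tzinfo=timezone.utc))
    print(update_changetime_bound(db, 2, ts), changetimes(db))
    # A string that is not a ticket id matches nothing when bound: it is data, not SQL.
    print(update_changetime_bound(db, "2 OR 1=1", 999), changetimes(db))
    # The upstream guard comment:1 relies on for the interpolated form rejects the same string.
    try:
        int("2 OR 1=1")
    except ValueError as exc:
        print("int() guard:", exc)
```

With bind variables the WHERE clause compares the integer column against a text value that is not numeric, so no row matches and `rowcount` is 0; the interpolated form has no such property of its own and depends on `int()` raising first.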
