Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#11829 closed defect (fixed)

MindMap macro has a SQL injection

Reported by: Jun Omae Owned by: Martin Scharrer
Priority: normal Component: MindMapMacro
Severity: normal Keywords:
Cc: Trac Release: 1.0


If a single quote character is used in content in MindMap macro, the following error is raised.

  File "/home/jun66j5/src/trac/trac-hacks/mindmapmacro/0.11/tracmindmap/", line 205, in expand_macro
    self._set_cache(hash, mm)
  File "/home/jun66j5/src/trac/trac-hacks/mindmapmacro/0.11/tracmindmap/", line 152, in _set_cache
    cursor.execute("INSERT INTO mindmapcache VALUES ('%s','%s')" % (hash,content) )
  File "/home/jun66j5/venv/trac/1.0.1/lib/python2.5/site-packages/trac/db/", line 66, in execute
    return self.cursor.execute(sql)
  File "/home/jun66j5/venv/trac/1.0.1/lib/python2.5/site-packages/trac/db/", line 78, in execute
    result = PyFormatCursor.execute(self, *args)
  File "/home/jun66j5/venv/trac/1.0.1/lib/python2.5/site-packages/trac/db/", line 56, in execute
    args or [])
  File "/home/jun66j5/venv/trac/1.0.1/lib/python2.5/site-packages/trac/db/", line 48, in _rollback_on_error
    return function(self, *args, **kwargs)
OperationalError: unrecognized token: ""/></node></node></map>')"
  • mindmapmacro/0.11/tracmindmap/

    146146    def _set_cache(self, hash, content):
    147147        db = self.env.get_db_cnx()
    148148        cursor = db.cursor()
    149         cursor.execute("INSERT INTO mindmapcache VALUES ('%s','%s')" % (hash,content) )
     149        cursor.execute("INSERT INTO mindmapcache VALUES (%s,%s)",
     150                       (hash, unicode(content)))
    150151        db.commit()
    152153    def _get_cache(self, hash, default=None):

Attachments (0)

Change History (4)

comment:1 Changed 4 years ago by Ryan J Ollos

I tried to get in touch with the author in #7481, but it seems like he is not longer around. It looks like this is another case where we should just go ahead and push the change if we don't hear from him within a few days.

comment:2 Changed 4 years ago by Martin Scharrer

Hi guys, sorry I'm very busy with my day job and don't read all emails I get. Feel free to push that change. I'm not sure if I find time to do it myself in the next time.

comment:3 Changed 4 years ago by Jun Omae

Resolution: fixed
Status: newclosed

In 14043:

Use the Trac DB-API to prevent SQL injection (fixed #11829)

comment:4 Changed 4 years ago by Jun Omae

Thanks for the response. I've commited the changes.

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain Martin Scharrer.
The resolution will be deleted.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.