Opened 6 years ago

Closed 3 years ago

#9065 closed defect (wontfix)

[PATCH] Improper SQL handling when updating change_time

Reported by: Alex Willmer Owned by: CuriousCurmudgeon
Priority: normal Component: BatchModifyPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.11

Description

BatchModifier in source:batchmodifyplugin/0.12/trunk/batchmod/web_ui.py uses string interpolation to execute an UPDATE.

Attachments (1)

9065_update_changetime.patch (704 bytes) - added by Alex Willmer 6 years ago.
Patch for using bind variables to prevent SQL injection

Change History (3)

Changed 6 years ago by Alex Willmer

Patch for using bind variables to prevent SQL injection

comment:1 Changed 6 years ago by Alex Willmer

Though the SQL statement is built using string interpolation both parameters (original_changetime, ticket.id) are earlier passed through functions that should protect against arbitrary SQL (i.e. to_utimestamp(), int() respectively). AFAICT this is not an immediate security hole, but should be fixed anyway.
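The two statement shapes discussed in the description and comment:1, as an added illustration that is not the plugin's code and not the attached patch: an UPDATE of `changetime` built by string interpolation next to the same UPDATE using bind variables. It runs against a constructed in-memory SQLite table rather than Trac's database layer, and the table layout, the `to_utimestamp` stand-in and the sample rows are assumptions made for the example.

```python
import sqlite3


def to_utimestamp(seconds):
    """Stand-in for Trac's to_utimestamp(): an integer microsecond timestamp.
    Only the int() coercion matters here; the real function takes a datetime."""
    return int(seconds * 1_000_000)


def make_db():
    """Constructed sample table with three tickets (not Trac's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ticket (id INTEGER PRIMARY KEY, summary TEXT, changetime INTEGER)"
    )
    conn.executemany(
        "INSERT INTO ticket VALUES (?, ?, ?)",
        [(1, "first", 100), (2, "second", 200), (3, "third", 300)],
    )
    conn.commit()
    return conn


def update_changetime_interpolated(conn, ticket_id, changetime):
    """The pattern the ticket reports: values spliced into the SQL text.

    This is only as safe as every caller's coercion of both values to int;
    any value that is not an integer becomes part of the statement itself."""
    sql = "UPDATE ticket SET changetime=%s WHERE id=%s" % (changetime, ticket_id)
    conn.execute(sql)
    conn.commit()


def update_changetime_bound(conn, ticket_id, changetime):
    """Hardened form: placeholders, values handed to the driver separately.

    The int() coercion is kept as defence in depth; a non-integer ticket id
    now fails with ValueError instead of changing the statement's shape."""
    conn.execute(
        "UPDATE ticket SET changetime=? WHERE id=?",
        (int(changetime), int(ticket_id)),
    )
    conn.commit()


def changetimes(conn):
    """Return {ticket id: changetime} so a test can see which rows were touched."""
    return dict(conn.execute("SELECT id, changetime FROM ticket ORDER BY id"))


if __name__ == "__main__":
    conn = make_db()
    update_changetime_bound(conn, 2, to_utimestamp(1.5))
    print(changetimes(conn))  # only ticket 2 changes

    # Constructed non-integer id: the bound form refuses it, the interpolated
    # form would silently widen the WHERE clause to more than one row.
    try:
        update_changetime_bound(conn, "2 OR id=3", 5)
    except ValueError as exc:
        print("bound form rejected the id:", exc)
```

With bind variables the driver sends the statement and its values separately, so the database never reinterprets a value as SQL; the earlier `int()`/`to_utimestamp()` calls that comment:1 relies on stay useful as input validation but are no longer the only thing standing between a caller and the statement text.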

comment:2 Changed 3 years ago by Ryan J Ollos

Resolution: wontfix
Status: new → closed

The plugin is deprecated since it has been integrated to the Trac core for 1.0. Upgrade to Trac 1.0 and uninstall this plugin to get the latest functionality. Enhancement requests can be directed to Trac.
