Opened 13 years ago

Closed 10 years ago

#9065 closed defect (wontfix)

[PATCH] Improper SQL handling when updating change_time

Reported by: Alex Willmer Owned by: CuriousCurmudgeon
Priority: normal Component: BatchModifyPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.11


BatchModifier in source:batchmodifyplugin/0.12/trunk/batchmod/ uses string interpolation to execute an UPDATE

Attachments (1)

9065_update_changetime.patch (704 bytes) - added by Alex Willmer 13 years ago.
Patch for using bind variables to prevent sql injection

Download all attachments as: .zip

Change History (3)

Changed 13 years ago by Alex Willmer

Patch for using bind variables to prevent sql injection

comment:1 Changed 13 years ago by Alex Willmer

Though the SQL statement is built using string interpolation both parameters (original_changetime, are earlier passed through functions that should protect against arbitrary SQL (i.e. to_utimestamp(), int() respectively). AFAICT this is not an immediate security hole, but should be fixed anyway.

comment:2 Changed 10 years ago by Ryan J Ollos

Resolution: wontfix
Status: newclosed

The plugin is deprecated since it has been integrated to the Trac core for 1.0. Upgrade to Trac 1.0 and uninstall this plugin to get the latest functionality. Enhancement requests can be directed to Trac.

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain CuriousCurmudgeon.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.