Opened 13 years ago

Closed 10 years ago

#9065 closed defect (wontfix)

[PATCH] Improper SQL handling when updating change_time

Reported by: Alex Willmer
Owned by: CuriousCurmudgeon
Priority: normal
Component: BatchModifyPlugin
Severity: normal
Keywords: (none)
Cc: (none)
Trac Release: 0.11

Description

BatchModifier in source:batchmodifyplugin/0.12/trunk/batchmod/web_ui.py uses string interpolation to execute an UPDATE.

Attachments (1)

9065_update_changetime.patch (704 bytes) - added by Alex Willmer 13 years ago.
Patch for using bind variables to prevent sql injection

Change History (3)

Changed 13 years ago by Alex Willmer

Patch for using bind variables to prevent sql injection

comment:1 Changed 13 years ago by Alex Willmer

Though the SQL statement is built using string interpolation both parameters (original_changetime, ticket.id) are earlier passed through functions that should protect against arbitrary SQL (i.e. to_utimestamp(), int() respectively). AFAICT this is not an immediate security hole, but should be fixed anyway.
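The two patterns the ticket contrasts, as an added example that is not the plugin's code or the attached patch (the actual statement is not shown on this page): a constructed sqlite3 reconstruction of an UPDATE on the ticket changetime, first with the values pasted into the SQL text, then with bind variables. The table layout, the `coerce()` guard (standing in for the `int()` and `to_utimestamp()` calls comment:1 mentions) and all sample values are assumptions made for the demonstration.

```python
import sqlite3

# Constructed schema: a cut-down stand-in for Trac's ticket table,
# keeping only the columns this example touches.
SCHEMA = """
CREATE TABLE ticket (
    id INTEGER PRIMARY KEY,
    summary TEXT,
    changetime INTEGER
)
"""


def make_db():
    """Return an in-memory database holding three constructed tickets."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO ticket (id, summary, changetime) VALUES (?, ?, ?)",
        [(1, "first", 1000), (2, "second", 2000), (3, "third", 3000)],
    )
    conn.commit()
    return conn


def changetimes(conn):
    """Current changetime of every ticket, ordered by id."""
    return [row[0] for row in conn.execute(
        "SELECT changetime FROM ticket ORDER BY id")]


def update_changetime_interpolated(conn, ticket_id, new_changetime):
    """The pattern the ticket objects to: values become part of the SQL text.

    Hypothetical reconstruction, not the plugin's real statement. Whatever
    the arguments contain is parsed by SQLite as SQL, so a value such as
    "2 OR 1=1" changes the WHERE clause instead of being compared as an id.
    Returns the number of rows modified.
    """
    sql = "UPDATE ticket SET changetime=%s WHERE id=%s" % (
        new_changetime, ticket_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_changetime_bound(conn, ticket_id, new_changetime):
    """Same update with bind variables, the fix the attached patch proposes.

    The statement text is fixed; the driver passes the values separately,
    so they can only ever be compared as data. Returns rows modified.
    """
    cur = conn.execute(
        "UPDATE ticket SET changetime=? WHERE id=?",
        (new_changetime, ticket_id),
    )
    conn.commit()
    return cur.rowcount


def coerce(ticket_id, changetime):
    """Stand-in for the guards comment:1 describes (int() on the id and a
    timestamp conversion on the changetime). Non-numeric input raises
    ValueError before any SQL is built, which is why the reporter does not
    consider the interpolation an immediate hole. It is still a second line
    of defence, not a substitute for bind variables."""
    return int(ticket_id), int(changetime)


def guard_rejects(ticket_id, changetime):
    """True when coerce() refuses the input, False when it passes."""
    try:
        coerce(ticket_id, changetime)
    except ValueError:
        return True
    return False


def demo():
    """Run both variants against a malformed id and report what happened."""
    hostile_id = "2 OR 1=1"  # constructed malformed input, not a real ticket id
    interp = make_db()
    interp_rows = update_changetime_interpolated(interp, hostile_id, 4000)
    bound = make_db()
    bound_rows = update_changetime_bound(bound, hostile_id, 4000)
    return {
        "interpolated_rows_changed": interp_rows,   # 3: every ticket
        "bound_rows_changed": bound_rows,           # 0: no id equals that text
        "guard_rejects_input": guard_rejects(hostile_id, 4000),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

Running `demo()` shows the difference directly: the interpolated statement rewrites every row, the bound statement matches nothing because SQLite compares the text to the integer id as a value, and the `int()` guard would have stopped the request before either statement ran. The guard is what makes the original code survivable; the bind variables are what make it correct.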

comment:2 Changed 10 years ago by Ryan J Ollos

Resolution: wontfix
Status: new → closed

The plugin is deprecated since it has been integrated into the Trac core for 1.0. Upgrade to Trac 1.0 and uninstall this plugin to get the latest functionality. Enhancement requests can be directed to Trac.
