Context Navigation

Modify ↓

#1418 closed defect (duplicate)

Dynamic variables in reports should be escaped

Reported by:	nil4	Owned by:	daniel
Priority:	normal	Milestone:
Component:	report system	Version:	devel
Severity:	critical	Keywords:
Cc:		Branch:
Release Notes:
API Changes:
Internal Changes:

Description

The code in Report.py — sql_sub_vars only does a simple string substitution on the dynamic variables, with no escaping of dangerous characters (including backslash). I see two problems with this approach:

It opens the door for SQL injection attacks on the sqlite database of trac repositories.
It makes it impossible to write reports that use the $USER variable when users are authenticated in a domain, since the backslash is interpreted as a string escape modifier.

For example, the following code fails with an error, when the logged user is domain\username:

SELECT * FROM ticket WHERE owner = '$USER'

Attachments (0)

Change History (2)

comment:1 by nil4, 19 years ago

Summary:	Dinamic variables in reports should be escaped → Dynamic variables in reports should be escaped

Actually, I just saw the values of dynamic variables are restricted by regexes, so I guess they're safe from SQL injection attacks.

Still, there's no way I can use to create reports for users authenticated in a Windows domain.

comment:2 by Matthew Good, 18 years ago

Resolution:	→ duplicate
Status:	new → closed

This was addressed in #2536

Modify Ticket

Change Properties

Summary:
Description:	The code in Report.py -- {{{sql_sub_vars}}} only does a simple string substitution on the dynamic variables, with no escaping of dangerous characters (including backslash). I see two problems with this approach: * It opens the door for SQL injection attacks on the sqlite database of trac repositories. * It makes it impossible to write reports that use the $USER variable when users are authenticated in a domain, since the backslash is interpreted as a string escape modifier. For example, the following code fails with an error, when the logged user is {{{domain\username}}}: {{{ #!sql SELECT * FROM ticket WHERE owner = '$USER' }}} You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The owner will remain daniel.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from daniel to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: