#504 closed defect (fixed)
Improper use of sqlite.execute allows arbitrary SQL
| Reported by: | daniel | Owned by: | daniel |
|---|---|---|---|
| Priority: | highest | Milestone: | 0.7.1 |
| Component: | general | Version: | 0.7 |
| Severity: | critical | Keywords: | |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
execute is improperly called in a few places (including auth.py), using array substitution directly, rather than allowing sqlite to handle quoting.
Example (from auth.py):
cursor.execute ("INSERT INTO auth_cookie (cookie, name, ipnr, time)" + "VALUES ('%s', '%s', '%s', %d)" % (cookie, req.remote_user, req.remote_addr, int(time.time())));
Should be:
cursor.execute ("INSERT INTO auth_cookie (cookie, name, ipnr, time)" + "VALUES ('%s', '%s', '%s', %d)", cookie, req.remote_user, req.remote_addr, int(time.time()));
<idnar> grep'ing the code shows a few possibly similar cases
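An added example (not code from this ticket or from Trac) showing the difference the report describes: a %-formatted INSERT breaks as soon as a value contains a quote, because the quote is parsed as SQL syntax, while the bound-parameter form stores the same value verbatim. It uses the stdlib sqlite3 module, whose placeholder style is `?` rather than the `%s` of the database wrapper Trac used at the time; the source-scanning helper and its sample lines are constructed here to show what the "grep for similar cases" check looks like.

```python
import re
import sqlite3
import time

# Constructed sample of the call styles from the ticket, used only to drive the checker below.
SAMPLE_SOURCE = '''
cursor.execute("INSERT INTO auth_cookie (cookie, name, ipnr, time) VALUES ('%s', '%s', '%s', %d)" % (cookie, user, addr, now))
cursor.execute("SELECT name FROM auth_cookie WHERE cookie = ?", (cookie,))
cursor.execute("DELETE FROM auth_cookie WHERE time < %d" % cutoff)
'''

def find_formatted_executes(source):
    """Line numbers where execute() receives a %-formatted string literal: the pattern to hunt for."""
    pattern = re.compile(r'''execute\s*\(\s*(?:"[^"]*"|'[^']*')\s*%''')
    return [n for n, line in enumerate(source.splitlines(), 1) if pattern.search(line)]

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_cookie (cookie TEXT, name TEXT, ipnr TEXT, time INTEGER)")
    return conn

def insert_formatted(conn, cookie, name, ipnr):
    # The pattern reported in the ticket: values are spliced into the SQL text, so any
    # quote character in them is read by SQLite as part of the statement.
    sql = ("INSERT INTO auth_cookie (cookie, name, ipnr, time) VALUES ('%s', '%s', '%s', %d)"
           % (cookie, name, ipnr, int(time.time())))
    conn.execute(sql)

def insert_parameterized(conn, cookie, name, ipnr):
    # Corrected form: placeholders (qmark style for the stdlib sqlite3 module) are bound by
    # the driver, so the value is stored verbatim and never reaches the SQL parser.
    conn.execute("INSERT INTO auth_cookie (cookie, name, ipnr, time) VALUES (?, ?, ?, ?)",
                 (cookie, name, ipnr, int(time.time())))

def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM auth_cookie ORDER BY rowid")]

def compare(name):
    """Run both insert styles with the same name: (error from the formatted form or None, names stored)."""
    conn = setup_db()
    error = None
    try:
        insert_formatted(conn, "cookie-a", name, "127.0.0.1")
    except sqlite3.Error as exc:
        error = type(exc).__name__
    insert_parameterized(conn, "cookie-b", name, "127.0.0.1")
    return error, stored_names(conn)
```

For a plain name both forms insert a row; for a name such as `o'brien` only the parameterized insert succeeds, and the formatted one raises a syntax error from SQLite.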
Attachments (1)
security.patch
Change History (3)
comment:1 by , 20 years ago
Actually, the tokens shouldn't be quoted in the SQL statement; i.e. it should be VALUES (%s, %s, %s, %d). I'm attaching a patch which I think fixes all of these (it hasn't been thoroughly tested, though).
by , 20 years ago
| Attachment: | security.patch added |
|---|---|
comment:2 by , 20 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |