Edgewall Software
Modify

Opened 15 years ago

Closed 15 years ago

Last modified 13 years ago

#504 closed defect (fixed)

Improper use of sqlite.execute allows arbitrary SQL

Reported by: daniel Owned by: daniel
Priority: highest Milestone: 0.7.1
Component: general Version: 0.7
Severity: critical Keywords:
Cc: Branch:
Release Notes:
API Changes:

Description

execute is improperly called in a few places (including auth.py), using array substitution directly, rather than allowing sqlite to handle quoting.

Example (from auth.py):

cursor.execute ("INSERT INTO auth_cookie (cookie, name, ipnr, time)" +
                "VALUES ('%s', '%s', '%s', %d)"
                % (cookie, req.remote_user, req.remote_addr, int(time.time())));

Should be:

cursor.execute ("INSERT INTO auth_cookie (cookie, name, ipnr, time)" +
                "VALUES ('%s', '%s', '%s', %d)",
                cookie, req.remote_user, req.remote_addr, int(time.time()));

<idnar> grep'ing the code shows a few possibly similar cases

Attachments (1)

security.patch (3.5 KB ) - added by idnar 15 years ago.

Download all attachments as: .zip

Change History (3)

comment:1 by idnar, 15 years ago

Actually, the tokens shouldn't be quoted in the SQL statement; ie. it should be VALUES (%s, %s, %s, %d). I'm attaching a patch which I think fixes all of these (it hasn't been thoroughly tested, though).

by idnar, 15 years ago

Attachment: security.patch added

comment:2 by daniel, 15 years ago

Resolution: fixed
Status: newclosed

Fixed in [712]. merged to stable in [713].

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain daniel.
The resolution will be deleted. Next status will be 'reopened'.
to as closed The owner will be changed from daniel to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.