unquoted sql string is executed when setting savepoint
Bug #1098377 reported by Nathanael Schilling
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | Critical | Unassigned |
2.1 | Fix Released | Critical | Unassigned |
2.2 | Fix Released | Critical | Unassigned |
2.3 | Fix Released | Critical | Unassigned |
Bug Description
The function setSavepoint in oils_sql.c executes dbi_conn_
According to http://
printf-style formatting, and the libdbi source code does not suggest to me anywhere that it also quotes anything.
Given that spName is provided verbatim by any user with a userId, this means that setting a savepoint like
foo"; arbitrary_sql_code; end transaction; begin transaction; savepoint bar
will execute arbitrary_sql_code.
There may or may not be other similar places where something like this takes place in the same source file.
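The report describes a savepoint name spliced into a printf-style query, where no quoting of the name happens. Because a savepoint name is an SQL identifier rather than a string literal, bind parameters do not apply; the name has to be either restricted to identifier characters or quoted as an identifier before it reaches the query. The example below is added here and is not Evergreen's code nor its actual fix; it mimics the printf-style formatting with snprintf instead of calling libdbi, and the function names, the 63-byte identifier limit (PostgreSQL's default, assumed) and the sample inputs are all constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input with the shape given in the report; the
   "arbitrary_sql_code" token is a placeholder, not a statement. */
static const char *INJECTED_NAME =
    "foo\"; arbitrary_sql_code; end transaction; begin transaction; savepoint bar";

/* Hypothetical helper: returns 1 if `name` may be spliced unquoted into
   "SAVEPOINT %s": non-empty, starts with a letter or '_', contains only
   [A-Za-z0-9_], and is at most 63 bytes (assumed identifier limit). */
int savepoint_name_is_safe(const char *name) {
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len == 0 || len > 63) return 0;
    if (!(isalpha((unsigned char)name[0]) || name[0] == '_')) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_')) return 0;
    }
    return 1;
}

/* Build the statement the way a printf-style query function would, but
   only after the allowlist check. Returns bytes written, or -1 if the
   name is rejected or the buffer is too small. */
int build_savepoint_sql(const char *name, char *out, size_t outlen) {
    if (!savepoint_name_is_safe(name)) return -1;
    int n = snprintf(out, outlen, "SAVEPOINT %s;", name);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

/* General alternative: wrap the name in double quotes and double any
   embedded quote, so the whole input is one identifier and cannot close
   it early. Returns bytes written (excluding NUL), or -1 on overflow. */
int quote_identifier(const char *name, char *out, size_t outlen) {
    size_t pos = 0;
    if (name == NULL || outlen < 3) return -1;
    out[pos++] = '"';
    for (const char *p = name; *p != '\0'; p++) {
        size_t need = (*p == '"') ? 2 : 1;
        /* keep room for this character, the closing quote and the NUL */
        if (pos + need + 2 > outlen) return -1;
        if (*p == '"') out[pos++] = '"';
        out[pos++] = *p;
    }
    out[pos++] = '"';
    out[pos] = '\0';
    return (int)pos;
}

/* Demonstration helpers: each returns 1 when the outcome is as expected. */
int demo_plain_name_accepted(void) {
    char sql[64];
    return build_savepoint_sql("bar", sql, sizeof sql) == 14 &&
           strcmp(sql, "SAVEPOINT bar;") == 0;
}

int demo_injected_name_rejected(void) {
    char sql[256];
    return build_savepoint_sql(INJECTED_NAME, sql, sizeof sql) == -1;
}

int demo_quoted_identifier(void) {
    char q[32];
    /* fo"o becomes "fo""o" (7 bytes): the embedded quote is doubled */
    return quote_identifier("fo\"o", q, sizeof q) == 7 &&
           strcmp(q, "\"fo\"\"o\"") == 0;
}

int main(void) {
    printf("plain name accepted:     %d\n", demo_plain_name_accepted());
    printf("injected name rejected:  %d\n", demo_injected_name_rejected());
    printf("quoted identifier ok:    %d\n", demo_quoted_identifier());
    return 0;
}
```

The allowlist check is the simpler fix for a savepoint name, since legitimate names never need punctuation; identifier quoting is the general tool when arbitrary names must be preserved. Either way the check belongs at the point where the user-supplied value meets the format string, which is the spot the report identifies.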
Changed in evergreen:
assignee: nobody → Bill Erickson (erickson-esilibrary)
status: Confirmed → In Progress
Changed in evergreen:
status: In Progress → Fix Committed
Changed in evergreen:
status: Fix Committed → Fix Released
Of course, the alternative possibility is that I misread the definition of dbi_conn_queryf and that it quotes things.