oops on $team/+reassign page when entering "%"
Bug #413287 reported by Edwin Grubbs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | Low | Unassigned |
Bug Description
This is not a security vulnerability since arbitrary SQL can't be injected. The '%' is just not escaped, so psycopg's variable substitution blows up.
The ValidPersonOrTe
For example:
SQL('SELECT name FROM person WHERE id = ? AND displayname = ?', (33, 'foo'))
This should also eliminate the need to use quote() and quote_like() on the parameters.
OOPS-1321S1050
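The failure mode described above and the parameterised replacement the report proposes, as an added simulation that is not code from Launchpad or psycopg: psycopg fills `%s` placeholders client-side with Python's `%` formatting, which the `substitute()` stand-in below imitates, so any user-controlled '%' that reaches the query template instead of a parameter breaks the substitution before the database ever sees the query. `adapt()`, both query builders, the `teamowner` column and the sample inputs are constructed for this example. The parameterised builder also LIKE-escapes the user's text, since a '%' that travels as a parameter no longer breaks substitution but would still act as a wildcard if left bare.

```python
"""Simulation of the '%' oops and its parameterised fix.

psycopg performs client-side %-style substitution of query parameters
(the template is formatted with 'template % params'), so a literal '%'
spliced into the template as text blows up before the query is sent.
Everything here is constructed for illustration: it is neither
Launchpad's nor psycopg's code.
"""


def adapt(value):
    """Minimal stand-in for psycopg's parameter adaptation (assumption)."""
    if isinstance(value, int):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def substitute(template, params):
    """Stand-in for the client-side 'template % params' step.

    Like psycopg, it raises ValueError/TypeError when the template
    contains a stray '%' that is not part of a placeholder.
    """
    return template % tuple(adapt(p) for p in params)


def build_vulnerable(search_text, owner_id):
    """'Before': the LIKE pattern is spliced into the template as text.

    The builder escapes its own '%' wildcards as '%%' so ordinary input
    works, but the user's text goes in raw, so a user-supplied '%' lands
    in the template unescaped.
    """
    pattern = "'%%" + search_text.replace("'", "''") + "%%'"
    template = ("SELECT name FROM Person WHERE displayname ILIKE " + pattern
                + " AND teamowner = %s")
    return substitute(template, (owner_id,))


def like_escape(text, escape="\\"):
    """Escape LIKE metacharacters so the user's text matches literally.

    PostgreSQL's default ESCAPE character for LIKE/ILIKE is backslash;
    the escape character itself must be escaped first.
    """
    return (text.replace(escape, escape + escape)
                .replace("%", escape + "%")
                .replace("_", escape + "_"))


def build_parameterised(search_text, owner_id):
    """'After': the pattern travels as a parameter.

    The template contains only '%s' placeholders, so no user-controlled
    '%' can reach the formatting step and no quote()/quote_like() is
    needed on the values.
    """
    pattern = "%" + like_escape(search_text) + "%"
    template = ("SELECT name FROM Person WHERE displayname ILIKE %s"
                " AND teamowner = %s")
    return substitute(template, (pattern, owner_id))


def reproduce(search_text, owner_id=33):
    """Return (vulnerable_result, parameterised_result).

    The vulnerable result is the exception class name when substitution
    blows up, otherwise the substituted query.
    """
    try:
        vuln = build_vulnerable(search_text, owner_id)
    except (ValueError, TypeError) as exc:
        vuln = type(exc).__name__
    return vuln, build_parameterised(search_text, owner_id)


if __name__ == "__main__":
    # Constructed inputs: ordinary text, the bare '%' from the report,
    # and text mixing both LIKE metacharacters.
    for text in ("foo", "%", "50%_off"):
        before, after = reproduce(text)
        print(repr(text))
        print("  before:", before)
        print("  after: ", after)
```

For "foo" both builders yield the same query; for "%" the text-spliced builder fails with `ValueError` from the formatting step while the parameterised builder sends `ILIKE '%\%%'`, which matches display names containing a literal percent sign rather than everything.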
Related branches
lp://qastaging/~sinzui/launchpad/vocab-storm-bug-413287
- Eleanor Berger (community): Approve
Diff: 95 lines (+35/-16), 2 files modified
  lib/lp/registry/doc/vocabularies.txt (+23/-2)
  lib/lp/registry/vocabularies.py (+12/-14)
Changed in launchpad-registry:
  importance: Undecided → Low
  status: New → Triaged
Changed in launchpad-registry:
  milestone: none → 3.1.11
Changed in launchpad-registry:
  assignee: nobody → Curtis Hovey (sinzui)
  status: Triaged → In Progress
Changed in launchpad:
  assignee: Curtis Hovey (sinzui) → nobody
Fixed in launchpad devel r9933.