View Issue Details

ID: 0013491
Project: CDash
Category: (No Category)
View Status: public
Date Submitted: 2012-08-27 03:05
Last Update: 2012-08-27 04:11
Reporter: Vincent Hobeïka
Assigned To: Julien Jomier
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: amd64
OS: debian GNU/Linux
OS Version: squeeze
Product Version: 2.0
Target Version:
Fixed in Version: 2.2

Summary: 0013491: CDash banner does not escape strings, potential SQL injection

Description:
CDash 2.0.2

We can't set up a banner on a project with a string containing a simple quote:

"It's freeze time buddies!"

results in:

(Banner:SetText): SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's freeze time buddies!')' at line 2

Same while updating an already set up banner:

(Banner:SetText): SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's freeze time buddies!' WHERE projectid='10'' at line 1

It seems there is a risk of SQL injection attack.

A curly simple quote won't produce the error: ’

Best regards,
Steps To Reproduce: Write a banner containing a simple quote: '

Additional Information:
CDash 2.0.2
GNU/Linux debian squeeze
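The failure the report describes, as an added illustration that is not CDash's code nor the fix committed for this issue: a constructed SQLite stand-in for the banner table (assumed columns projectid and text), the string-interpolating update that breaks on an ASCII apostrophe but not on a curly quote, and the parameterized update that stores both unchanged.

```python
import sqlite3

# Constructed stand-in for CDash's banner storage: one row for projectid 10,
# the id that appears in the reporter's error message. Assumed schema, not CDash's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE banner (projectid INTEGER PRIMARY KEY, text TEXT)")
    conn.execute("INSERT INTO banner VALUES (10, 'old banner')")
    return conn

def set_text_unescaped(conn, projectid, text):
    # The failing pattern: banner text is pasted straight into the statement,
    # so an ASCII apostrophe in the text closes the string literal early and
    # the rest of the banner is parsed as SQL. A curly quote (U+2019) is just
    # another character inside the literal, which is why it did not error.
    sql = "UPDATE banner SET text='%s' WHERE projectid='%s'" % (text, projectid)
    conn.execute(sql)

def set_text_parameterized(conn, projectid, text):
    # The fix: the text travels as a bound parameter and is never part of the
    # SQL grammar, so no character in it can alter the statement.
    conn.execute("UPDATE banner SET text=? WHERE projectid=?", (text, projectid))

def try_set_text(conn, projectid, text, setter):
    """Run one setter; return ('ok', stored text) or ('error', driver message)."""
    try:
        setter(conn, projectid, text)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    row = conn.execute("SELECT text FROM banner WHERE projectid=?", (projectid,)).fetchone()
    return ("ok", row[0])

if __name__ == "__main__":
    conn = make_db()
    straight = "It's freeze time buddies!"        # ASCII apostrophe, from the report
    curly = "It\u2019s freeze time buddies!"      # curly quote the reporter found harmless
    print(try_set_text(conn, 10, straight, set_text_unescaped))      # ('error', 'near "s": ...')
    print(try_set_text(conn, 10, curly, set_text_unescaped))         # ('ok', 'It’s freeze ...')
    print(try_set_text(conn, 10, straight, set_text_parameterized))  # ('ok', "It's freeze ...")
```

The same three calls make a regression test for any banner-style setter: the interpolating version must be rejected and the parameterized version must round-trip the apostrophe.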
Tags: No tags attached.
Attached Files

 Relationships

  Notes
(0030771)
Julien Jomier (manager)
2012-08-27 04:11

Thanks for the report. This is fixed in the current SVN trunk as well as the 2.1 branch.

 Issue History
Date Modified Username Field Change
2012-08-27 03:05 Vincent Hobeïka New Issue
2012-08-27 03:42 Julien Jomier Assigned To => Julien Jomier
2012-08-27 03:42 Julien Jomier Status new => assigned
2012-08-27 04:11 Julien Jomier Note Added: 0030771
2012-08-27 04:11 Julien Jomier Status assigned => resolved
2012-08-27 04:11 Julien Jomier Fixed in Version => 2.2
2012-08-27 04:11 Julien Jomier Resolution open => fixed


Copyright © 2000 - 2018 MantisBT Team