Closed
Bug 214290
Opened 22 years ago
Closed 21 years ago
collectstats.pl does not add \'s to SQL queries for quotes
Categories: Bugzilla :: Reporting/Charting, defect
Status: RESOLVED FIXED
Target Milestone: Bugzilla 2.16
People
(Reporter: eross_a, Assigned: justdave)
Details
(Whiteboard: [fixed in 2.16.4] [does not affect trunk])
Attachments (1 file): patch, 1.25 KB; reviews: gerv: review+, bbaetz: review+
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.11 [en]
Build Identifier: N/A
Collectstats.pl does not parse out quotes (i.e. ') in SQL queries and add a \ to
them. This is a security risk via SQL injection.
Reproducible: Always
Steps to Reproduce:
1. Add a bug with a title that contains a '
2. Setup collectstats.pl to run nightly
3. Wait for the fun
Actual Results:
DBD::mysql::st execute failed: You have an error in your SQL syntax. Check the
manual that corresponds to your MySQL server version for the right syntax to use
near 's Coolness'' at line 1 at globals.pl line 271.
[Wed Jul 23 00:05:02 2003] collectstats.pl: DBD::mysql::st execute failed: You
have an error in your SQL syntax. Check the manual that corresponds to your
MySQL server version for the right syntax to use near 's Coolness'' at line 1 at
globals.pl line 271.
[Wed Jul 23 00:05:02 2003] collectstats.pl: select count(bug_status) from bugs
where bug_status='NEW' and product='Scott's Coolness': You have an error in your
SQL syntax. Check the manual that corresponds to your MySQL server version for
the right syntax to use near 's Coolness'' at line 1 at globals.pl line 276.
./collectstats.pl: data/mining/-All-, Permission deniedContent-type: text/html
<H1>Software error:</H1>
<PRE>select count(bug_status) from bugs where bug_status='NEW' and
product='Scott's Coolness': You have an error in your SQL syntax. Check the
manual that corresponds to your MySQL server version for the right syntax to use
near 's Coolness'' at line 1 at globals.pl line 276.
</PRE>
<P>
For help, please send mail to this site's webmaster, giving this error message
and the time and date of the error.
Expected Results:
Worked, damnit.
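An added example, not Bugzilla's code, that reproduces the failure described in this report in Python with an in-memory sqlite3 database: the count query from the error output is run once with the product name pasted into the statement, as collectstats.pl did, and once with the name passed as a bound parameter. The 2.16.4 fix escaped the quotes instead; bound parameters are a second way to get the same safety. The `bugs` table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for Bugzilla's `bugs` table (assumption:
# the real table has many more columns; only the two used by the query matter).
SAMPLE_BUGS = [
    ("NEW", "Scott's Coolness"),
    ("NEW", "Scott's Coolness"),
    ("RESOLVED", "Scott's Coolness"),
    ("NEW", "Bugzilla"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bugs (bug_status TEXT, product TEXT)")
    conn.executemany("INSERT INTO bugs VALUES (?, ?)", SAMPLE_BUGS)
    return conn


def count_new_interpolated(conn, product):
    """Pre-fix pattern: the product name is pasted straight into the SQL.
    An apostrophe in the name closes the string literal early, so the
    statement no longer parses (the error quoted in the report), and any
    text after the apostrophe is read as SQL rather than as data."""
    sql = ("select count(bug_status) from bugs where bug_status='NEW' "
           "and product='%s'" % product)
    return conn.execute(sql).fetchone()[0]


def count_new_parameterized(conn, product):
    """Hardened form: the value travels as a bound parameter, so the
    database never interprets any character of the product name as SQL."""
    sql = ("select count(bug_status) from bugs where bug_status='NEW' "
           "and product=?")
    return conn.execute(sql, (product,)).fetchone()[0]


def demo(product="Scott's Coolness"):
    """Return (interpolated_result, parameterized_result); the first entry is
    the exception class name when the interpolated statement fails to parse."""
    conn = make_db()
    try:
        interp = count_new_interpolated(conn, product)
    except sqlite3.OperationalError as exc:
        interp = type(exc).__name__
    param = count_new_parameterized(conn, product)
    conn.close()
    return interp, param
```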
Comment 1•22 years ago
Andrew:
- You mean "product with an apostrophe", not "bug with a title containing an
apostrophe", don't you?
- Which version of Bugzilla are you running? I can't immediately reproduce this
on the tip (2.17.4+).
This is only a security risk if you don't trust the people you've given Bugzilla
administrator privileges (well, editproduct privileges) to.
Dave: I'm off on holiday in a couple of hours for three weeks. Can you look into
this, or delegate to someone?
Gerv
Comment 2•22 years ago
According to Bonsai, a fix for this was inadvertently checked into CVS as part
of the patch to change product references from using names to using IDs on
08/11/2002 22:42, which would have made this fixed in version 2.17.1.
However, I can reproduce it on 2.16.3
dave@landfill [8:15 bugzilla-2.16 3] tcsh# ./collectstats.pl
DBD::mysql::st execute failed: You have an error in your SQL syntax near 's test
product'' at line 1 at globals.pl line 271.
[Tue Jul 29 08:15:51 2003] collectstats.pl: DBD::mysql::st execute failed: You
have an error in your SQL syntax near 's test product'' at line 1 at globals.pl
line 271.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [wanted for 2.16.4] [does not affect trunk]
Comment 3•22 years ago
Would you agree that it's not a major security problem, as someone needs
editproducts to exploit it?
Gerv
Comment 4•22 years ago
ordinarily, yes, but since we already have other security issues pending for
2.16.4 anyway, there's no reason not to fix this at the same time.
Updated•21 years ago
Target Milestone: --- → Bugzilla 2.16
Comment 5•21 years ago
Updated•21 years ago
Attachment #130322 -
Flags: review?(myk)
Updated•21 years ago
Version: unspecified → 2.16.3
Updated•21 years ago
Attachment #130322 -
Flags: review?(bbaetz)
Comment 6•21 years ago
Comment on attachment 130322 [details] [diff] [review]
Patch against 2.16 branch
r=gerv.
Gerv
Attachment #130322 -
Flags: review?(myk) → review+
Updated•21 years ago
Attachment #130322 -
Flags: review?(bbaetz)
Updated•21 years ago
Whiteboard: [wanted for 2.16.4] [does not affect trunk] → [ready for 2.16.4] [does not affect trunk]
Comment 8•21 years ago
Checking in collectstats.pl;
/cvsroot/mozilla/webtools/bugzilla/collectstats.pl,v <-- collectstats.pl
new revision: 1.20.12.2; previous revision: 1.20.12.1
done
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Whiteboard: [ready for 2.16.4] [does not affect trunk] → [fixed in 2.16.4] [does not affect trunk]
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa