Closed Bug 214290 Opened 22 years ago Closed 21 years ago

collectstats.pl does not add \'s to SQL queries for quotes

Categories

(Bugzilla :: Reporting/Charting, defect)

2.16.3
x86
Other
defect
Not set
major

Tracking


RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: eross_a, Assigned: justdave)

Details

(Whiteboard: [fixed in 2.16.4] [does not affect trunk])

Attachments

(1 file)

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.11 [en]
Build Identifier: N/A

Collectstats.pl does not parse out quotes (i.e. ') in SQL queries and add a \ to them. This is a security risk via SQL injection.

Reproducible: Always

Steps to Reproduce:
1. Add a bug with a title that contains a '
2. Setup collectstats.pl to run nightly
3. Wait for the fun

Actual Results:
DBD::mysql::st execute failed: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Coolness'' at line 1 at globals.pl line 271.
[Wed Jul 23 00:05:02 2003] collectstats.pl: DBD::mysql::st execute failed: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Coolness'' at line 1 at globals.pl line 271.
[Wed Jul 23 00:05:02 2003] collectstats.pl: select count(bug_status) from bugs where bug_status='NEW' and product='Scott's Coolness': You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Coolness'' at line 1 at globals.pl line 276.
./collectstats.pl: data/mining/-All-, Permission denied
Content-type: text/html

<H1>Software error:</H1>
<PRE>select count(bug_status) from bugs where bug_status='NEW' and product='Scott's Coolness': You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Coolness'' at line 1 at globals.pl line 276.
</PRE>
<P>
For help, please send mail to this site's webmaster, giving this error message and the time and date of the error.

Expected Results:
Worked, damnit.
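The failure this report describes, as an added Python example (not code from Bugzilla or from the patch on this bug): the same `select count(bug_status) ...` query built by pasting the product name into the SQL text breaks on a name containing an apostrophe, while the bound-parameter form handles it. It assumes a constructed in-memory SQLite table standing in for Bugzilla's `bugs` table, with only the two columns the failing query touches.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Bugzilla `bugs` table (assumption: only the
    two columns used by the collectstats query are modelled)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bugs (bug_status TEXT, product TEXT)")
    db.executemany("INSERT INTO bugs VALUES (?, ?)", [
        ("NEW", "Scott's Coolness"),
        ("NEW", "Scott's Coolness"),
        ("RESOLVED", "Scott's Coolness"),
        ("NEW", "Bugzilla"),
    ])
    return db


def count_new_interpolated(db, product):
    """The pattern the report complains about: the product name is spliced
    into the statement text, so an apostrophe in the name terminates the
    string literal early and the rest of the name is parsed as SQL."""
    sql = ("select count(bug_status) from bugs where bug_status='NEW' "
           "and product='" + product + "'")
    return db.execute(sql).fetchone()[0]


def count_new_parameterised(db, product):
    """Hardened form: the name is bound as a parameter and never becomes
    SQL text, so quoting rules of the database no longer matter. (Bugzilla's
    own fix used its SQL quoting helper; binding is the portable equivalent.)"""
    sql = "select count(bug_status) from bugs where bug_status='NEW' and product=?"
    return db.execute(sql, (product,)).fetchone()[0]


def demo(product="Scott's Coolness"):
    """Return (error text from the interpolated query or None,
    count from the parameterised query) for one product name."""
    db = make_db()
    try:
        count_new_interpolated(db, product)
        err = None
    except sqlite3.OperationalError as e:
        err = str(e)  # SQLite's equivalent of the MySQL syntax error above
    return err, count_new_parameterised(db, product)


if __name__ == "__main__":
    print(demo())            # (syntax error, 2)
    print(demo("Bugzilla"))  # (None, 1)
```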
Andrew:
- You mean "product with an apostrophe", not "bug with a title containing an apostrophe", don't you?
- Which version of Bugzilla are you running? I can't immediately reproduce this on the tip (2.17.4+).

This is only a security risk if you don't trust the people you've given Bugzilla administrator privileges (well, editproduct privileges) to.

Dave: I'm off on holiday in a couple of hours for three weeks. Can you look into this, or delegate to someone?

Gerv
According to Bonsai, a fix for this was inadvertently checked into CVS as part of the patch to change product references from using names to using IDs on 08/11/2002 22:42, which would have made this fixed in version 2.17.1. However, I can reproduce it on 2.16.3:

dave@landfill [8:15 bugzilla-2.16 3] tcsh# ./collectstats.pl
DBD::mysql::st execute failed: You have an error in your SQL syntax near 's test product'' at line 1 at globals.pl line 271.
[Tue Jul 29 08:15:51 2003] collectstats.pl: DBD::mysql::st execute failed: You have an error in your SQL syntax near 's test product'' at line 1 at globals.pl line 271.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [wanted for 2.16.4] [does not affect trunk]
Would you agree that it's not a major security problem, as someone needs editproducts to exploit it?

Gerv
Ordinarily, yes, but since we already have other security issues pending for 2.16.4 anyway, there's no reason not to fix this at the same time.
Target Milestone: --- → Bugzilla 2.16
Attachment #130322 - Flags: review?(myk)
Version: unspecified → 2.16.3
Attachment #130322 - Flags: review?(bbaetz)
Comment on attachment 130322 [details] [diff] [review]
Patch against 2.16 branch

r=gerv.

Gerv
Attachment #130322 - Flags: review?(myk) → review+
Attachment #130322 - Flags: review?(bbaetz)
Whiteboard: [wanted for 2.16.4] [does not affect trunk] → [ready for 2.16.4] [does not affect trunk]
-> patch author
Assignee: gerv → justdave
Flags: approval+
Checking in collectstats.pl;
/cvsroot/mozilla/webtools/bugzilla/collectstats.pl,v <-- collectstats.pl
new revision: 1.20.12.2; previous revision: 1.20.12.1
done
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Whiteboard: [ready for 2.16.4] [does not affect trunk] → [fixed in 2.16.4] [does not affect trunk]
Security advisory has been posted.
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa