Closed Bug 214290 Opened 16 years ago Closed 16 years ago

collectstats.pl does not add \'s to SQL queries for quotes

Categories

(Bugzilla :: Reporting/Charting, defect, major)

2.16.3
x86
Other
defect
Not set
major

Tracking


RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: eross_a, Assigned: justdave)

Details

(Whiteboard: [fixed in 2.16.4] [does not affect trunk])

Attachments

(1 file)

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.11  [en]
Build Identifier: N/A

Collectstats.pl does not parse out quotes (i.e. ') in SQL queries and add a \ to 
them. This is a security risk via SQL injection.

Reproducible: Always

Steps to Reproduce:
1. Add a bug with a title that contains a '
2. Setup collectstats.pl to run nightly
3. Wait for the fun

Actual Results:  
DBD::mysql::st execute failed: You have an error in your SQL syntax.  Check the 
manual that corresponds to your MySQL server version for the right syntax to use 
near 's Coolness'' at line 1 at globals.pl line 271.
[Wed Jul 23 00:05:02 2003] collectstats.pl: DBD::mysql::st execute failed: You 
have an error in your SQL syntax.  Check the manual that corresponds to your 
MySQL server version for the right syntax to use near 's Coolness'' at line 1 at 
globals.pl line 271.
[Wed Jul 23 00:05:02 2003] collectstats.pl: select count(bug_status) from bugs 
where bug_status='NEW' and product='Scott's Coolness': You have an error in your 
SQL syntax.  Check the manual that corresponds to your MySQL server version for 
the right syntax to use near 's Coolness'' at line 1 at globals.pl line 276.
./collectstats.pl: data/mining/-All-, Permission deniedContent-type: text/html

<H1>Software error:</H1>
<PRE>select count(bug_status) from bugs where bug_status='NEW' and 
product='Scott's Coolness': You have an error in your SQL syntax.  Check the 
manual that corresponds to your MySQL server version for the right syntax to use 
near 's Coolness'' at line 1 at globals.pl line 276.
</PRE>
<P>
For help, please send mail to this site's webmaster, giving this error message 
and the time and date of the error.
Expected Results:  
Worked, damnit.
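The query shape from the error output above, reconstructed here as an added example (not the project's code and not the 2.16.4 patch): the interpolated form fails exactly the way the report shows, while the placeholder form returns the count. It assumes DBD::SQLite is installed as a stand-in for the MySQL database collectstats.pl ran against.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory table standing in for Bugzilla's bugs table
# (assumption: DBD::SQLite is available; the real script used MySQL).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE bugs (bug_status TEXT, product TEXT)");
$dbh->do("INSERT INTO bugs VALUES ('NEW', 'Scott''s Coolness')");
$dbh->do("INSERT INTO bugs VALUES ('NEW', 'Scott''s Coolness')");
$dbh->do("INSERT INTO bugs VALUES ('RESOLVED', 'Scott''s Coolness')");

# Product name with an apostrophe, as in the report.
my $product = "Scott's Coolness";

# Pattern matching the 2.16.3 behaviour: the product name is interpolated
# straight into the statement, so the apostrophe closes the string literal
# and the remainder of the name is parsed as SQL.
sub count_interpolated {
    my ($status, $prod) = @_;
    my $sql = "SELECT COUNT(bug_status) FROM bugs "
            . "WHERE bug_status='$status' AND product='$prod'";
    return $dbh->selectrow_array($sql);
}

# Hardened pattern: placeholders pass the values to the driver separately,
# so the driver handles quoting and a value can never change the statement.
sub count_bound {
    my ($status, $prod) = @_;
    my $sql = "SELECT COUNT(bug_status) FROM bugs "
            . "WHERE bug_status=? AND product=?";
    return $dbh->selectrow_array($sql, undef, $status, $prod);
}

my $n = eval { count_interpolated('NEW', $product) };
print "interpolated: ", (defined $n ? "$n\n" : "failed: $@");
print "bound:        ", count_bound('NEW', $product), "\n";
```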

Andrew:

- You mean "product with an apostrophe", not "bug with a title containing an
apostrophe", don't you?

- Which version of Bugzilla are you running? I can't immediately reproduce this
on the tip (2.17.4+).

This is only a security risk if you don't trust the people you've given Bugzilla
administrator privileges (well, editproduct privileges) to.

Dave: I'm off on holiday in a couple of hours for three weeks. Can you look into
this, or delegate to someone?

Gerv

According to Bonsai, a fix for this was inadvertently checked into CVS as part
of the patch to change product references from using names to using IDs on
08/11/2002 22:42, which would have made this fixed in version 2.17.1.

However, I can reproduce it on 2.16.3

dave@landfill [8:15 bugzilla-2.16 3] tcsh# ./collectstats.pl 
DBD::mysql::st execute failed: You have an error in your SQL syntax near 's test
product'' at line 1 at globals.pl line 271.
[Tue Jul 29 08:15:51 2003] collectstats.pl: DBD::mysql::st execute failed: You
have an error in your SQL syntax near 's test product'' at line 1 at globals.pl
line 271.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [wanted for 2.16.4] [does not affect trunk]

Would you agree that it's not a major security problem, as someone needs
editproducts to exploit it?

Gerv

Ordinarily, yes, but since we already have other security issues pending for
2.16.4 anyway, there's no reason not to fix this at the same time.
Target Milestone: --- → Bugzilla 2.16
Attachment #130322 - Flags: review?(myk)
Version: unspecified → 2.16.3
Attachment #130322 - Flags: review?(bbaetz)
Comment on attachment 130322 [details] [diff] [review]
Patch against 2.16 branch

r=gerv.

Gerv
Attachment #130322 - Flags: review?(myk) → review+
Attachment #130322 - Flags: review?(bbaetz)
Whiteboard: [wanted for 2.16.4] [does not affect trunk] → [ready for 2.16.4] [does not affect trunk]
-> patch author
Assignee: gerv → justdave
Flags: approval+
Checking in collectstats.pl;
/cvsroot/mozilla/webtools/bugzilla/collectstats.pl,v  <--  collectstats.pl
new revision: 1.20.12.2; previous revision: 1.20.12.1
done
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [ready for 2.16.4] [does not affect trunk] → [fixed in 2.16.4] [does not affect trunk]

Security advisory has been posted.
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa