Closed Bug 423159 Opened 16 years ago Closed 16 years ago

WARNING: Unsafe use of LIKE detected!

Categories

(Firefox :: Bookmarks & History, defect, P2)

Product:
Firefox
Component:
Bookmarks & History
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 3

People

(Reporter: MatsPalmgren_bugz, Assigned: mak)

References

Details

(Keywords: regression)

Attachments

(1 file, 1 obsolete file)

patch
1.70 KB, patch
dietrich
: review+
Details | Diff | Splinter Review 
STEPS TO REPRODUCE
1. start Firefox trunk debug build on MacOSX and leave it open for a while

ACTUAL RESULTS
After a couple of minutes a few of these warnings appear on the console:

WARNING: Unsafe use of LIKE detected!  Please ensure that you are using mozIStorageConnection::escapeStringForLIKE and that you are binding that result to the statement to prevent SQL injection attacks.: file /Users/mats/ff-dtrace/mozilla/storage/src/mozStorageStatement.cpp, line 176


Requesting blocking-firefox3 since bug 419642 was.
BTW, if this is a condition that never should occur then I suggest
we make that warning an error instead.
Flags: blocking-firefox3?
start = {
  mStart = 0x1c186d90 "SELECT name FROM sqlite_master WHERE type = 'index' AND name = 'moz_places_visitcount' AND sql LIKE '%rev_host%'", 
  mEnd = 0x1c186e00 "", 
  mPosition = 0x1c186dee " LIKE '%rev_host%'"
}

(In reply to comment #2)
> Possibly related to bug 420164?
No, don't think so
(In reply to comment #1)
> start = {
>   mStart = 0x1c186d90 "SELECT name FROM sqlite_master WHERE type = 'index' AND
> name = 'moz_places_visitcount' AND sql LIKE '%rev_host%'", 

That query was added by bug 402161.
Blocks: 402161
Keywords: regression
there's no injection possibility there, still we can workaround to avoid the warning
OS: Mac OS X → All
to clarify, it's a fixed query that is executed on idle, to cleanup bogus data from the db. being a fixed query nobody can inject anything.
Assignee: nobody → mak77
Status: NEW → ASSIGNED
Attached patch patchSplinter Review 

        Attachment #310035 -
        Flags: review?(dietrich)

    
    

    
  
Comment on attachment 310035 [details] [diff] [review]
patch

Escaping a constant does not make much sense, we should simply bind the whole string "%rev_host%".

    
    

    
  
Comment on attachment 310035 [details] [diff] [review]
patch

oh well, i thought it was looking for correct use of escapeStringForLike, but from what i see in the source it's only looking for a bind (so ?, :, @)... imho that warning does not make sense at all, i could take a user value and bind it, without even having a warning...

hwv due to that, you're right and i'm going removing that

        Attachment #310035 -
        Flags: review?(dietrich)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch (obsolete)
        — Splinter Review
      

    


  

        Attachment #310035 -
        Attachment is obsolete: true

        Attachment #310246 -
        Flags: review?(dietrich)

    
  
Hardware: PC → All

    
    

    
  
(In reply to comment #8)
> (From update of attachment 310035 [details] [diff] [review])
> Escaping a constant does not make much sense, we should simply bind the whole
> string "%rev_host%".

Hm, stupid me, you have underscore (as wildchar) in your constant. So the previous patch was correct. I did not realize that when looking at the diff before. So this bug is not just about removing warning, it fixes the problem, that your match was too broad. It looks like the warning is on good place ;-)



    
    

    
  
Comment on attachment 310035 [details] [diff] [review]
patch

doh! "An underscore _ in the pattern matches any single character in the string"

well should not be a problem in both cases, we should not have many indexes called visitcount on a rev(a random char)host column. So both of the attached patches are good, perf should not be a problem, is a single query on a compact table on a long idle. let dietrich choose his preferred way

        Attachment #310035 -
        Attachment is obsolete: false
Flags: blocking-firefox3? → blocking-firefox3+
Priority: -- → P2
Target Milestone: --- → Firefox 3

    
    

    
  
Comment on attachment 310246 [details] [diff] [review]
patch

I'd prefer to have the underscore properly escaped. If it's not meant to be a wildcard, don't use it as one. Others, when later modifying this code, may also overlook it, creating the potential for future danger.

(In reply to comment #9)
> oh well, i thought it was looking for correct use of escapeStringForLike, but
> from what i see in the source it's only looking for a bind (so ?, :, @)... imho
> that warning does not make sense at all, i could take a user value and bind it,
> without even having a warning...

please file a followup against storage for this. Coding around a pointless warning is a waste of time. We should instead fix the warning to reduce false positives.

        Attachment #310246 -
        Flags: review?(dietrich) → review-

    
    

    
  
(In reply to comment #13)
> (From update of attachment 310246 [details] [diff] [review])
> I'd prefer to have the underscore properly escaped. If it's not meant to be a
> wildcard, don't use it as one. Others, when later modifying this code, may also

so, the first attachment should be fine :)

    
    

    
  
(In reply to comment #15)
> additional cases of WARNING: Unsafe use of LIKE detected! :
> 

please file a separate bug for those, assign to the test author.

Whiteboard: [checkin after b5 freeze]

    
  

        Attachment #310246 -
        Attachment is obsolete: true

    
  
Keywords: checkin-needed
Whiteboard: [checkin after b5 freeze]

    
    

    
  
Checking in toolkit/components/places/src/nsNavHistory.cpp;
/cvsroot/mozilla/toolkit/components/places/src/nsNavHistory.cpp,v  <--  nsNavHistory.cpp
new revision: 1.281; previous revision: 1.280
done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED

    
  
Keywords: checkin-needed

    
    

    
  
Bug 451915 - move Firefox/Places bugs to Firefox/Bookmarks and History. Remove all bugspam from this move by filtering for the string "places-to-b-and-h".

In Thunderbird 3.0b, you do that as follows:
Tools | Message Filters
Make sure the correct account is selected. Click "New"
Conditions: Body   contains   places-to-b-and-h
Change the action to "Delete Message".
Select "Manually Run" from the dropdown at the top.
Click OK.

Select the filter in the list, make sure "Inbox" is selected at the bottom, and click "Run Now". This should delete all the bugspam. You can then delete the filter.

Gerv
Component: Places → Bookmarks & History
QA Contact: places → bookmarks

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: