Invalid SQL statement for nsOfflineCacheDevice::EvictEntries with used clientID

RESOLVED FIXED

Core
Networking: Cache

People

(Reporter: Ondrej Brablc, Unassigned)

Tracking

Trunk

Description

10 years ago
During an audit of all SQL statements (bug 405920) it was found that the module nsDiskCacheDeviceSQL.cpp contains, on line 1257, code that would lead to an invalid SQL statement.

The problem is invalid conversion specification %q in the following formatting string:

      PR_smprintf("DELETE FROM moz_cache WHERE ClientID=%q AND Flags=0;",
                  clientID);

PR_smprintf calls dosprintf, where it can be seen that an invalid conversion specification is ignored and copied to the output string as-is. The source of this bug could be the sqlite extension in the sqlite3_mprintf function, where %q converts a string by escaping single quotes. However, even in that case the code would be wrong, because %q needs to be enclosed in single quotes.

The code should be fixed by binding the string parameter. The unit test should be enhanced to cover this scenario.

There is no security risk; the code just does not work.
This is no longer a valid bug. The code has been changed to bind the parameter, because ClientID is built from the manifest URL (from a public source).
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
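An added illustration of the two points raised in this bug (it is not Mozilla's code): splicing a client ID into the DELETE text breaks the statement as soon as the ID contains a single quote, while binding the parameter as the fix requests treats the same value as plain data. The moz_cache table, its rows and the manifest URLs are constructed stand-ins, not the real cache schema.

```python
import sqlite3

# Constructed stand-in for the moz_cache table: just the two columns the
# reported statement touches, with sample rows (not Mozilla's schema/data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_cache (ClientID TEXT, Flags INTEGER)")
    conn.executemany(
        "INSERT INTO moz_cache VALUES (?, ?)",
        [("http://example.test/a.manifest", 0),
         ("http://example.test/a.manifest", 1),
         ("http://other.test/b.manifest", 0)],
    )
    conn.commit()
    return conn

def evict_unbound(conn: sqlite3.Connection, client_id: str) -> int:
    """The pattern the bug reports: the ID is formatted into the SQL text.
    Any single quote in client_id leaves SQLite with a malformed statement."""
    sql = "DELETE FROM moz_cache WHERE ClientID='%s' AND Flags=0;" % client_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount

def evict_bound(conn: sqlite3.Connection, client_id: str) -> int:
    """The requested fix: bind the value, so its characters are never SQL."""
    cur = conn.execute(
        "DELETE FROM moz_cache WHERE ClientID=? AND Flags=0;", (client_id,))
    conn.commit()
    return cur.rowcount

def remaining(conn: sqlite3.Connection) -> int:
    """Rows left in the table after an eviction."""
    return conn.execute("SELECT COUNT(*) FROM moz_cache").fetchone()[0]

def unbound_fails(client_id: str) -> bool:
    """True when SQLite rejects the spliced statement for this client_id."""
    try:
        evict_unbound(make_db(), client_id)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    quoted = "http://example.test/it's.manifest"
    print("unbound breaks on a quote:", unbound_fails(quoted))   # True
    print("bound handles it as data:", evict_bound(make_db(), quoted))  # 0
```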