Closed
Bug 701920
Opened 14 years ago
Closed 13 years ago
use prepared statements in dxr to avoid sql injection
Categories
(Webtools Graveyard :: DXR, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: taras.mozilla, Assigned: carlos)
Details
Attachments (1 file, 1 obsolete file)
patch, 4.00 KB, ehsan.akhgari: review+
Comment 1•14 years ago
I propose using placeholders and abandon the custom quoting. Also since I noticed it, I removed fetch_all here and a handful more places so that rows are iterated over and not kept in memory completely.
Attachment #574579 -
Flags: review?(Pidgeot18)
Comment 2•14 years ago
Why not use the DB-API’s parameter substitution (http://docs.python.org/library/sqlite3.html#sqlite3.Cursor.execute)? Or am I missing something here?
Comment 3•14 years ago
Ah, Christian's patch is doing that. I was confused by the name placeholders. Sorry for the noise!
Comment 4•14 years ago
I discovered that I left out the % from the LIKE, the updated patch corrects that.
Attachment #574579 -
Attachment is obsolete: true
Attachment #574579 -
Flags: review?(Pidgeot18)
Attachment #575201 -
Flags: review?(Pidgeot18)
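What the patch in comment 1 and the LIKE fix in comment 4 amount to, as an added illustration that is not DXR's own code: the search term is bound with a sqlite3 placeholder, the `%` wildcards are added to the parameter value rather than to the SQL text, LIKE metacharacters in user input are escaped so they match literally, and rows are iterated from the cursor instead of loaded with fetchall(). The `files` table and its rows are constructed for this example and are not DXR's schema.

```python
import sqlite3

# Constructed sample rows, loosely modelled on a code-index table.
# The table and column names are assumptions, not DXR's real schema.
SAMPLE_FILES = [
    (1, "dxr/sql.py"),
    (2, "dxr/query.py"),
    (3, "tests/test_100%.py"),
    (4, "README"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, path TEXT NOT NULL)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_FILES)
    return conn


def like_literal(text):
    """Escape LIKE metacharacters so user text matches literally.

    A placeholder keeps the value out of the SQL grammar, but '%' and '_'
    are still wildcards inside the LIKE pattern, so they need escaping too.
    """
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def find_paths(conn, needle):
    """Substring search over file paths using a bound parameter.

    The '%' wildcards are part of the bound value, not the statement text,
    which is the detail comment 4 on the bug corrected.
    """
    pattern = "%" + like_literal(needle) + "%"
    cur = conn.execute(
        "SELECT path FROM files WHERE path LIKE ? ESCAPE '\\' ORDER BY id",
        (pattern,),
    )
    # Iterate the cursor rather than calling fetchall(), so large
    # result sets stream instead of being held in memory at once.
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    print(find_paths(db, "dxr/"))        # both dxr/ paths
    print(find_paths(db, "100%"))        # literal '%' is matched, not a wildcard
    print(find_paths(db, "' OR 1=1 --"))  # quotes are data: no rows match
```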
Updated•14 years ago
Assignee: nobody → christian.dywan
Updated•14 years ago
Attachment #575201 -
Flags: review?(Pidgeot18) → review?(ehsan)
Updated•14 years ago
Status: NEW → ASSIGNED
Comment 5•14 years ago
How does removing the fetchall calls help with SQL injection attacks?
Comment 6•14 years ago
Comment on attachment 575201 [details] [diff] [review]
use prepared statements in dxr to avoid sql injection #2
Clearing the request waiting on the response to my comment...
Attachment #575201 -
Flags: review?(ehsan)
Comment 7•14 years ago
(In reply to Ehsan Akhgari [:ehsan] from comment #5)
> How does removing the fetchall calls help with SQL injection attacks?
It doesn't. I just wasn't keen on a tiny second patch with that huge number of unreviewed patches waiting to conflict. Feel free to split it or whatever.
Updated•14 years ago
Attachment #575201 -
Flags: review?(ehsan)
Comment 8•14 years ago
Comment on attachment 575201 [details] [diff] [review]
use prepared statements in dxr to avoid sql injection #2
Nah, not worth splitting...
Attachment #575201 -
Flags: review?(ehsan) → review+
Comment 9•13 years ago
That one is mostly fixed
Assignee: christian → carlos
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•5 years ago
Product: Webtools → Webtools Graveyard