Posted to dev@syncope.apache.org by "Francesco Chicchiriccò (JIRA)" <ji...@apache.org> on 2013/09/19 14:36:51 UTC

[jira] [Resolved] (SYNCOPE-416) AttributableSearchDAOImpl / Avoid query construction with string concatenation

     [ https://issues.apache.org/jira/browse/SYNCOPE-416?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francesco Chicchiriccò resolved SYNCOPE-416.
--------------------------------------------

    Resolution: Fixed

1_1_X: http://svn.apache.org/r1524713
trunk: http://svn.apache.org/r1524714
                
> AttributableSearchDAOImpl / Avoid query construction with string concatenation
> ------------------------------------------------------------------------------
>
>                 Key: SYNCOPE-416
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-416
>             Project: Syncope
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.1.3, 1.2.0
>            Reporter: Guido Wimmel
>            Assignee: Francesco Chicchiriccò
>            Priority: Minor
>             Fix For: 1.1.4, 1.2.0
>
>
> Is there any reason why in org.apache.syncope.core.persistence.impl.AttributableSearchDAOImpl:419
> the like condition is appended by string concatenation?
>     query.append(" LIKE '").append(cond.getExpression()).append("'");
> IMO this could open up a possible SQL injection vulnerability.
> In AttributableSearchDAOImpl:387 a query parameter is used, as I would have expected.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
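The two query-building styles the report contrasts (string concatenation at AttributableSearchDAOImpl:419 versus a bound parameter at AttributableSearchDAOImpl:387), shown side by side as an added example. This is Python against an in-memory SQLite table, not Syncope's code (the actual fix is in the linked revisions); the table, its rows, the function names and the test inputs are constructed for the demonstration, and a `?` placeholder stands in for a JPA named parameter.

```python
import sqlite3

# Constructed sample data, not taken from Syncope: a tiny attribute table.
SAMPLE_ROWS = [
    ("rossini", "user"),
    ("verdi", "user"),
    ("vivaldi", "admin"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attr_value (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO attr_value VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_concat(conn, expression):
    """The pattern the report objects to (cf. AttributableSearchDAOImpl:419):
    the LIKE operand is spliced into the SQL text with string concatenation.
    A quote inside `expression` closes the literal; the rest is parsed as SQL."""
    query = ("SELECT username FROM attr_value "
             "WHERE role = 'user' AND username LIKE '" + expression + "'")
    return [row[0] for row in conn.execute(query)]


def search_param(conn, expression):
    """The pattern used at AttributableSearchDAOImpl:387 (a '?' placeholder
    here instead of a JPA named parameter): the operand is bound by the
    driver, so it is always a string value and never part of the SQL text."""
    query = ("SELECT username FROM attr_value "
             "WHERE role = 'user' AND username LIKE ?")
    return [row[0] for row in conn.execute(query, (expression,))]


def escape_like(expression, escape="\\"):
    """Binding stops injection but does not neutralise LIKE wildcards.
    A caller wanting a literal match must also escape '%' and '_'."""
    return (expression.replace(escape, escape + escape)
                      .replace("%", escape + "%")
                      .replace("_", escape + "_"))


def search_param_literal(conn, value):
    """Bound parameter plus wildcard escaping: matches `value` exactly."""
    query = ("SELECT username FROM attr_value "
             "WHERE role = 'user' AND username LIKE ? ESCAPE '\\'")
    return [row[0] for row in conn.execute(query, (escape_like(value),))]


def compare(expression):
    """Run both builders on the same input and return their result lists."""
    conn = make_db()
    try:
        return {"concat": search_concat(conn, expression),
                "param": search_param(conn, expression)}
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary pattern: both variants agree.
    print(compare("v%"))
    # A value containing a quote: concatenation lets it bypass the role
    # filter, binding treats the whole string as the pattern (no match).
    print(compare("%' OR '1'='1"))
    # Exact match with wildcards escaped.
    print(search_param_literal(make_db(), "verdi"))
```

With the ordinary pattern both variants return the same single row; with a value containing a quote, the concatenated query no longer honours the `role = 'user'` filter and returns every row, while the bound version returns nothing because the whole string is just an unmatched pattern. The `escape_like` helper covers a separate point worth keeping in mind when reviewing the fix: a bound parameter makes the input data rather than SQL, but `%` and `_` inside it still act as wildcards unless escaped.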