mahara-contributors team mailing list archive

Thread
Date

[Bug 1846653] [NEW] Need to correctly escape some plans sql queries

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
Date: Thu, 03 Oct 2019 21:52:20 -0000
Reply-to: Bug 1846653 <1846653@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Some of the SQL queries in artefact/plans/tools/ directory rely on
sprintf substitution. This is bad as it breaks for things like values
with single quote as part of the string.

We should do these SQL queries with the normal placeholder substitution
to avoid this breakage and potential security hole.

** Affects: mahara
     Importance: High
     Assignee: Robert Lyon (robertl-9)
         Status: In Progress

** Changed in: mahara
     Assignee: (unassigned) => Robert Lyon (robertl-9)

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1846653

Title:
  Need to correctly escape some plans sql queries

Status in Mahara:
  In Progress

Bug description:
  Some of the SQL queries in artefact/plans/tools/ directory rely on
  sprintf substitution. This is bad as it breaks for things like values
  with single quote as part of the string.

  We should do these SQL queries with the normal placeholder
  substitution to avoid this breakage and potential security hole.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1846653/+subscriptions

Follow ups

[Bug 1846653] Re: Need to correctly escape some plans sql queries
From: Cecilia Vela Gurovic, 2019-10-31
[Bug 1846653] A change has been merged
From: Mahara Bot, 2019-10-03
[Bug 1846653] Re: Need to correctly escape some plans sql queries
From: Robert Lyon, 2019-10-03
[Bug 1846653] A patch has been submitted for review
From: Mahara Bot, 2019-10-03