
slub.team team mailing list archive

[Bug 938517] Re: SQL injection on login form

 

** Branch linked: lp:~ralf-claussnitzer/goobi-production/bug-938517

** Changed in: goobi-production
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Saxon
State Library Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/938517

Title:
  SQL injection on login form

Status in Goobi.Production:
  Fix Committed
Status in Goobi.Production 1.7 series:
  Fix Committed

Bug description:
  In file src/de/sub/goobi/forms/LoginForm.java, method Einloggen(), line
  104 is a possible SQL injection source. A login value (login name) is
  directly submitted into the database without proper escaping, as
  described in
  http://blog.harpoontech.com/2008/10/how-to-avoid-sql-injection-in-hibernate.html.
  There are some guidelines to prevent SQL injection in Hibernate, such as
  https://www.owasp.org/index.php/Hibernate-Guidelines

To manage notifications about this bug go to:
https://bugs.launchpad.net/goobi-production/+bug/938517/+subscriptions
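
The pattern named in the bug description, next to the bound-parameter form the linked guidelines recommend, as an added example: this is not code from LoginForm.java or from the Goobi project. The `Account` entity, its mapping, and both method names are hypothetical.

```java
import org.hibernate.Session;

/** Hypothetical entity, assumed to be mapped in the Hibernate configuration. */
class Account {
    private Integer id;
    private String login;

    public Integer getId() { return id; }
    public void setId(Integer id) { this.id = id; }
    public String getLogin() { return login; }
    public void setLogin(String login) { this.login = login; }
}

public class LoginLookup {

    // Pattern the report describes: the login name becomes part of the query
    // text, so a quote character in it ends the string literal and whatever
    // follows is parsed as HQL instead of being compared as data.
    static Account findByLoginConcatenated(Session session, String login) {
        String hql = "from Account where login = '" + login + "'";
        return (Account) session.createQuery(hql).uniqueResult();
    }

    // Bound parameter: the query text is a constant and the login name is
    // passed as a value, so it is only ever compared against the column.
    static Account findByLoginBound(Session session, String login) {
        if (login == null || login.isEmpty()) {
            return null; // nothing to look up
        }
        return (Account) session
                .createQuery("from Account where login = :login")
                .setParameter("login", login)
                .uniqueResult();
    }
}
```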

