
yahoo-eng-team team mailing list archive

[Bug 1190226] Re: Potential SQL injections


Turning into Wishlist bug as suggested by Chuck on comment 2

** Information type changed from Private Security to Public

** No longer affects: ossa

** Changed in: swift
   Importance: Undecided => Wishlist

** Changed in: swift
       Status: Invalid => Confirmed

** Summary changed:

- Potential SQL injections
+ Raw SQL used in swift/swift/common/db.py could be escaped

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1190226

Title:
  Raw SQL used in swift/swift/common/db.py could be escaped

Status in OpenStack Compute (Nova):
  Invalid
Status in OpenStack Object Storage (Swift):
  Confirmed

Bug description:
  Grant Murphy (gmurphy@xxxxxxxxxx) conducted an audit of OpenStack and
  reported the following potential SQL injection vulnerabilities in
  Swift and Nova. These may well not be exploitable; we need to
  double-check them.

  swift/swift/common/db.py:376: UPDATE %s_stat SET id=?
  swift/swift/common/db.py:379: SELECT ROWID FROM %s ORDER BY ROWID DESC LIMIT 1
  swift/swift/common/db.py:403: UPDATE %s_stat SET created_at=MIN(?, created_at),
  swift/swift/common/db.py:424: SELECT * FROM %s WHERE ROWID > ? ...
  swift/swift/common/db.py:440: "SELECT sync_point FROM %s_sync WHERE remote_id=?"
  swift/swift/common/db.py:456: SELECT remote_id, sync_point FROM %s_sync
  swift/swift/common/db.py:512: INSERT INTO %s_sync (sync_point, remote_id)
  swift/swift/common/db.py:518: UPDATE %s_sync SET sync_point=max(?, sync_point)
  swift/swift/common/db.py:561: metadata = conn.execute('SELECT metadata FROM %s_stat' %
  swift/swift/common/db.py:592: md = conn.execute('SELECT metadata FROM %s_stat' %
  swift/swift/common/db.py:607: conn.execute('UPDATE %s_stat SET metadata = ?' %
  swift/swift/common/db.py:633: md = conn.execute('SELECT metadata FROM %s_stat' %
  swift/swift/common/db.py:644: conn.execute('UPDATE %s_stat SET metadata = ?' %

  nova/nova/virt/hyperv/volumeutils.py:78: "WHERE TargetName='%s'" % target_iqn)
  nova/nova/virt/hyperv/hostutils.py:66: "WHERE DeviceID='%s'"
  nova/nova/virt/hyperv/basevolumeutils.py:123: "Class WHERE TargetName='%s'"
  nova/nova/db/sqlalchemy/utils.py:64:    return "INSERT INTO %s %s" % (
  nova/nova/db/sqlalchemy/migrate_repo/versions/152_change_type_of_deleted_column.py:40: return "INSERT INTO %s %s" % (

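Added example, not Swift's own code and not part of the bug report: the db.py lines listed above format the table prefix with "%s" because SQLite can only bind values, not identifiers, through "?" placeholders. Assuming the prefix is an internal name such as "account" or "container" (an assumption here), the defensive pattern is an allowlist check on the identifier before it is interpolated, while every value still travels as a "?" parameter.

```python
import re
import sqlite3

# Constructed allowlist (assumed): the only table prefixes the code is
# expected to ever use. Anything else is refused before string formatting.
KNOWN_DB_TYPES = frozenset({"account", "container"})
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def stat_table(db_type):
    """Return '<db_type>_stat', refusing prefixes outside the allowlist."""
    if db_type not in KNOWN_DB_TYPES or not _IDENT_RE.match(db_type):
        raise ValueError("refusing to interpolate table prefix %r" % (db_type,))
    return "%s_stat" % db_type


def make_db(db_type):
    """Constructed in-memory database with a single <db_type>_stat row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE %s (id TEXT, metadata TEXT)" % stat_table(db_type))
    conn.execute("INSERT INTO %s (id, metadata) VALUES (?, ?)" % stat_table(db_type),
                 ("db-1", "{}"))
    return conn


def update_metadata(conn, db_type, metadata):
    # Identifier validated by stat_table(); the value is bound, never formatted in.
    conn.execute("UPDATE %s SET metadata = ?" % stat_table(db_type), (metadata,))
    conn.commit()


def get_metadata(conn, db_type):
    row = conn.execute("SELECT metadata FROM %s" % stat_table(db_type)).fetchone()
    return row[0]


def rejects(db_type):
    """True if stat_table() refuses this prefix, False if it is accepted."""
    try:
        stat_table(db_type)
    except ValueError:
        return True
    return False
```

A value containing a quote character (as in the test below) round-trips unchanged because it is bound with "?", which is the distinction the audit's two groups of findings turn on.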