[ http://jira.jboss.com/jira/browse/JBSEAM-2931?page=comments#action_12410942 ]
Felix Ho?feld commented on JBSEAM-2931:
---------------------------------------
Fair enough, but I think that restriction should be mentioned in the docs because
function-based sorting is quite common.
And it would also be nice if the error message were more informative, e.g.
"Invalid order clause \" + order +"\". Your order clause must not
contain any special characters."
CLONE - Support protection against SQL injection in Query order parameter
------------------------------------------------------------------------
Key: JBSEAM-2931
URL: http://jira.jboss.com/jira/browse/JBSEAM-2931
Project: Seam
Issue Type: Patch
Components: Framework
Affects Versions: 2.0.1.GA
Reporter: Felix Ho?feld
Assigned To: Norman Richards
Fix For: 2.0.2.CR1
From http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119810
The 'order' parameter gets directly concatenated to the query; that would allow
anything to get injected into the query, possibly resulting in a security threat. This patch
gives the developer extending framework Query the chance to limit the acceptable order
properties.
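To make the concern in this issue concrete, here is an added example (not Seam's own code and not the attached patch) of how a subclass of a framework Query could validate the order clause before it is concatenated into the query string. The property names, the query text, and the sample inputs are constructed for illustration; the rejection message is the one suggested in the comment above. Note that, as the comment points out, a plain allow-list of property names also rejects function-based sorting such as lower(name), so that restriction has to be documented.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example, not part of Seam: an allow-list check for an ORDER BY clause
 * applied before the clause is appended to JPQL/HQL. Everything below
 * (entity name, sortable properties, sample inputs) is constructed.
 */
public class OrderClauseCheck {

    // Properties this query is willing to sort on (constructed sample list).
    private static final Set<String> ALLOWED_PROPERTIES =
            new HashSet<>(Arrays.asList("name", "price", "createdDate"));

    // One "property [asc|desc]" item: a dotted identifier plus optional direction,
    // nothing else (no parentheses, semicolons, comments or operators).
    private static final Pattern ITEM = Pattern.compile(
            "^\\w+(?:\\.\\w+)*(?:\\s+(?:asc|desc))?$", Pattern.CASE_INSENSITIVE);

    /** Accepts only comma-separated, allow-listed property items; throws otherwise. */
    static String validateOrder(String order) {
        if (order == null || order.trim().isEmpty()) {
            return null;
        }
        for (String item : order.split(",")) {
            String trimmed = item.trim();
            if (!ITEM.matcher(trimmed).matches()) {
                throw new IllegalArgumentException("Invalid order clause \"" + order
                        + "\". Your order clause must not contain any special characters.");
            }
            String property = trimmed.split("\\s+")[0];
            if (!ALLOWED_PROPERTIES.contains(property)) {
                throw new IllegalArgumentException("Invalid order clause \"" + order
                        + "\". Property \"" + property + "\" is not sortable.");
            }
        }
        return order.trim();
    }

    /** Before: the order string is appended verbatim, so whatever arrives becomes query text. */
    static String unsafeQuery(String order) {
        return "select p from Product p" + (order == null ? "" : " order by " + order);
    }

    /** After: the same concatenation, but only once validateOrder has accepted the clause. */
    static String safeQuery(String order) {
        String checked = validateOrder(order);
        return "select p from Product p" + (checked == null ? "" : " order by " + checked);
    }

    public static void main(String[] args) {
        System.out.println(safeQuery("price desc, name"));
        // Constructed inputs that the check rejects: injected statement text,
        // a function-based sort, and a property that is not on the allow-list.
        for (String bad : new String[] {"price desc; drop table Product", "lower(name)", "id"}) {
            try {
                safeQuery(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The regex only guards the shape of each item; the allow-list is what actually limits the acceptable order properties, which is the approach the issue description asks for. Because sort directions are matched case-insensitively but property names are compared exactly, the allow-list should use the same spelling as the entity's attributes.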
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira