[ http://jira.jboss.com/jira/browse/JBSEAM-2099?page=all ]
Norman Richards closed JBSEAM-2099.
-----------------------------------
Resolution: Done
Thanks for catching this. After examining the issue, I implemented something very similar
to Felix's suggestion to filter out sql injection hacks without imposing any other
constraints on the parameter.
The use of the order attribute as a direct request parameter is inherently flawed. We
should change seam-gen, and perhaps the Query class itself, to support a better notion of
sortable columns than passing text strings that get appended to the query. What we are
doing now is bad, and we should NOT be encouraging people to do it like that.
Support protection against SQL injection in Query order parameter
-----------------------------------------------------------------
Key: JBSEAM-2099
URL: http://jira.jboss.com/jira/browse/JBSEAM-2099
Project: JBoss Seam
Issue Type: Patch
Components: Framework
Affects Versions: 2.0.0.CR2
Reporter: Diego Ballve
Assigned To: Norman Richards
Priority: Critical
Fix For: 2.0.0.GA
Attachments: Query.diff
From
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119810
The 'order' parameter gets directly concatenated to the query. That would allow
anything to get injected in the query, possibly resulting in a security threat. This patch
gives the developer extending framework Query the chance to limit the acceptable order
properties.
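The two patterns discussed in this issue, shown side by side as an added example (this is not the attached Query.diff, nor code from the Seam framework; the class, method and property names are assumed for illustration). The vulnerable method appends the request value verbatim, which is the behaviour the report describes; the hardened method implements the "notion of sortable columns" Norman mentions: the request may only name a logical sort key from a fixed whitelist, which is then mapped to the real property path, and the direction is restricted to asc/desc.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Illustrative example only (not Seam's org.jboss.seam.framework.Query).
 * Compares appending a request-supplied order string verbatim with
 * validating it against a whitelist of sortable properties.
 */
public class OrderClauseExample {

    /** The pattern the issue reports: whatever arrives in the request is appended unchanged. */
    static String vulnerableQuery(String ejbql, String order) {
        return ejbql + " order by " + order;
    }

    /** Whitelist: logical sort key (as allowed in the request) -> property path used in the query. */
    static final Map<String, String> SORTABLE;
    static {
        Map<String, String> m = new LinkedHashMap<String, String>();
        m.put("name", "p.name");          // assumed entity properties
        m.put("price", "p.price");
        m.put("created", "p.createdDate");
        SORTABLE = Collections.unmodifiableMap(m);
    }

    /**
     * Hardened version: accepts "<key>" or "<key> asc|desc" only, where <key> is a whitelisted
     * logical name. Anything else is rejected, so no request text ever reaches the query.
     */
    static String safeQuery(String ejbql, String order) {
        if (order == null || order.trim().length() == 0) {
            return ejbql;                          // no ordering requested
        }
        String[] parts = order.trim().split("\\s+");
        if (parts.length > 2) {
            throw new IllegalArgumentException("Unsupported order expression: " + order);
        }
        String path = SORTABLE.get(parts[0].toLowerCase());
        if (path == null) {
            throw new IllegalArgumentException("Not a sortable property: " + parts[0]);
        }
        String direction = "asc";
        if (parts.length == 2) {
            String d = parts[1].toLowerCase();
            if (!d.equals("asc") && !d.equals("desc")) {
                throw new IllegalArgumentException("Invalid sort direction: " + parts[1]);
            }
            direction = d;
        }
        // Only constant strings from the whitelist and the two direction keywords are appended.
        return ejbql + " order by " + path + " " + direction;
    }

    public static void main(String[] args) {
        String base = "select p from Product p";
        // Constructed sample request values: two legitimate, three that the whitelist rejects.
        String[] inputs = { "name", "price DESC", "price desc, secret", "unknownColumn", "name sideways" };
        for (String in : inputs) {
            System.out.println("request order = \"" + in + "\"");
            System.out.println("  vulnerable : " + vulnerableQuery(base, in));
            try {
                System.out.println("  hardened   : " + safeQuery(base, in));
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened   : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Mapping a logical key to the property path (rather than validating the raw path with a regular expression) is what lets the whitelist double as the list of sortable columns seam-gen could generate per entity: the request vocabulary is fixed at development time and the query text never contains user-controlled characters.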
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira