[
http://jira.jboss.com/jira/browse/JBSEAM-2931?page=all ]
Pete Muir updated JBSEAM-2931:
------------------------------
Summary: Document that the orderBy property of an EntityQuery is limited by a
regex (was: CLONE -Support protection against SQL injection in Query order parameter)
Issue Type: Task (was: Patch)
Fix Version/s: 2.0.2.CR2
2.1.0.BETA1
Description:
We have an existing application running Seam 1.2. Today I tried upgrading to Seam
2.0.1.GA. In the process I discovered that the fix for JBSEAM-2099 breaks the application
because the application uses lots of query objects with an order clause that sorts on the
result of an function, namely UPPER(): order="UPPER(p.lastname)".
This used to work under 1.2. So this is a regression that probably does affect a lot of
real world applications. I have suggested the original fix and have to say it is not done
probably. Even my latest version is not the proper way to fix this as it will not allow
functions with multiple arguments, nor concatenations of properties, nor computing the
order by-value... To fix this properly it definitly takes an EJBQL-Expert greater than me
:-) I'm not even sure if there is an SQL-Injection threat here.
I don't mind implementing an insufficient fix for my special problem myself by
extending the Query object and binding that to a custom namespace but I would appreciate
if
a.) the regression would be properly documented, and
b.) the error message would tell the user what happened and what is necessary to fix it.
was:
The 'order' parameter gets directly concatenaded to the query.. that would allow
anything to get injected in the query, possibly resulting in a security threat. This patch
gives the developer extending framework Query the chance to limit the acceptable order
properties.
Assignee: (was: Norman Richards)
Priority: Minor (was: Major)
Document that the orderBy property of an EntityQuery is limited by a
regex
--------------------------------------------------------------------------
Key: JBSEAM-2931
URL:
http://jira.jboss.com/jira/browse/JBSEAM-2931
Project: Seam
Issue Type: Task
Components: Framework
Affects Versions: 2.0.1.GA
Reporter: Felix Ho?feld
Priority: Minor
Fix For: 2.0.2.CR2, 2.1.0.BETA1
We have an existing application running Seam 1.2. Today I tried upgrading to Seam
2.0.1.GA. In the process I discovered that the fix for JBSEAM-2099 breaks the application
because the application uses lots of query objects with an order clause that sorts on the
result of an function, namely UPPER(): order="UPPER(p.lastname)".
This used to work under 1.2. So this is a regression that probably does affect a lot of
real world applications. I have suggested the original fix and have to say it is not done
probably. Even my latest version is not the proper way to fix this as it will not allow
functions with multiple arguments, nor concatenations of properties, nor computing the
order by-value... To fix this properly it definitly takes an EJBQL-Expert greater than me
:-) I'm not even sure if there is an SQL-Injection threat here.
I don't mind implementing an insufficient fix for my special problem myself by
extending the Query object and binding that to a custom namespace but I would appreciate
if
a.) the regression would be properly documented, and
b.) the error message would tell the user what happened and what is necessary to fix it.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira