[jbossseam-issues] [JBoss JIRA] Closed: (JBSEAM-2099) Support protection against SQL injection in Query order parameter

Norman Richards (JIRA) jira-events at lists.jboss.org
Mon Oct 15 15:42:06 EDT 2007


     [ http://jira.jboss.com/jira/browse/JBSEAM-2099?page=all ]

Norman Richards closed JBSEAM-2099.
-----------------------------------

    Resolution: Done

Thanks for catching this.  After examining the issue, I implemented something very similar to Felix's suggestion to filter out sql injection hacks without imposing any other constraints on the parameter.

The use of the order attribute as a direct request parameter is inherently flawed.  We should change seam-gen, and perhaps the Query class itself, to support a better notion of sortable columns than passing text strings that get appended to the query.  What we are doing now is bad, and we should NOT be encouraging people to do it like that.




> Support protection against SQL injection in Query order parameter
> -----------------------------------------------------------------
>
>                 Key: JBSEAM-2099
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-2099
>             Project: JBoss Seam
>          Issue Type: Patch
>          Components: Framework
>    Affects Versions: 2.0.0.CR2
>            Reporter: Diego Ballve
>         Assigned To: Norman Richards
>            Priority: Critical
>             Fix For: 2.0.0.GA
>
>         Attachments: Query.diff
>
>
> From http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119810
> The 'order' parameter gets directly concatenated to the query. That would allow anything to get injected in the query, possibly resulting in a security threat. This patch gives the developer extending framework Query the chance to limit the acceptable order properties.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
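The pattern this issue describes, shown as an added example that is not Seam's code and not the Query.diff attached to the issue. It uses Python and an in-memory SQLite table instead of Seam's Query class and JPQL, so the table, its rows, the probe payload and the shape of the character filter are all constructed here for illustration. It shows three things in turn: the direct concatenation of the order string and how an attacker turns ORDER BY into a boolean oracle without changing the returned rows; a filter that rejects expressions but still accepts any column name, so it does not stop sorting by a column the response never exposes; and the allow-list of sortable keys that the closing comment argues for.

```python
import re
import sqlite3

# Constructed sample data for the demo (not from the issue). The column an
# attacker is interested in, is_admin, is never part of the result set.
PEOPLE = [
    (1, "alice", "alice@example.com", 1),
    (2, "bob", "bob@example.com", 0),
    (3, "carol", "carol@example.com", 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table person (id integer primary key, name text, "
        "email text, is_admin integer)"
    )
    conn.executemany("insert into person values (?, ?, ?, ?)", PEOPLE)
    return conn


def vulnerable_query(conn, order):
    """The flawed pattern: the request-supplied order string is appended
    verbatim to the query text. Bind parameters cannot help here, because
    ORDER BY takes an expression, not a value."""
    sql = "select id, name from person order by " + order
    return [row[1] for row in conn.execute(sql)]


def admin_probe(name):
    """Attacker payload (constructed): an ORDER BY expression whose sort
    direction depends on a subquery, so the row order alone leaks whether
    `name` is an admin, even though is_admin is never selected."""
    return (
        f"(case when (select is_admin from person where name='{name}')=1 "
        "then 1 else -1 end) * id"
    )


def infer_admin_via_order(conn, name):
    """Attacker-side oracle: the same rows come back either way, only
    their order changes (ascending by id means the condition held)."""
    return vulnerable_query(conn, admin_probe(name)) == vulnerable_query(conn, "id")


# A character-level filter in the spirit of "filter out injection without
# other constraints" (assumed shape, not Seam's actual filter): only bare
# identifiers, an optional asc/desc, commas and whitespace get through.
_ORDER_RE = re.compile(
    r"^\s*[A-Za-z_][\w.]*(?:\s+(?:asc|desc))?"
    r"(?:\s*,\s*[A-Za-z_][\w.]*(?:\s+(?:asc|desc))?)*\s*$",
    re.IGNORECASE,
)


def filtered_query(conn, order):
    """Blocks expressions and subqueries, but still lets the caller sort by
    any column, including ones not returned (e.g. is_admin), which leaks."""
    if not _ORDER_RE.match(order):
        raise ValueError(f"rejected order clause: {order!r}")
    return vulnerable_query(conn, order)


# Allow-list of the sort keys the application actually exposes, mapped to
# the column each one stands for. The request never supplies SQL text.
SORTABLE = {"id": "id", "name": "name", "email": "email"}


def hardened_query(conn, sort_key, descending=False):
    """A notion of sortable columns rather than a string appended to the
    query: unknown keys are refused, and direction is a boolean."""
    column = SORTABLE.get(sort_key)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort_key!r}")
    direction = "desc" if descending else "asc"
    sql = f"select id, name from person order by {column} {direction}"
    return [row[1] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("alice admin?", infer_admin_via_order(db, "alice"))
    print("bob admin?", infer_admin_via_order(db, "bob"))
    print("filter still leaks:", filtered_query(db, "is_admin desc")[0])
    print("allow-listed:", hardened_query(db, "name", descending=True))
```

The regex filter stops the probe payload because it contains parentheses and a comparison, but `is_admin desc` passes it and puts the admin first, so anyone who knows the schema can rank rows by a hidden column. The allow-list version closes that by design: the only strings that ever reach the query are the ones the application itself wrote.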
