[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2931) CLONE -Support protection against SQL injection in Query order parameter

Felix Ho?feld (JIRA) jira-events at lists.jboss.org
Mon Apr 28 12:01:08 EDT 2008


    [ http://jira.jboss.com/jira/browse/JBSEAM-2931?page=comments#action_12410942 ] 
            
Felix Ho?feld commented on JBSEAM-2931:
---------------------------------------

Fair enough, but I think that restriction should be mentioned in the docs because function-based sorting is quite common.

And it would also be nice if the error message were more informative, e.g. "Invalid order clause \"" + order + "\". Your order clause must not contain any special characters."

> CLONE -Support protection against SQL injection in Query order parameter
> ------------------------------------------------------------------------
>
>                 Key: JBSEAM-2931
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-2931
>             Project: Seam
>          Issue Type: Patch
>          Components: Framework
>    Affects Versions: 2.0.1.GA
>            Reporter: Felix Ho?feld
>         Assigned To: Norman Richards
>             Fix For: 2.0.2.CR1
>
>
> From http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119810
> The 'order' parameter gets directly concatenated to the query. That would allow anything to get injected into the query, possibly resulting in a security threat. This patch gives the developer extending framework Query the chance to limit the acceptable order properties.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
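The pattern the issue describes (the 'order' value concatenated straight into the query) and the restriction Felix is discussing (a whitelist of sortable terms, with function-based sorting only where explicitly allowed, and an error message that names the rejected clause) are shown below in an added, stand-alone example. It is not Seam's Query class and not the JBSEAM-2931 patch; the class name OrderClauseGuard, its methods, the Person entity and the property names are assumed for illustration, and the injected value is a constructed sample.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical guard for a Query 'order' parameter (added example, not Seam code).
 * Everything that is not literally on the whitelist is rejected before it is
 * concatenated into the query string.
 */
public class OrderClauseGuard {

    /** The pattern the issue warns about: the caller-supplied value is concatenated unchecked. */
    public static String vulnerableQuery(String ejbql, String order) {
        return ejbql + " order by " + order;
    }

    // Splits an optional trailing "asc"/"desc" off one term, e.g. "lower(name) desc".
    private static final Pattern TERM = Pattern.compile(
            "^(.+?)(?:\\s+(asc|desc))?$", Pattern.CASE_INSENSITIVE);

    private final Set<String> allowed;

    /**
     * @param allowed exact property paths and function expressions the query may be
     *                sorted by, e.g. "name", "address.city", "lower(name)".
     *                Entries must not contain commas, because terms are split on ','.
     */
    public OrderClauseGuard(String... allowed) {
        this.allowed = new LinkedHashSet<>(Arrays.asList(allowed));
    }

    /**
     * Returns a normalized order clause built only from whitelisted terms, or throws
     * IllegalArgumentException whose message names the clause and the offending term.
     */
    public String validate(String order) {
        if (order == null || order.trim().isEmpty()) {
            return null; // no ordering requested
        }
        StringBuilder safe = new StringBuilder();
        for (String raw : order.split(",", -1)) {
            String term = raw.trim();
            Matcher m = TERM.matcher(term);
            String expr = m.matches() ? m.group(1) : "";
            // Exact match against the whitelist: quotes, parentheses, subqueries or
            // properties the developer did not list never reach the query.
            if (!allowed.contains(expr)) {
                throw new IllegalArgumentException("Invalid order clause \"" + order
                        + "\": \"" + term + "\" is not one of the sortable terms " + allowed);
            }
            if (safe.length() > 0) {
                safe.append(", ");
            }
            safe.append(expr);
            if (m.group(2) != null) {
                safe.append(' ').append(m.group(2).toLowerCase(Locale.ROOT));
            }
        }
        return safe.toString();
    }

    /** Safe counterpart of vulnerableQuery: only a validated clause is concatenated. */
    public String safeQuery(String ejbql, String order) {
        String clause = validate(order);
        return clause == null ? ejbql : ejbql + " order by " + clause;
    }

    public static void main(String[] args) {
        String ejbql = "select p from Person p";
        OrderClauseGuard guard = new OrderClauseGuard("name", "address.city", "lower(name)");

        // Accepted: a plain property, a nested path, and a whitelisted function expression.
        System.out.println(guard.safeQuery(ejbql, "name desc, address.city"));
        System.out.println(guard.safeQuery(ejbql, "lower(name) ASC"));

        // Rejected: a constructed malicious value that raw concatenation passes straight through.
        String injected = "name, (select count(x) from Person x)";
        System.out.println("unchecked: " + vulnerableQuery(ejbql, injected));
        try {
            guard.safeQuery(ejbql, injected);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:  " + e.getMessage());
        }
    }
}
```

Exact matching is deliberate: a regex that merely forbids "special characters" would also reject legitimate function-based sorting such as lower(name), while a whitelist lets the developer opt specific expressions in and still refuses everything else. The trade-off is that the list must be maintained per query and that multi-argument functions containing commas need a different splitting strategy than the one used here.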
