[Bug 259776] Re: MIR for obm
Kees Cook
kees at ubuntu.com
Wed Jan 28 00:39:25 UTC 2009
I've got to reject this. There has been absolutely no attempt to
protect this application from SQL injection.
For example:
function check_privacy($module, $table, $action, $id='', $p_uid='') {
...
$query = "SELECT $field_pri, $field_uc FROM $table WHERE $field_id = '$id'";
$obm_q = new DB_OBM;
$obm_q->query($query);
...
$params = get_list_params();
...
if (! check_privacy($module, "List", $action, $params["list_id"], $obm["uid"])) {
where get_list_params is virtually untouched $_POST values.
Before this gets further review, all database use should be correctly parameterized. And it's not a short list, I'm afraid:
$ fgrep -Ri -- '->query($query);' . | wc -l
977
** Changed in: obm (Ubuntu)
Assignee: Kees Cook (kees) => (unassigned)
Status: In Progress => Won't Fix
--
MIR for obm
https://bugs.launchpad.net/bugs/259776
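For readers of this review, the shape of the fix Kees is asking for, written as an added example rather than code from OBM or from the bug: the same privacy lookup with the row id bound as a prepared-statement parameter and the table and column names taken from a fixed allow-list, since identifiers cannot be bound. PDO with the pdo_sqlite driver is assumed here because the DB_OBM wrapper's API is not shown on the page; the table and column names are hypothetical.

```php
<?php
// Added example, not OBM code: hardened form of the check_privacy() query.
// Identifiers cannot be bound, so $table is resolved through an allow-list
// (hypothetical names); only the row id travels as a bound parameter.
const PRIVACY_TABLES = [
    'List' => ['table' => 'List', 'id' => 'list_id',
               'pri' => 'list_privacy', 'uc' => 'list_usercreate'],
];

function check_privacy_safe(PDO $db, string $table, string $id, string $uid): bool {
    if (!isset(PRIVACY_TABLES[$table])) {
        // Anything not in the allow-list never reaches the SQL text.
        throw new InvalidArgumentException("unknown table: $table");
    }
    $t = PRIVACY_TABLES[$table];
    // $id is sent as a value; the driver never lets it change the statement.
    $stmt = $db->prepare(
        "SELECT {$t['pri']} AS pri, {$t['uc']} AS uc FROM {$t['table']} WHERE {$t['id']} = :id"
    );
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // no such row: deny rather than fall through
    }
    // Public rows (privacy 0) are visible to everyone; private ones only to their creator.
    return (int)$row['pri'] === 0 || (string)$row['uc'] === $uid;
}

// Constructed demonstration on an in-memory SQLite database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE List (list_id INTEGER, list_privacy INTEGER, list_usercreate INTEGER)");
$db->exec("INSERT INTO List VALUES (1, 1, 42)");   // one private list owned by uid 42

var_dump(check_privacy_safe($db, 'List', '1', '42'));   // owner may see it
var_dump(check_privacy_safe($db, 'List', '1', '7'));    // another user may not
// Untrusted $_POST-style input that would have rewritten the string-built
// query is merely a non-matching id once it is bound as a parameter.
var_dump(check_privacy_safe($db, 'List', "1' OR '1'='1", '7'));
```

The last call is the point of the exercise: with the id bound, the quote characters never become SQL, so the lookup simply finds no row and the function denies access.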