New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
remove more special characters from sql query #107
Comments
Since the use of pattern matching (MySQL, etc) / regular expressions (dirtydb) may be a wanted behavior, it would be great to implement an |
Responsible disclosure..... |
This issue already public on etherpad repository for months :-/ By the way, I tried to contact you about this subject (but not only) two days ago by email. |
Did your email bounce? Did you get a response? I haven't seen anything... ;\ I have been handling other CVE and Security related topics successfully over the previous months with no major problems. |
Just so understand the scope of this bug:
Steps to replicate.
I am going to bring up an instance now to test on. FAQ:
|
No and no :-/ Tried your personal email and contact@etherpad.org. |
I'm unable to replicate this bug on latest windows release.. See my steps to replicate above. http://127.0.0.1:9001/p/test%/export/html returns an error, doesn't dump any user data. |
This issue is worse than this and I can provide you a working proof-of-concept, but not here in public. |
Email me it please :) I'm at my desk right now.. |
There is a bug in etherpad-lite that allows you to download all pads.
They pointed out that this might be a bug in ueberDB.
Here some special characters get removed.
https://github.com/Pita/ueberDB/blob/5c2ef4dc1476ef24bc475885817816c3e602ec8b/mysql_db.js#L133
_ (and possible more) is a special character as well.
See:
https://dev.mysql.com/doc/refman/5.7/en/pattern-matching.html
ether/etherpad-lite#3169
The text was updated successfully, but these errors were encountered: