Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[media] Fix SQL injection #8908

Merged
merged 1 commit into from
Oct 3, 2023
Merged

[media] Fix SQL injection #8908

merged 1 commit into from
Oct 3, 2023

Conversation

driusan
Copy link
Collaborator

@driusan driusan commented Oct 2, 2023

This fixes 2 problems with the SQL in the media FileUpload?action=getData endpoint

  1. There is an obvious SQL injection attack where user input from the request is directly concatenated into a string that's passed to the database.
  2. There was an unnecessary sub-select that could have been a join

This whole section of the code is a mess that should to be re-written, but this PR just tackles the urgent string concatenation.

@driusan driusan added Security PR patches a vulnerability, makes resource access changes, or updates dependencies Priority: High PR or issue should be prioritised over others for review and testing labels Oct 2, 2023
@driusan
[media] Fix problematic SQL
0bf6cd0 
This fixes 2 problems with the SQL in the media FileUpload?action=getData
endpoint
1. There is an obvious SQL injection attack where user input from the
   request is directly concatenated into a string that's passed to the
   database.
2. There was an unnecessary sub-select that could have been a join

This whole section of the code is a mess that should to be re-written,
but this PR just tackles the urgent string concatenation.
@driusan driusan changed the base branch from 25.0-release to 24.1-release October 2, 2023 18:02
@driusan driusan closed this Oct 2, 2023
@driusan driusan reopened this Oct 2, 2023
@CamilleBeau CamilleBeau added the Passed Manual Tests PR has undergone proper testing by at least one peer label Oct 3, 2023
@CamilleBeau
Copy link
Contributor

Tested and reviewed, working well and looks good.

@xlecours
Copy link
Contributor

xlecours commented Oct 3, 2023

@driusan , can we get this merge today? I would like to have it on HBCD and tomorrow would be ideal because it's maintenance day.
Thank you

@driusan driusan merged commit 9b08f46 into aces:24.1-release Oct 3, 2023
9 checks passed
@driusan
Copy link
Collaborator Author

driusan commented Oct 3, 2023

@xlecours @CamilleBeau reviewed and approved it so yes.

Do you need the release tagged today or just the PR merged?

@xlecours
Copy link
Contributor

xlecours commented Oct 3, 2023

@driusan it can wait tomorrow

@ridz1208 ridz1208 added this to the 24.1.5 milestone Nov 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@CamilleBeau CamilleBeau CamilleBeau approved these changes

Assignees
No one assigned
Labels
Passed Manual Tests PR has undergone proper testing by at least one peer Priority: High PR or issue should be prioritised over others for review and testing Security PR patches a vulnerability, makes resource access changes, or updates dependencies
Projects
None yet
Milestone
24.1.5
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@driusan @CamilleBeau @xlecours @ridz1208