
Make postConditions() less permissive. #11526

Merged
merged 3 commits into from Dec 15, 2017

@markstory
Member

markstory commented Dec 11, 2017

We were notified by ooooooo_q that postConditions() is vulnerable to SQL injection if used without SecurityComponent tampering prevention.

This change attempts to make postConditions() safer by exploding in unsafe scenarios.

Make postConditions() less permissive.
We were notified by `ooooooo_q` that postConditions() is vulnerable to
SQL injection if used without SecurityComponent tampering prevention.

This change attempts to make postConditions() safer by exploding in
unsafe scenarios.

@markstory markstory added this to the 2.10.6 milestone Dec 11, 2017

Member

chinpei215 commented Dec 12, 2017

Looks good to me. I also think a permitted list is better than a ban list.

markstory added some commits Dec 11, 2017

Use a permitted list instead of a ban list.
This should be safer as we are more confident on what is coming in.
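As an added illustration (not CakePHP's own postConditions() code; the helper names, the identifier regex and the operator set are assumptions), this contrasts the ban-list approach with the permitted-list approach the PR description and the commit above argue for: condition keys built from POST data are validated against what is known to be safe, and anything else throws.

```php
<?php
// Added illustration, not CakePHP's own postConditions() code. A hypothetical
// helper that turns POST data into ORM-style condition keys ("Model.field op")
// the way postConditions() does, first with a ban list, then a permitted list.
final class UnsafeConditionException extends RuntimeException {}

// Ban-list version: rejects a few known-bad substrings in attacker-controlled
// keys and passes everything else straight into the condition key.
function buildConditionsBanList(array $data, string $op = '='): array
{
    $conditions = [];
    foreach ($data as $field => $value) {
        foreach (['--', ';', 'DROP'] as $bad) {
            if (stripos((string)$field, $bad) !== false) {
                throw new UnsafeConditionException("Rejected key: $field");
            }
        }
        $conditions["$field $op"] = $value; // key is still untrusted text
    }
    return $conditions;
}

// Permitted-list version: the key must be an identifier (Model.field) and the
// operator one of a fixed set; anything else throws instead of reaching SQL.
function buildConditionsPermittedList(array $data, string $op = '='): array
{
    $allowedOps = ['=', '!=', '<', '<=', '>', '>=', 'LIKE', 'NOT LIKE'];
    if (!in_array(strtoupper($op), $allowedOps, true)) {
        throw new UnsafeConditionException("Operator not permitted: $op");
    }
    $ident = '/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/';
    $conditions = [];
    foreach ($data as $field => $value) {
        if (!preg_match($ident, (string)$field)) {
            throw new UnsafeConditionException("Field not permitted: $field");
        }
        $conditions["$field $op"] = $value;
    }
    return $conditions;
}

// Constructed sample input: a key that is not an identifier but contains none
// of the banned substrings, so only the permitted list catches it.
$posted = ['Post.title OR 1' => 'cake'];
var_dump(buildConditionsBanList($posted));      // passes through unchanged
try {
    buildConditionsPermittedList($posted);
} catch (UnsafeConditionException $e) {
    echo $e->getMessage(), PHP_EOL;              // "Field not permitted: ..."
}
```

The ban list only stops inputs someone already thought of; the permitted list rejects every key shape the query builder was not designed to receive, which is the "exploding in unsafe scenarios" behaviour the PR aims for.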

@markstory markstory self-assigned this Dec 13, 2017

@markstory markstory merged commit 3bf93b7 into 2.x Dec 15, 2017

2 of 5 checks passed

continuous-integration/appveyor/branch: AppVeyor build failed
continuous-integration/appveyor/pr: AppVeyor build failed
continuous-integration/travis-ci/push: The Travis CI build failed
continuous-integration/travis-ci/pr: The Travis CI build passed
stickler-ci Pull request targets an ignored branch

@markstory markstory deleted the post-conditions branch Dec 15, 2017
