
Possible SQL Injection problems using order parameter in will paginate 2.3.15 #243

Closed
njvitto opened this Issue · 1 comment

2 participants

@njvitto

If you look here at method "paginate": https://github.com/mislav/will_paginate/blob/v2.3.15/lib/will_paginate/finder.rb

You can see that method_missing is used to go to find_by_sql in some cases, where the "order" parameter can be exposed to SQL injection attacks.

Has someone already solved this possible issue?

Thx,
Nicola.

@mislav
Owner

A simple solution would be to not let users be able to define the order parameter directly.

Still, I can't see the attack vector that you describe. paginate_by_sql doesn't take an "order" parameter.

@mislav mislav closed this
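Added example, not code from the will_paginate project or from either participant, showing the pattern the issue worries about (an "order" request parameter interpolated straight into SQL) next to the mitigation mislav describes (never let users define the order clause directly; map their input through an allowlist instead). The `posts` table, column names and function names are assumptions; no database is needed, only the SQL strings are built.

```ruby
# Constructed example: turning an untrusted "order" request parameter into
# an ORDER BY clause. Table and column names are hypothetical.

# Naive builder (hypothetical): whatever arrives in params[:order] is
# interpolated verbatim, so the caller has no control over the SQL produced.
def naive_order_sql(param)
  "SELECT * FROM posts ORDER BY #{param}"
end

# Allowlist builder (hypothetical): the application decides up front which
# columns and directions may be sorted on. Input that is not exactly one
# allowed column plus an optional allowed direction falls back to a default,
# so the request can choose *among* fixed clauses but never supply SQL.
SORTABLE_COLUMNS = %w[id title created_at].freeze
DIRECTIONS = %w[asc desc].freeze

def safe_order_clause(param, default: "id asc")
  # Split "column direction" into at most two tokens; trailing garbage such
  # as "title desc--" ends up in the direction token and is rejected below.
  column, direction = param.to_s.strip.split(/\s+/, 2)
  direction = (direction || "asc").downcase
  return default unless SORTABLE_COLUMNS.include?(column) &&
                        DIRECTIONS.include?(direction)

  "#{column} #{direction}"
end

def safe_order_sql(param)
  "SELECT * FROM posts ORDER BY #{safe_order_clause(param)}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a legitimate sort and one carrying extra SQL.
  ["title desc", "id; DROP TABLE users"].each do |input|
    puts "naive: #{naive_order_sql(input)}"
    puts "safe:  #{safe_order_sql(input)}"
  end
end
```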