Possible SQL Injection problems using order parameter in will paginate 2.3.15 #243

Closed
njvitto opened this Issue May 24, 2012 · 1 comment


njvitto commented May 24, 2012

If you look here at method "paginate": https://github.com/mislav/will_paginate/blob/v2.3.15/lib/will_paginate/finder.rb

You can see that method_missing is used to go to find_by_sql in some cases, which, through the "order" parameter, can be exposed to SQL injection attacks.

Has someone already solved this possible issue?

Thx,
Nicola.

mislav (Owner) commented Jan 10, 2013

A simple solution would be to not let users be able to define the order parameter directly.

Still, I can't see the attack vector that you describe. paginate_by_sql doesn't take an "order" parameter.

@mislav mislav closed this Jan 10, 2013
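An added example (not will_paginate's or the thread participants' code) contrasting the risk the reporter describes with the mitigation mislav suggests, namely not letting users define the order parameter directly. It assumes the 2.3.x call style `Post.paginate(:page => params[:page], :order => params[:order])`, where `:order` is passed through to ActiveRecord's `find` and spliced into the SQL as-is; the functions below are a constructed Rails-free stand-in that builds the same clause so the difference is visible.

```ruby
# Constructed stand-in for what :order does in the 2.3.x paginate call:
# whatever string the caller supplies ends up verbatim after ORDER BY.
# If that string comes straight from params[:order], the request author
# controls part of the SQL statement.
def vulnerable_order_clause(user_order)
  "ORDER BY #{user_order}"
end

# Hardened form: resolve user input against an allowlist of sortable
# columns and directions, and fall back to a fixed default for anything
# else. The user only ever selects among values we wrote ourselves.
SORTABLE_COLUMNS = %w[id title created_at].freeze   # assumed columns
DIRECTIONS       = %w[ASC DESC].freeze
DEFAULT_ORDER    = "created_at DESC".freeze

def safe_order_clause(user_order)
  column, direction = user_order.to_s.strip.split(/\s+/, 2)
  direction = (direction || "ASC").upcase
  valid = SORTABLE_COLUMNS.include?(column) && DIRECTIONS.include?(direction)
  return "ORDER BY #{DEFAULT_ORDER}" unless valid
  "ORDER BY #{column} #{direction}"
end

# The pagination query as the controller would effectively issue it,
# with page coerced to an integer (another value that must never be
# interpolated raw) and the order clause taken from the safe resolver.
def paginated_sql(table, page, per_page, user_order)
  page = [page.to_i, 1].max
  offset = (page - 1) * per_page
  "SELECT * FROM #{table} #{safe_order_clause(user_order)} " \
    "LIMIT #{per_page} OFFSET #{offset}"
end

if __FILE__ == $0
  # Constructed inputs: a legitimate sort, a disallowed column, and a
  # multi-column value that the allowlist rejects but the raw form passes.
  ["title desc", "password", "title DESC, id"].each do |input|
    puts "input=#{input.inspect}"
    puts "  raw : #{vulnerable_order_clause(input)}"
    puts "  safe: #{safe_order_clause(input)}"
  end
  puts paginated_sql("posts", "2", 20, "title desc")
end
```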
