Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible SQL Injection problems using order parameter in will paginate 2.3.15 #243

Closed
njvitto opened this issue May 24, 2012 · 1 comment
Closed

Possible SQL Injection problems using order parameter in will paginate 2.3.15 #243

njvitto opened this issue May 24, 2012 · 1 comment
Labels
invalid

Comments

@njvitto
Copy link

njvitto commented May 24, 2012

If you look here at method "paginate": https://github.com/mislav/will_paginate/blob/v2.3.15/lib/will_paginate/finder.rb

You can see that's used the method_missing to go to find_by_sql in some cases that through the "order" parameter can be exposed to sql injection attacks.

Someone already solved this possible issue?

Thx,
Nicola.
@mislav
Copy link
Owner

mislav commented Jan 10, 2013

A simple solution would be to not let users be able to define the order parameter directly.

Still, I can't see the attack vector that you describe. paginate_by_sql doesn't take an "order" parameter.

@mislav mislav closed this as completed Jan 10, 2013
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
invalid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mislav @njvitto