-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorrect handling of permalink values (possible SQL injection) #1505
Comments
This has now been fixed in 1-1-stable and master. Thanks for bringing this to our attention. |
I have reverted this fix in 1-1-stable and master because it led to the broken build for spree_volume_pricing, showing this issue: http://travis-ci.org/#!/spree/spree_volume_pricing/jobs/1272629 Could you please look into a patch for this issue that would not cause this issue? Thanks. |
radar, read the issue description, I have already outlined the proper fix. other = self.class.where("#{field} LIKE ?", "#{permalink_value}%").all We can go even more paranoid and escape special chars: other = self.class.where("#{field} LIKE ?", "#{permalink_value.gsub(/[%_]/) { |c| '\'+c }}%").all Although I think this should be part of DB adapter. |
Please see the broken build I linked to above. Your solution causes that SQL error. Please devise an alternate solution. |
What was committed and broke the build differs from my solution. Please, read carefully. |
spree#1505" This reverts commit 73f2b34. This causes double quoting. Need to investigate an alternative fix.
Any update on this? |
In lib/spree/core/permalinks.rb there is save_permalink() method that ensures permalink uniqueness.
There is code
If permalink value contains "'" (single quote) character, the rest of permalink is treated as SQL statement (causing treats from non-working functionality to SQL injections).
The problem is seen in normal (non-hacker) use when permalink is generated from russian product names: some russian char combinations translate into single quotes thus exposing this issue.
The proper way would be to use sql argument substitution:
The text was updated successfully, but these errors were encountered: