Incorrect handling of permalink values (possible SQL injection) #1505
Comments
|
This has now been fixed in 1-1-stable and master. Thanks for bringing this to our attention. |
|
I have reverted this fix in 1-1-stable and master because it led to the broken build for spree_volume_pricing, showing this issue: http://travis-ci.org/#!/spree/spree_volume_pricing/jobs/1272629 Could you please look into a patch for this issue that would not cause this issue? Thanks. |
|
radar, read the issue description, I have already outlined the proper fix. other = self.class.where("#{field} LIKE ?", "#{permalink_value}%").allWe can go even more paranoid and escape special chars: other = self.class.where("#{field} LIKE ?", "#{permalink_value.gsub(/[%_]/) { |c| '\'+c }}%").allAlthough I think this should be part of DB adapter. |
|
Please see the broken build I linked to above. Your solution causes that SQL error. Please devise an alternate solution. |
|
What was committed and broke the build differs from my solution. Please, read carefully. |
spree#1505" This reverts commit 73f2b34. This causes double quoting. Need to investigate an alternative fix.
|
Any update on this? |
In lib/spree/core/permalinks.rb there is save_permalink() method that ensures permalink uniqueness.
There is code
If permalink value contains "'" (single quote) character, the rest of permalink is treated as SQL statement (causing treats from non-working functionality to SQL injections).
The problem is seen in normal (non-hacker) use when permalink is generated from russian product names: some russian char combinations translate into single quotes thus exposing this issue.
The proper way would be to use sql argument substitution:
The text was updated successfully, but these errors were encountered: