Hello,
> strbuf_sprintf(sql, "select dat, extra from %s where key = '%s' limit 1",
> dbop->tblname, name);
I will use sqlite3_mprintf() instead.
char *sql = sqlite3_mprintf("select dat, extra from %s where key = '%q' limit 1", dbop->tblname, name);
Thank you for pointing out the problem!
Regards,
Shigio
On Wed, Oct 22, 2025 at 10:41 AM Tim Becker <[email protected]> wrote:
>
> In libutil/dbop.c, dbop_get calls dbop3_get when using the sqlite3 backend.
> dbop3_get prepares a sqlite3 query as follows:
>
> strbuf_sprintf(sql, "select dat, extra from %s where key = '%s' limit 1",
> dbop->tblname, name);
>
> If the `name` string contains a single-quote character, a SQL injection
> can occur.
>
> dbop_get can be called with unsanitized values, e.g. raw path strings when
> inserting paths into GPATH.
>
> As a result, running gtags in sqlite3 mode on a source tree containing a path
> with a single-quote may fail or execute unintended sql queries.
>
> A fix may involve using a prepared statement, or properly sql-escaping the
> `name` parameter.
>
> Note: this bug was found by Theori's Xint Code analysis.
>
> Thanks,
> Tim Becker
> Theori
--
Shigio YAMAGUCHI <[email protected]>
PGP fingerprint:
26F6 31B4 3D62 4A92 7E6F 1C33 969C 3BE3 89DD A6EB
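The following is an added illustration of the problem and the two fixes discussed above; it is not code from GNU GLOBAL or from either message in this thread. It uses Python's standard-library sqlite3 module because that drives the same SQLite engine as libutil/dbop.c, so the behaviour of the three query styles is shown against a real parser. The table name "gpath" and its rows are constructed sample data modelled on the `select dat, extra from ... where key = ...` query quoted above; `sql_quote` reproduces what sqlite3_mprintf's `%q` does (doubling embedded single quotes), and `get_bound` shows the prepared-statement alternative the report suggests.

```python
import sqlite3

# Constructed sample rows for a GPATH-like table: (key, dat, extra).
# The second path carries a single quote, the trigger described in the report.
ROWS = [
    ("./src/main.c", "1", ""),
    ("./docs/o'reilly.txt", "2", ""),
]

TABLE = "gpath"  # assumed table name; in dbop.c this is dbop->tblname


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table gpath (key text primary key, dat text, extra text)")
    conn.executemany("insert into gpath values (?, ?, ?)", ROWS)
    return conn


def get_unsafe(conn, table, name):
    """Mirrors the reported strbuf_sprintf pattern: name is pasted into the literal."""
    sql = "select dat, extra from %s where key = '%s' limit 1" % (table, name)
    return conn.execute(sql).fetchone()


def sql_quote(s):
    """Equivalent of sqlite3_mprintf's %q: double every single quote so the
    value can sit inside a '...' literal without terminating it."""
    return s.replace("'", "''")


def get_escaped(conn, table, name):
    """The fix Shigio chose, expressed in Python: escape before interpolating."""
    sql = "select dat, extra from %s where key = '%s' limit 1" % (table, sql_quote(name))
    return conn.execute(sql).fetchone()


def get_bound(conn, table, name):
    """Prepared statement with a bound parameter: the value never touches the
    SQL text. The table name is still interpolated, so it must come from
    trusted code (a fixed identifier), never from input."""
    sql = "select dat, extra from %s where key = ? limit 1" % table
    return conn.execute(sql, (name,)).fetchone()


def demo(name="./docs/o'reilly.txt"):
    """Run the three lookups for one key and report what each produced."""
    conn = make_db()
    results = {}
    for label, fn in (("unsafe", get_unsafe), ("escaped", get_escaped), ("bound", get_bound)):
        try:
            results[label] = fn(conn, TABLE, name)
        except sqlite3.Error as err:
            # The unsafe variant breaks the SQL grammar at the embedded quote.
            results[label] = "error: " + type(err).__name__
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print("%-8s %r" % (label, outcome))
```

Running it shows the unsafe lookup failing with an OperationalError (the quote in the path ends the literal early), while the `%q`-style escaping and the bound parameter both return the stored row. Binding is the stronger choice because it also covers any future change to how the literal is delimited; escaping must be applied consistently at every interpolation site.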