[jira] [Commented] (SYNCOPE-416) AttributableSearchDAOImpl / Avoid query construction with string concatenation

2013-09-19 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SYNCOPE-416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771687#comment-13771687
 ] 

Francesco Chicchiriccò commented on SYNCOPE-416:


No special reason, I guess it was only residual from many upgrades that class 
had over time.

> AttributableSearchDAOImpl / Avoid query construction with string concatenation
> --
>
> Key: SYNCOPE-416
> URL: https://issues.apache.org/jira/browse/SYNCOPE-416
> Project: Syncope
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.1.3, 1.2.0
> Reporter: Guido Wimmel
> Priority: Minor
> Fix For: 1.1.4, 1.2.0
>
>
> Is there any reason why in org.apache.syncope.core.persistence.impl.AttributableSearchDAOImpl:419
> the like condition is appended by string concatenation?
> query.append(" LIKE '").append(cond.getExpression()).append("'");
> IMO this could open up a possible SQL injection vulnerability.
> In AttributableSearchDAOImpl:387 a query parameter is used, as I would have expected.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
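The two constructions contrasted in the issue, as an added illustration that is not Syncope's code: the same LIKE condition built once by splicing the expression into the SQL text (the pattern reported at line 419) and once bound as a query parameter (the pattern at line 387). The table, column names and rows are constructed for the example and do not reflect Syncope's schema; sqlite3 stands in for the JPA provider.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions for this
# example, not Syncope's real attribute-value schema.
ROWS = [("alice", "admin"), ("bob", "user"), ("dan", "O'Brien")]


def _conn():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attr_value (owner TEXT, stringvalue TEXT)")
    conn.executemany("INSERT INTO attr_value VALUES (?, ?)", ROWS)
    return conn


def build_concat_sql(expression):
    """Same shape as the flagged append(" LIKE '")...append("'") chain:
    the expression lands inside the SQL text, so a quote in it ends the
    literal and whatever follows is parsed as SQL."""
    return ("SELECT owner FROM attr_value WHERE stringvalue LIKE '"
            + expression + "'")


def search_concat(expression):
    """Runs the concatenated query; raises on input that breaks the SQL."""
    return sorted(r[0] for r in _conn().execute(build_concat_sql(expression)))


def search_param(expression):
    """The fix the issue asks for: the expression is bound as a parameter,
    so it is only ever compared as a LIKE pattern, never parsed as SQL."""
    query = "SELECT owner FROM attr_value WHERE stringvalue LIKE ?"
    return sorted(r[0] for r in _conn().execute(query, (expression,)))


def concat_breaks_on(expression):
    """True when the concatenated form cannot even execute for this input,
    i.e. the input has already changed the statement's structure."""
    try:
        search_concat(expression)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    for expr in ("ad%", "O'Brien%"):
        print(repr(expr), "param:", search_param(expr),
              "concat breaks:", concat_breaks_on(expr))
```

A legitimate value containing an apostrophe is enough to show the difference: the parameterised query matches it, the concatenated one no longer parses.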


[jira] [Commented] (SYNCOPE-416) AttributableSearchDAOImpl / Avoid query construction with string concatenation

2013-09-19 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771862#comment-13771862
 ] 

Hudson commented on SYNCOPE-416:


SUCCESS: Integrated in Syncope-1_1_X #108 (See 
[https://builds.apache.org/job/Syncope-1_1_X/108/])
[SYNCOPE-416] Suggestion applied (ilgrosso: rev 1524713)
* /syncope/branches/1_1_X/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/AttributableSearchDAOImpl.java


> AttributableSearchDAOImpl / Avoid query construction with string concatenation
> --
>
> Key: SYNCOPE-416
> URL: https://issues.apache.org/jira/browse/SYNCOPE-416
> Project: Syncope
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.1.3, 1.2.0
> Reporter: Guido Wimmel
> Assignee: Francesco Chicchiriccò
> Priority: Minor
> Fix For: 1.1.4, 1.2.0
>
>
> Is there any reason why in org.apache.syncope.core.persistence.impl.AttributableSearchDAOImpl:419
> the like condition is appended by string concatenation?
> query.append(" LIKE '").append(cond.getExpression()).append("'");
> IMO this could open up a possible SQL injection vulnerability.
> In AttributableSearchDAOImpl:387 a query parameter is used, as I would have expected.



[jira] [Commented] (SYNCOPE-416) AttributableSearchDAOImpl / Avoid query construction with string concatenation

2013-09-19 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771909#comment-13771909
 ] 

Hudson commented on SYNCOPE-416:


SUCCESS: Integrated in Syncope-trunk #450 (See 
[https://builds.apache.org/job/Syncope-trunk/450/])
[SYNCOPE-416] Merge from 1_1_X (ilgrosso: rev 1524714)
* /syncope/trunk
* /syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/AttributableSearchDAOImpl.java


