[jira] [Commented] (SYNCOPE-416) AttributableSearchDAOImpl / Avoid query construction with string concatenation
    [ https://issues.apache.org/jira/browse/SYNCOPE-416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771687#comment-13771687 ]

Francesco Chicchiriccò commented on SYNCOPE-416:
------------------------------------------------

No special reason, I guess it was only residual from many upgrades that class had over time.

> AttributableSearchDAOImpl / Avoid query construction with string concatenation
> --
>
>                 Key: SYNCOPE-416
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-416
>             Project: Syncope
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.1.3, 1.2.0
>            Reporter: Guido Wimmel
>            Priority: Minor
>             Fix For: 1.1.4, 1.2.0
>
>
> Is there any reason why in
> org.apache.syncope.core.persistence.impl.AttributableSearchDAOImpl:419
> the like condition is appended by string concatenation?
> query.append(" LIKE '").append(cond.getExpression()).append("'");
> IMO this could open up a possible SQL injection vulnerability.
> In AttributableSearchDAOImpl:387 a query parameter is used, as I would have
> expected.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
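As an added illustration of the two forms the reporter contrasts (not code from the JIRA thread or from Syncope), the Python/sqlite3 script below builds the same LIKE condition once by splicing the expression into the statement text, as `query.append(" LIKE '").append(cond.getExpression()).append("'")` does, and once as a bound query parameter, then runs a quote-breaking payload against both. The table `user_attr`, its columns, the sample rows and the helper names are constructed for the example and are not Syncope's schema or API.

```python
import sqlite3

# Constructed sample data for this example only; the table and column names
# (user_attr, schema_name, value) are assumptions, not Syncope's real schema.
SAMPLE_ROWS = [
    (1, "email", "alice@example.org"),
    (2, "email", "bob@example.org"),
    (3, "email", "carol@example.net"),
    (4, "surname", "Rossi"),
]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_attr (user_id INTEGER, schema_name TEXT, value TEXT)"
    )
    conn.executemany("INSERT INTO user_attr VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_concat(conn, schema_name, expression):
    """'Before' form: the LIKE operand is spliced into the statement text,
    the same shape as appending " LIKE '" + expression + "'" to a StringBuilder.
    A quote inside `expression` ends the literal and the rest becomes SQL."""
    query = (
        "SELECT user_id FROM user_attr WHERE schema_name = '" + schema_name + "'"
        " AND value LIKE '" + expression + "'"
    )
    return sorted(row[0] for row in conn.execute(query))


def search_param(conn, schema_name, expression):
    """'After' form: the operand travels as a bound parameter, so it is always
    data. Note that % and _ inside it are still LIKE wildcards, which is the
    intended behaviour for a LIKE condition."""
    query = "SELECT user_id FROM user_attr WHERE schema_name = ? AND value LIKE ?"
    return sorted(row[0] for row in conn.execute(query, (schema_name, expression)))


def escape_like(text, esc="\\"):
    """Neutralise LIKE metacharacters so `text` matches literally under an
    ESCAPE clause. The escape character itself is doubled first."""
    return (
        text.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_literal_prefix(conn, schema_name, prefix):
    """Prefix search where the caller-supplied prefix must match literally:
    parameter binding stops injection, escaping stops wildcard smuggling."""
    query = (
        "SELECT user_id FROM user_attr WHERE schema_name = ? "
        "AND value LIKE ? ESCAPE '\\'"
    )
    pattern = escape_like(prefix) + "%"
    return sorted(row[0] for row in conn.execute(query, (schema_name, pattern)))


if __name__ == "__main__":
    db = make_db()
    payload = "%' OR '1'='1"  # closes the quoted literal, then widens the WHERE clause
    print("concat, benign  :", search_concat(db, "email", "%example.org"))  # [1, 2]
    print("concat, payload :", search_concat(db, "email", payload))         # [1, 2, 3, 4]
    print("param, payload  :", search_param(db, "email", payload))          # []
    print("literal prefix  :", search_literal_prefix(db, "email", "%"))     # []
```

With concatenation the payload turns `schema_name = 'email' AND value LIKE '%' OR '1'='1'` into a condition that matches every row, including the `surname` attribute the caller never asked for; with a bound parameter the same bytes are just an unmatched pattern. One caveat a parameter does not address: `%` and `_` keep their LIKE meaning, which is what a search expression wants, but where a caller-supplied value is meant literally it must be escaped under an ESCAPE clause as `search_literal_prefix` does.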
[jira] [Commented] (SYNCOPE-416) AttributableSearchDAOImpl / Avoid query construction with string concatenation
    [ https://issues.apache.org/jira/browse/SYNCOPE-416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771862#comment-13771862 ]

Hudson commented on SYNCOPE-416:
--------------------------------

SUCCESS: Integrated in Syncope-1_1_X #108 (See [https://builds.apache.org/job/Syncope-1_1_X/108/])
[SYNCOPE-416] Suggestion applied (ilgrosso: rev 1524713)
* /syncope/branches/1_1_X/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/AttributableSearchDAOImpl.java

> AttributableSearchDAOImpl / Avoid query construction with string concatenation
> --
>
>                 Key: SYNCOPE-416
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-416
>             Project: Syncope
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.1.3, 1.2.0
>            Reporter: Guido Wimmel
>            Assignee: Francesco Chicchiriccò
>            Priority: Minor
>             Fix For: 1.1.4, 1.2.0
>
>
> Is there any reason why in
> org.apache.syncope.core.persistence.impl.AttributableSearchDAOImpl:419
> the like condition is appended by string concatenation?
> query.append(" LIKE '").append(cond.getExpression()).append("'");
> IMO this could open up a possible SQL injection vulnerability.
> In AttributableSearchDAOImpl:387 a query parameter is used, as I would have
> expected.
[jira] [Commented] (SYNCOPE-416) AttributableSearchDAOImpl / Avoid query construction with string concatenation
    [ https://issues.apache.org/jira/browse/SYNCOPE-416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771909#comment-13771909 ]

Hudson commented on SYNCOPE-416:
--------------------------------

SUCCESS: Integrated in Syncope-trunk #450 (See [https://builds.apache.org/job/Syncope-trunk/450/])
[SYNCOPE-416] Merge from 1_1_X (ilgrosso: rev 1524714)
* /syncope/trunk
* /syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/AttributableSearchDAOImpl.java

> AttributableSearchDAOImpl / Avoid query construction with string concatenation
> --
>
>                 Key: SYNCOPE-416
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-416
>             Project: Syncope
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.1.3, 1.2.0
>            Reporter: Guido Wimmel
>            Assignee: Francesco Chicchiriccò
>            Priority: Minor
>             Fix For: 1.1.4, 1.2.0
>
>
> Is there any reason why in
> org.apache.syncope.core.persistence.impl.AttributableSearchDAOImpl:419
> the like condition is appended by string concatenation?
> query.append(" LIKE '").append(cond.getExpression()).append("'");
> IMO this could open up a possible SQL injection vulnerability.
> In AttributableSearchDAOImpl:387 a query parameter is used, as I would have
> expected.