csteipp created this task.
csteipp added subscribers: JanZerebecki, Jonaskeutel, Tamslo, csteipp, Andreasburmeister, Liuxinyu970226, Aklapper, Wikibase-Quality-External-Validation.
csteipp added projects: Wikibase-Quality, Wikidata, Security-Reviews, Wikibase-Quality-External-Validation.
TASK DESCRIPTION
Since $dumpMetaTableName and $identifierPropertiesTableName are used in raw queries, with only $db->tableName() called on them, they need to strictly validate that the name is a simple string and does not contain SQL. Database::tableName() is not safe for preventing SQL injection. It looks like you can validate that they match /[a-z_]+/.

TASK DETAIL
https://phabricator.wikimedia.org/T103439

To: csteipp
Cc: Wikibase-Quality-External-Validation, Aklapper, Liuxinyu970226, Andreasburmeister, csteipp, Tamslo, Jonaskeutel, JanZerebecki, Wikidata-bugs, aude, Malyacko, P.Copp
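
An added example (not code from the task or from the extension) of the validation the task asks for, in plain PHP; the helper name `assertSimpleTableName` and the sample values are hypothetical. It compares the pattern anchored to the whole string with the same character class left unanchored, which matches as soon as any substring fits.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of the extension): accept a configured
 * table name only if the whole string is lowercase letters and underscores.
 */
function assertSimpleTableName(string $name): string
{
    // \A and \z anchor the match to the entire string; unlike $, \z does
    // not tolerate a trailing newline.
    if (preg_match('/\A[a-z_]+\z/', $name) !== 1) {
        throw new InvalidArgumentException('Invalid table name in configuration');
    }
    return $name;
}

// Constructed sample values, not taken from the extension's configuration.
$samples = [
    'dump_meta',      // plain identifier
    'dump_meta; --',  // identifier followed by extra SQL text
    "dump_meta\n",    // trailing newline
    'Dump_Meta',      // uppercase letters
    '',               // empty string
];

foreach ($samples as $candidate) {
    // Without anchors, preg_match() succeeds when any substring matches.
    $unanchored = preg_match('/[a-z_]+/', $candidate) === 1;

    try {
        assertSimpleTableName($candidate);
        $anchored = true;
    } catch (InvalidArgumentException $e) {
        $anchored = false;
    }

    printf(
        "%-18s unanchored=%s anchored=%s\n",
        json_encode($candidate),
        $unanchored ? 'accept' : 'reject',
        $anchored ? 'accept' : 'reject'
    );
}
```

Calling the helper once, where the configuration values are read, keeps the check ahead of every raw query that interpolates the table name.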