From: Francois P. <fx....@gm...> - 2011-05-25 06:46:04

Thanks Pierre. Applied http://trac.osgeo.org/geonetwork/ticket/510.

Francois

2011/5/18 Pierre Mauduit <pie...@ca...>:
> Hello,
>
> While adapting the resources.get service (need to have the possibility to
> call it using uuid), I found out a possible way to exploit a SQL injection
> flaw (in case of having activated the "notify by email" option), because one
> of the SQL queries done in the resources/Download.java file is not
> "protected".
>
> Please find attached a patch which aims to fix this issue (untested but
> inspired from other similar fixes).
>
> Hth,
> --
> Pierre Mauduit
>
> Camptocamp France SAS
> Savoie Technolac, BP 352
> 73377 Le Bourget du Lac Cedex
> Tel : + 33 (0)4 79 44 44 92
> http://www.camptocamp.com
> pie...@ca...
>
> _______________________________________________
> GeoNetwork-devel mailing list
> Geo...@li...
> https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
> GeoNetwork OpenSource is maintained at
> http://sourceforge.net/projects/geonetwork
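As an added illustration (this is not the attached patch nor GeoNetwork's actual Download.java; the table and column names, and the notification lookup itself, are assumed), the difference between the kind of string-built JDBC query the report describes and the parameterized form that closes the hole:

```java
// Added illustration, not GeoNetwork's code: fetching the e-mail address to
// notify when a resource identified by uuid is downloaded. Schema is assumed.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class DownloadNotify {

    // Vulnerable: the request-supplied uuid is spliced into the SQL text, so a
    // value containing a quote character changes the statement itself.
    static String ownerEmailUnsafe(Connection conn, String uuid) throws SQLException {
        String sql = "SELECT u.email FROM Users u, Metadata m "
                   + "WHERE m.owner = u.id AND m.uuid = '" + uuid + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // Fixed: the SQL text is constant and the uuid travels as a bound value,
    // which the driver never interprets as SQL whatever characters it holds.
    static String ownerEmail(Connection conn, String uuid) throws SQLException {
        String sql = "SELECT u.email FROM Users u, Metadata m "
                   + "WHERE m.owner = u.id AND m.uuid = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, uuid);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // Optional defence in depth, assuming the deployment's uuids have a fixed
    // shape: reject anything else before it reaches the database at all.
    static boolean isPlausibleUuid(String uuid) {
        return uuid != null && uuid.matches("[0-9A-Za-z_.:-]{1,64}");
    }
}
```

The allow-list check is a second layer only; the bound parameter is what actually removes the injection, and it works for any uuid format.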