Hi,
Info classes (the ones that extend Info) are correctly using
PreparedStatement and setXXX methods to fill query parameters. Instead,
InfoGeneral just adds strings to the query in the addSQLWhere method. This way,
if you have a special character (like a single quote) inside a field, it is
not escaped and Oracle throws an error.
For instance, if you search for a user whose name is D'Amico, you get an
error in the log and no record is retrieved (you must manually escape the
quote with a second one).
I changed the source to match the behaviour of the other InfoXXX classes.
Regards
Angelo Dabala'
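The two WHERE-clause patterns contrasted in the report, as an added example that is not Adempiere's InfoGeneral code (the table C_BPartner, the columns Name and Value, and the helper names are assumed for illustration; `prepare()` needs a live JDBC Connection, which the example does not open):

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not the project's own code): building a dynamic WHERE clause
 * by string concatenation versus by placeholders bound with setXXX.
 * Table and column names are assumed for illustration.
 */
public class InfoWhereExample {

    /** The pattern the report describes: the user's text is spliced into SQL. */
    static String vulnerableWhere(String column, String userInput) {
        // A single quote in userInput is not escaped, so "D'Amico" breaks the
        // statement and a crafted value can change what the query does.
        return "UPPER(" + column + ") LIKE UPPER('" + userInput + "%')";
    }

    /** The pattern of the other InfoXXX classes: a "?" plus a value bound later. */
    static final class ParamWhere {
        final StringBuilder sql = new StringBuilder();
        final List<Object> params = new ArrayList<>();

        ParamWhere addLike(String column, String userInput) {
            if (sql.length() > 0) sql.append(" AND ");
            // Only the trusted column name goes into the SQL text; the user's
            // value travels separately and is never parsed as SQL.
            sql.append("UPPER(").append(column).append(") LIKE UPPER(?)");
            params.add(userInput + "%");
            return this;
        }

        String whereClause() { return sql.toString(); }
    }

    /** Bind the collected values with setXXX; the driver handles quoting. */
    static PreparedStatement prepare(Connection conn, String table, ParamWhere where)
            throws SQLException {
        String sql = "SELECT Value, Name FROM " + table + " WHERE " + where.whereClause();
        PreparedStatement pstmt = conn.prepareStatement(sql);
        for (int i = 0; i < where.params.size(); i++) {
            Object p = where.params.get(i);
            if (p instanceof String) pstmt.setString(i + 1, (String) p);
            else pstmt.setObject(i + 1, p);
        }
        return pstmt;
    }

    public static void main(String[] args) {
        // Constructed inputs: the name from the report, and a value that turns
        // the concatenated clause into "... OR 1=1" with the rest commented out.
        String[] inputs = { "D'Amico", "x%') OR 1=1 --" };
        for (String in : inputs) {
            System.out.println("concatenated:  WHERE " + vulnerableWhere("Name", in));
            ParamWhere w = new ParamWhere().addLike("Name", in).addLike("Value", "A");
            System.out.println("parameterized: WHERE " + w.whereClause()
                    + "   params=" + w.params);
        }
    }
}
```

Running `main` shows that the concatenated clause changes shape with the input (the apostrophe in D'Amico leaves an unterminated literal, and the second input ends the literal early and appends its own condition), while the parameterized clause is the same fixed text for every input and only the bound values differ.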
Carlos Ruiz
Technical
Core
Public
Date: 2009-11-21 02:20 This Tracker item was closed automatically by the system. It was
Date: 2009-11-06 14:13 Fixed also in zkwebui with revision 10904
Date: 2009-11-06 13:48 Thanks Angelo, this can be considered a security issue (it can be exploited
| Filename | Description | Download |
|---|---|---|
| InfoGeneral.java | updated class | Download |
| Field | Old Value | Date | By |
|---|---|---|---|
| close_date | 2009-11-06 13:48 | 2009-11-21 02:20 | sf-robot |
| status_id | Pending | 2009-11-21 02:20 | sf-robot |
| allow_comments | 1 | 2009-11-21 02:20 | sf-robot |
| category_id | None | 2009-11-06 13:48 | globalqss |
| artifact_group_id | None | 2009-11-06 13:48 | globalqss |
| assigned_to | nobody | 2009-11-06 13:48 | globalqss |
| close_date | - | 2009-11-06 13:48 | globalqss |
| priority | 5 | 2009-11-06 13:48 | globalqss |
| status_id | Open | 2009-11-06 13:48 | globalqss |
| resolution_id | None | 2009-11-06 13:48 | globalqss |
| File Added | 349761: InfoGeneral.java | 2009-11-06 11:49 | genied |