MantisBT - CDash
View Issue Details

ID	Project	Category	View Status	Date Submitted	Last Update
0007504	CDash		public	2008-08-19 18:02	2008-08-20 07:40

Reporter	Uli M
Assigned To	Julien Jomier
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Platform		OS		OS Version
Product Version
Target Version		Fixed in Version	1.2

Summary	0007504: <DartMeasurement> output is not SQL-escaped
Description	Downsides are that you can't upload files with ' in them. Well and then there's of course SQL injection...(which is why I tagged this major). Patch attached. On a side note: I'm uploading text/string and not text/html which seems to be unsupported. Stuff gets displayed in one line and xml fragments vanish. Had to add a tag in testDetails.xsl file and remove the disable-output-escaping flag. I would think that should be the default behavior for non-html input. Oh and why do you document a base64 encoding attribute if it's really only used for images. By the way documentation is the hardest thing about ctest/cdash...you can't trust what you read because half of it is outdated or just a proposal and not what's really implemented. Anyway, thanks for the cool software ;)
Steps To Reproduce
Additional Information
Tags	No tags attached.
Relationships
Attached Files	cdash-measurement-sql-escape.patch (744) 2008-08-19 18:02 https://public.kitware.com/Bug/file/1667/cdash-measurement-sql-escape.patch

Issue History
Date Modified	Username	Field	Change
2008-08-19 18:02	Uli M	New Issue
2008-08-19 18:02	Uli M	File Added: cdash-measurement-sql-escape.patch
2008-08-19 18:11	Julien Jomier	Status	new => assigned
2008-08-19 18:11	Julien Jomier	Assigned To	=> Julien Jomier
2008-08-19 18:11	Julien Jomier	Note Added: 0013092
2008-08-20 02:21	Uli M	Note Added: 0013106
2008-08-20 07:40	Julien Jomier	Status	assigned => closed
2008-08-20 07:40	Julien Jomier	Note Added: 0013108
2008-08-20 07:40	Julien Jomier	Resolution	open => fixed
2008-08-20 07:40	Julien Jomier	Fixed in Version	=> 1.2

Notes