View Issue Details [ Jump to Notes ]

[ Print ]

Project

Category

View Status

Date Submitted

Last Update

0007504

CDash

public

2008-08-19 18:02

2008-08-20 07:40

Reporter

Uli M

Assigned To

Julien Jomier

Priority

normal

Severity

major

Reproducibility

always

Status

closed

Resolution

fixed

Platform

OS Version

Product Version

Target Version

Fixed in Version

1.2

Summary

0007504: <DartMeasurement> output is not SQL-escaped

Description

Downsides are that you can't upload files with ' in them. Well and then there's of course SQL injection...(which is why I tagged this major). Patch attached.

On a side note: I'm uploading text/string and not text/html which seems to be unsupported. Stuff gets displayed in one line and xml fragments vanish. Had to add a

 tag in testDetails.xsl file and remove the disable-output-escaping flag. I would think that should be the default behavior for non-html input. Oh and why do you document a base64 encoding attribute if it's really only used for images. By the way documentation is the hardest thing about ctest/cdash...you can't trust what you read because half of it is outdated or just a proposal and not what's really implemented. Anyway, thanks for the cool software ;)

Tags

No tags attached.

Attached Files

cdash-measurement-sql-escape.patch [^] (744 bytes) 2008-08-19 18:02 [Show Content] [Hide Content]

Index: common.php
===================================================================
--- common.php	(revision 1069)
+++ common.php	(working copy)
@@ -1485,9 +1485,9 @@
       // Insert the measurements  
       foreach($measurements as $measurement)
         {
-        $name = $measurement['name'];
-        $type = $measurement['type'];
-        $value = $measurement['value'];
+        $name = pdo_real_escape_string($measurement['name']);
+        $type = pdo_real_escape_string($measurement['type']);
+        $value = pdo_real_escape_string($measurement['value']);
         $query = "INSERT INTO testmeasurement (testid,name,type,value) 
                   VALUES ('$testid','$name','$type','$value')";
         if(!pdo_query("$query"))

Relationships

Notes
(0013092) Julien Jomier (manager) 2008-08-19 18:11	What version of CDash are you using? I think we fixed this issue recently. Thanks for the report.

(0013106) Uli M (reporter) 2008-08-20 02:21	I used revision 1069 (see the patch). Current HEAD(rev 1084) looks the same to me besides some added viewvc stuff. So I think the problem persists!

(0013108) Julien Jomier (manager) 2008-08-20 07:40	I should have looked at the patch :). I've put the patch in SVN. Thanks for the report and providing a fix.

Issue History
Date Modified	Username	Field	Change
2008-08-19 18:02	Uli M	New Issue
2008-08-19 18:02	Uli M	File Added: cdash-measurement-sql-escape.patch
2008-08-19 18:11	Julien Jomier	Status	new => assigned
2008-08-19 18:11	Julien Jomier	Assigned To	=> Julien Jomier
2008-08-19 18:11	Julien Jomier	Note Added: 0013092
2008-08-20 02:21	Uli M	Note Added: 0013106
2008-08-20 07:40	Julien Jomier	Status	assigned => closed
2008-08-20 07:40	Julien Jomier	Note Added: 0013108
2008-08-20 07:40	Julien Jomier	Resolution	open => fixed
2008-08-20 07:40	Julien Jomier	Fixed in Version	=> 1.2