View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
0007504 | CDash | public | 2008-08-19 18:02 | 2008-08-20 07:40
Reporter | Uli M
Assigned To | Julien Jomier
Priority | normal | Severity | major | Reproducibility | always
Status | closed | Resolution | fixed
Platform | OS | OS Version
Product Version |
Target Version | Fixed in Version | 1.2
Summary | 0007504: <DartMeasurement> output is not SQL-escaped
Description | Downsides are that you can't upload files with ' in them. Well, and then there's of course SQL injection... (which is why I tagged this major). Patch attached.

On a side note: I'm uploading text/string and not text/html, which seems to be unsupported. Stuff gets displayed in one line and XML fragments vanish. Had to add a tag in the testDetails.xsl file and remove the disable-output-escaping flag. I would think that should be the default behavior for non-HTML input.

Oh, and why do you document a base64 encoding attribute if it's really only used for images? By the way, documentation is the hardest thing about ctest/cdash... you can't trust what you read because half of it is outdated or just a proposal and not what's really implemented. Anyway, thanks for the cool software ;)
Tags | No tags attached.
Attached Files | cdash-measurement-sql-escape.patch (744 bytes) 2008-08-19 18:02
Relationships
Notes
(0013092) Julien Jomier (manager) 2008-08-19 18:11
What version of CDash are you using? I think we fixed this issue recently. Thanks for the report.
(0013106) Uli M (reporter) 2008-08-20 02:21
I used revision 1069 (see the patch). Current HEAD (rev 1084) looks the same to me besides some added viewvc stuff. So I think the problem persists!
(0013108) Julien Jomier (manager) 2008-08-20 07:40
I should have looked at the patch :). I've put the patch in SVN. Thanks for the report and providing a fix.
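The bug the report describes, shown as an added illustration that is not CDash's own code: a measurement value containing a single quote is spliced into the INSERT text verbatim, which breaks the statement (and, for a crafted value, changes its meaning), whereas binding the value as a parameter stores it intact. CDash itself is PHP over MySQL; Python with SQLite stands in here, and the `<DartMeasurement>` sample and the `testmeasurement` table are constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample of the DartMeasurement lines a test prints; the "Note"
# value carries the single quote that the bug report says could not be uploaded.
SAMPLE_OUTPUT = """<Measurements>
  <DartMeasurement name="Note" type="text/string">it's a note</DartMeasurement>
  <DartMeasurement name="Elapsed" type="numeric/double">1.5</DartMeasurement>
</Measurements>"""

# Constructed table standing in for the CDash measurement table.
SCHEMA = "CREATE TABLE testmeasurement (name TEXT, type TEXT, value TEXT)"


def parse_measurements(text):
    """Return (name, type, value) tuples for each <DartMeasurement> element."""
    root = ET.fromstring(text)
    return [(m.get("name"), m.get("type"), m.text or "")
            for m in root.iter("DartMeasurement")]


def insert_unescaped(conn, name, mtype, value):
    """The flawed pattern from the report: values pasted into the SQL text."""
    sql = ("INSERT INTO testmeasurement (name, type, value) "
           "VALUES ('%s', '%s', '%s')" % (name, mtype, value))
    conn.execute(sql)


def insert_bound(conn, name, mtype, value):
    """The fix: the driver binds the values, so a quote is data, not syntax."""
    conn.execute("INSERT INTO testmeasurement (name, type, value) VALUES (?, ?, ?)",
                 (name, mtype, value))


def store(text, escaped=True):
    """Parse and store measurements. Returns (True, rows) on success or
    (False, error text) when the unescaped path chokes on the quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        for name, mtype, value in parse_measurements(text):
            (insert_bound if escaped else insert_unescaped)(conn, name, mtype, value)
    except sqlite3.OperationalError as err:
        return False, str(err)
    rows = conn.execute("SELECT name, value FROM testmeasurement ORDER BY name")
    return True, rows.fetchall()


if __name__ == "__main__":
    print(store(SAMPLE_OUTPUT, escaped=False))  # the quote breaks the statement
    print(store(SAMPLE_OUTPUT, escaped=True))   # both rows stored verbatim
```

Escaping the value before splicing, as the attached patch does for CDash, closes the same hole; parameter binding is simply the form that cannot be forgotten for one field.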
Issue History
Date Modified | Username | Field | Change
2008-08-19 18:02 | Uli M | New Issue |
2008-08-19 18:02 | Uli M | File Added: cdash-measurement-sql-escape.patch |
2008-08-19 18:11 | Julien Jomier | Status | new => assigned
2008-08-19 18:11 | Julien Jomier | Assigned To | => Julien Jomier
2008-08-19 18:11 | Julien Jomier | Note Added: 0013092 |
2008-08-20 02:21 | Uli M | Note Added: 0013106 |
2008-08-20 07:40 | Julien Jomier | Status | assigned => closed
2008-08-20 07:40 | Julien Jomier | Note Added: 0013108 |
2008-08-20 07:40 | Julien Jomier | Resolution | open => fixed
2008-08-20 07:40 | Julien Jomier | Fixed in Version | => 1.2
Copyright © 2000 - 2018 MantisBT Team |