[jira] [Updated] (SYNCOPE-416) AttributableSearchDAOImpl / Avoid query construction with string concatenation

JIRA Thu, 19 Sep 2013 01:14:54 -0700

     [ 
https://issues.apache.org/jira/browse/SYNCOPE-416?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Francesco Chicchiriccò updated SYNCOPE-416:
-------------------------------------------

    Fix Version/s: 1.2.0
                   1.1.4
    
> AttributableSearchDAOImpl / Avoid query construction with string concatenation
> ------------------------------------------------------------------------------
>
>                 Key: SYNCOPE-416
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-416
>             Project: Syncope
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.1.3, 1.2.0
>            Reporter: Guido Wimmel
>            Priority: Minor
>             Fix For: 1.1.4, 1.2.0
>
>
> Is there any reason why in 
> org.apache.syncope.core.persistence.impl.AttributableSearchDAOImpl:419
> the like condition is appended by string concatenation?
>     query.append(" LIKE '").append(cond.getExpression()).append("'");
> IMO this could open up a possible SQL injection vulnerability.
> In AttributableSearchDAOImpl:387 a query parameter is used, as I would have 
> expected.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Updated] (SYNCOPE-416) AttributableSearchDAOImpl / Avoid query construction with string concatenation

Reply via email to