Guido Wimmel created SYNCOPE-416:
------------------------------------

             Summary: AttributableSearchDAOImpl / Avoid query construction with string concatenation
                 Key: SYNCOPE-416
                 URL: https://issues.apache.org/jira/browse/SYNCOPE-416
             Project: Syncope
          Issue Type: Improvement
          Components: core
    Affects Versions: 1.1.3, 1.2.0
            Reporter: Guido Wimmel
            Priority: Minor


Is there any reason why in org.apache.syncope.core.persistence.impl.AttributableSearchDAOImpl:419 the like condition is appended by string concatenation?

    query.append(" LIKE '").append(cond.getExpression()).append("'");

IMO this could open up a possible SQL injection vulnerability.

In AttributableSearchDAOImpl:387 a query parameter is used, as I would have expected.
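As an added illustration, not code from Syncope itself, the two ways of appending the LIKE condition side by side; the view and column names, and the positional-parameter convention, are assumed for the example:

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Syncope code): a LIKE condition appended by string
 * concatenation versus one bound as a query parameter. "query" is the SQL
 * built so far; "parameters" holds the values that would later be bound
 * with Query.setParameter, in the order they were added.
 */
public final class LikeConditionExample {

    /** Vulnerable form: the caller-supplied expression becomes part of the SQL text. */
    static String concatenatedLike(String column, String expression) {
        StringBuilder query = new StringBuilder("SELECT subject_id FROM user_search WHERE ");
        // "column" comes from code, not from the request, so only "expression" is at risk here.
        query.append(column).append(" LIKE '").append(expression).append("'");
        return query.toString();
    }

    /** Outcome of the parameterised form: fixed SQL text plus the values to bind. */
    static final class BoundQuery {
        final String sql;
        final List<Object> parameters;
        BoundQuery(String sql, List<Object> parameters) { this.sql = sql; this.parameters = parameters; }
    }

    /** Hardened form: the SQL text never contains the expression; it is bound as ?N. */
    static BoundQuery parameterisedLike(String column, String expression, List<Object> parameters) {
        StringBuilder query = new StringBuilder("SELECT subject_id FROM user_search WHERE ");
        parameters.add(expression);
        query.append(column).append(" LIKE ?").append(parameters.size());
        return new BoundQuery(query.toString(), parameters);
    }

    public static void main(String[] args) {
        // Constructed sample value: an apostrophe in an otherwise ordinary search
        // expression is enough to change the SQL statement in the concatenated form.
        String expression = "o'connor%";

        System.out.println(concatenatedLike("username", expression));
        // ... WHERE username LIKE 'o'connor%'  : the quote closes the literal early,
        // so whatever follows is parsed as SQL rather than treated as data.

        BoundQuery safe = parameterisedLike("username", expression, new ArrayList<>());
        System.out.println(safe.sql);         // ... WHERE username LIKE ?1
        System.out.println(safe.parameters);  // [o'connor%] : bound as a value, never parsed as SQL
        // With JPA: Query q = em.createNativeQuery(safe.sql);
        //           for (int i = 0; i < safe.parameters.size(); i++) q.setParameter(i + 1, safe.parameters.get(i));
    }
}
```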
