[ https://issues.apache.org/jira/browse/SYNCOPE-416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771862#comment-13771862 ]
Hudson commented on SYNCOPE-416: -------------------------------- SUCCESS: Integrated in Syncope-1_1_X #108 (See [https://builds.apache.org/job/Syncope-1_1_X/108/]) [SYNCOPE-416] Suggestion applied (ilgrosso: rev 1524713) * /syncope/branches/1_1_X/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/AttributableSearchDAOImpl.java > AttributableSearchDAOImpl / Avoid query construction with string concatenation > ------------------------------------------------------------------------------ > > Key: SYNCOPE-416 > URL: https://issues.apache.org/jira/browse/SYNCOPE-416 > Project: Syncope > Issue Type: Improvement > Components: core > Affects Versions: 1.1.3, 1.2.0 > Reporter: Guido Wimmel > Assignee: Francesco Chicchiriccò > Priority: Minor > Fix For: 1.1.4, 1.2.0 > > > Is there any reason why in > org.apache.syncope.core.persistence.impl.AttributableSearchDAOImpl:419 > the like condition is appended by string concatenation? > query.append(" LIKE '").append(cond.getExpression()).append("'"); > IMO this could open up a possible SQL injection vulnerability. > In AttributableSearchDAOImpl:387 a query parameter is used, as I would have > expected. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira