Patch Set 1: (1 comment)
https://gerrit.osmocom.org/#/c/5205/1/src/libmsc/db.c File src/libmsc/db.c: Line 197: dbi_result queryf(dbi_conn conn, const char *format, ...) > That's just SQL injection waiting to happen. Too bad libdbi does not suppor Our invocation of libdbi has always worked like this, and libdbi is only here for legacy reasons. We won't spend more time than strictly necessary on dbi now. I needed this to figure out what was going on during two recent error reports, but we're not going to refactor the way dbi works at this point. When calling those dbi quoting functions, presumably code injection is thwarted. Related: https://osmocom.org/issues/1591 -- It looks like we would even rather implement a separate SMSC instead of revamping this to use sqlite directly. -- To view, visit https://gerrit.osmocom.org/5205 To unsubscribe, visit https://gerrit.osmocom.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I4171dad8ffffbf634a75dedde752d82c51ff7803 Gerrit-PatchSet: 1 Gerrit-Project: osmo-msc Gerrit-Branch: master Gerrit-Owner: Neels Hofmeyr <[email protected]> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: Max <[email protected]> Gerrit-Reviewer: Neels Hofmeyr <[email protected]> Gerrit-HasComments: Yes
