Hello Gary,
Thanks for reporting this.
Gary wrote:
>
> I'm not sure of whether this bug is specific to Jyve in general, or just
> the current implementation of it on locus.apache.org,
Jyve in general, from looking at the code here:
http://www.working-dogs.com/jyve/cvsweb/index.cgi/jyve/src/java/org/apache/jyve/screens/SearchResults.java?rev=1.6&content-type=text/x-cvsweb-markup
Here's a simple idea for a fix; is this too expensive/clumsy? Note: not
a patch or a diff yet, just seeking feedback...
private String removeChars(String s)
{
    /**
     * Remove punctuation, regexp chars, etc. from the string.
     * (ASCII punctuation in code-point order; note that '"' is not in the list.)
     */
    char[] REMOVE_CHAR = { '!' , '#' , '$' , '%' , '&' , '\'' ,
                           '(' , ')' , '*' , '+' , ',' ,
                           '-' , '.' , '/' , ':' , ';' , '<' ,
                           '=' , '>' , '?' , '@' , '[' , '\\' ,
                           ']' , '^' , '_' , '`' , '{' , '|' ,
                           '}' , '~' };
    for (int i = 0; i < REMOVE_CHAR.length; i++)
        s = s.replace(REMOVE_CHAR[i], ' ');
    s = s.trim();
    return s;
}
>
> This can probably be abused to get unauthorized access to the MySQL database.
I don't understand how that would work, can you elaborate?
Regards,
~Eric
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Archives and Other: <http://java.apache.org/main/mail.html>
Problems?: [EMAIL PROTECTED]
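Added example (not from this thread or from the Jyve code base) to evaluate the removeChars proposal above. It reimplements the blacklist with the list in ASCII order, enumerates which ASCII punctuation characters pass through it (the double quote is not in the list), shows an allow-list variant that keeps only letters, digits and whitespace, and sketches the database side with a PreparedStatement so the search term is bound as a parameter rather than spliced into the SQL text. The thread does not show how SearchResults builds its query, so the table and column names here are placeholders, not Jyve's schema.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Set;
import java.util.TreeSet;

public class SearchTermFilterDemo {

    // Blacklist from the thread, in ASCII code-point order.
    // '"' (0x22) is not listed, so it survives the filter.
    private static final char[] REMOVE_CHAR = { '!', '#', '$', '%', '&', '\'',
        '(', ')', '*', '+', ',', '-', '.', '/', ':', ';', '<',
        '=', '>', '?', '@', '[', '\\', ']', '^', '_', '`', '{', '|', '}', '~' };

    /** Blacklist approach as proposed: replace each listed char with a space. */
    static String removeChars(String s) {
        for (char c : REMOVE_CHAR) {
            s = s.replace(c, ' ');
        }
        return s.trim();
    }

    /** Returns every printable ASCII non-alphanumeric char that removeChars leaves intact. */
    static Set<Character> survivingPunctuation() {
        Set<Character> survivors = new TreeSet<>();
        for (char c = 0x21; c <= 0x7e; c++) {
            if (Character.isLetterOrDigit(c)) {
                continue;
            }
            String out = removeChars("a" + c + "a");
            if (out.indexOf(c) >= 0) {
                survivors.add(c);
            }
        }
        return survivors; // expected: just '"'
    }

    /** Allow-list alternative: keep letters, digits and whitespace; everything else becomes a space. */
    static String keepWordChars(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            sb.append(Character.isLetterOrDigit(c) || Character.isWhitespace(c) ? c : ' ');
        }
        return sb.toString().trim();
    }

    /**
     * Database side: bind the term as a parameter instead of concatenating it
     * into the SQL string. Table and column names are placeholders (assumed,
     * not Jyve's schema). Not called from main, since it needs a live Connection.
     */
    static PreparedStatement buildSearchStatement(Connection conn, String term)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
            "SELECT id, subject FROM faq_entries WHERE subject LIKE ?");
        ps.setString(1, "%" + term + "%");
        return ps;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal query, quoted text, and a comparison.
        String[] samples = { "ant build.xml", "say \"hello\" it's me", "x > 1" };
        for (String s : samples) {
            System.out.println("in:        [" + s + "]");
            System.out.println("blacklist: [" + removeChars(s) + "]");
            System.out.println("allowlist: [" + keepWordChars(s) + "]");
        }
        System.out.println("punctuation surviving the blacklist: " + survivingPunctuation());
    }
}
```

Two things worth noticing when running it: the blacklist silently changes legitimate terms ("build.xml" becomes "build xml") while still passing the double quote, which is exactly the kind of gap a character list tends to have; and the PreparedStatement form keeps the term out of the SQL text entirely, so the filter then only needs to serve search quality rather than protect the database.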