Glen Ditchfield wrote:
> But does that ensure that the right thing will happen if the parameter has a
> single quote in it?
>
> By the way, here is what monotone 0.23 on SuSE 9.2 does in one case:
> [~]$ monotone ls certs a:o\'toole
> monotone: expanding selection 'a:o'toole'
> monotone: error: sqlite error: 1: near "toole": syntax error
> monotone: error: make sure database and containing directory are writeable
I do not trust the string mangling done in the selector code! A rewrite to use query parameters would be a good idea. But that's not my cup of tea (trying to port cvssync to rosters). I can confirm that different parts are indeed SQL injection proof.

Christof
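To illustrate the two approaches discussed in this thread, here is an added, self-contained example (not monotone's own code, and not using its real schema): a constructed `certs` table, a lookup that splices the selector value into the SQL text the way the string-mangling selector code does, and the same lookup using a bound query parameter. The value `o'toole` from Glen's session breaks the first and is handled correctly by the second.

```python
import sqlite3

# Constructed stand-in for a certs table. This is NOT monotone's real schema;
# it only needs a name/value pair to show the quoting problem.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE certs (name TEXT, value TEXT)")
    con.executemany(
        "INSERT INTO certs VALUES (?, ?)",
        [("author", "o'toole"), ("author", "glen"), ("branch", "net.venge.monotone")],
    )
    con.commit()
    return con

def lookup_by_string_mangling(con, value):
    """Splices the selector value into the SQL text (the pattern the thread distrusts).
    A single quote in the value terminates the literal early, so the rest of the
    value is parsed as SQL and SQLite reports a syntax error, as in Glen's session.
    Any other SQL in the value would be executed the same way."""
    sql = ("SELECT name, value FROM certs "
           "WHERE name = 'author' AND value = '" + value + "'")
    return con.execute(sql).fetchall()

def lookup_with_parameter(con, value):
    """Passes the selector value as a bound query parameter. The engine never
    parses the value as SQL, so quotes (or anything else) are plain data."""
    sql = "SELECT name, value FROM certs WHERE name = 'author' AND value = ?"
    return con.execute(sql, (value,)).fetchall()

def demo(value="o'toole"):
    """Runs both lookups on the same value and returns their outcomes."""
    con = make_db()
    results = {}
    try:
        results["mangled"] = lookup_by_string_mangling(con, value)
    except sqlite3.OperationalError as e:
        # The spliced query is malformed; monotone shows this as "sqlite error: 1".
        results["mangled"] = "error: " + str(e)
    results["param"] = lookup_with_parameter(con, value)
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The interesting point is the asymmetry: the parameterised lookup is not just "more robust" for names with apostrophes, it removes the whole class of problem, since no escaping rule has to be guessed for every place a selector value reaches the database.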
_______________________________________________
Monotone-devel mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/monotone-devel
