https://bugzilla.wikimedia.org/show_bug.cgi?id=35043
Tim Starling <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|High                        |Normal
              Group|security                    |
          Component|General                     |Search
            Version|unspecified                 |1.20-svn
         AssignedTo|[email protected]           |[email protected]
            Product|Security                    |MediaWiki
            Summary|PostgreSQL: SQL Injection   |PostgreSQL: "syntax error
                   |into search form            |in tsquery" when search
                   |                            |term contains apostrophes
           Severity|critical                    |normal

--- Comment #5 from Tim Starling <[email protected]> 2012-03-09 04:10:42 UTC ---

It's an arbitrary parameter to to_tsquery(), not arbitrary SQL, and my reading of the relevant manual section:

http://www.postgresql.org/docs/8.4/interactive/datatype-textsearch.html

suggests that this is not exploitable. The operations which can be performed are very limited. So I'm changing the component, severity and summary.
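The distinction the comment draws (user input reaching the tsquery parser inside to_tsquery(), rather than the SQL parser) is illustrated below with an added example; this is not the bug report's or MediaWiki's own code. It assumes the search term is bound as a SQL parameter, and shows one way to stop apostrophes and tsquery operator characters in the term from being read as tsquery syntax: quote every token as a tsquery lexeme (PostgreSQL writes an embedded quote as '' and escapes with backslash). The table and column names are hypothetical.

```python
def quote_tsquery_lexeme(token: str) -> str:
    """Quote one search token as a tsquery lexeme.

    Inside a quoted lexeme PostgreSQL treats backslash as an escape and a
    doubled single quote as a literal quote, so both are escaped here.
    """
    escaped = token.replace("\\", "\\\\").replace("'", "''")
    return f"'{escaped}'"


def build_tsquery_arg(user_term: str) -> str:
    """Turn raw search input into the string handed to to_tsquery().

    Each whitespace-separated token becomes a quoted lexeme and the lexemes
    are AND-ed together, so characters that mean something to the tsquery
    parser (& | ! ( ) : and the apostrophe that broke MediaWiki's search)
    are data, not query syntax. Returns '' for empty input; the caller
    should skip the search in that case rather than run to_tsquery('').
    """
    return " & ".join(quote_tsquery_lexeme(t) for t in user_term.split())


def search_statement() -> str:
    """SQL with the tsquery text bound as a parameter (%s, psycopg style).

    The term never reaches the SQL parser as code; only to_tsquery() sees
    it, which is the limited surface the comment describes.
    Hypothetical table/column names: pagecontent.textvector.
    """
    return (
        "SELECT page_id FROM pagecontent "
        "WHERE textvector @@ to_tsquery('english', %s)"
    )


def search_params(user_term: str) -> tuple:
    """Parameter tuple to pass alongside search_statement()."""
    return (build_tsquery_arg(user_term),)


if __name__ == "__main__":
    # Constructed sample inputs: an apostrophe, and tsquery operator chars.
    for term in ("it's a test", "foo & !bar", "o'neil:*"):
        print(term, "->", build_tsquery_arg(term))
```

Unquoted, the first term would be passed to to_tsquery() as `it's a test` and fail with "syntax error in tsquery"; quoted, it becomes `'it''s' & 'a' & 'test'`, which to_tsquery() normalises per lexeme.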
