https://bugzilla.wikimedia.org/show_bug.cgi?id=70510

            Bug ID: 70510
           Summary: DatabaseSqlite::tableName() function incorrectly
                    implemented
           Product: MediaWiki
           Version: 1.24-git
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: Database
          Assignee: [email protected]
          Reporter: [email protected]
       Web browser: ---
   Mobile Platform: ---

The SQLite database back-end fails to quote table names properly.  This is a
possible SQL-injection attack vector, which should be patched ASAP!

From the comment at
https://git.wikimedia.org/blob/mediawiki%2Fcore.git/c55116b808ba938e075d738a91515d2a7ab6b67d/includes%2Fdb%2FDatabaseSqlite.php#L370
(latest commit at time of writing) it looks like when
DatabaseSqlite::tableName() was originally written, the parent class returned
the identifier wrapped in backticks, which would break SQLite, and so these
characters were simply removed (leaving the string unquoted) instead of
replaced with an appropriate equivalent (double-quotes or square brackets both
work).

At some point the parent class was changed so it quotes using double-quotes,
which SQLite is fine with, but instead of removing the function it was simply
updated to remove the double-quote characters instead.

Therefore, currently, if there is a table name such as "invalid table name" it
generates an SQL error in SQLite because the name is unquoted.  More
dangerously, if there is a table name such as "; DROP TABLE text; SELECT * FROM
;" we have a disaster!

Note that I came across this error in my extension, when creating temporary
tables based on article names, but any code which assumes (reasonably) that
tableName() is going to handle identifier quoting for them is potentially very
broken when using SQLite!

The fix, as far as I can see, is simply to remove the function from the child
class.  I would remove it myself, but Gerrit makes it too difficult.
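As an added illustration (not code from the report or from MediaWiki), the following Python script uses the sqlite3 module to model the behaviour described above: a parent-style quoter that wraps identifiers in double quotes, a child-style override that strips them again, and the proposed fix of leaving the parent's quoting untouched. The function names and the sample table names are assumed for this illustration.

```python
import sqlite3

# Parent-class behaviour as described in the report: wrap the identifier in
# double quotes, which SQLite accepts; doubling any embedded double quote is
# SQLite's escape rule for identifiers.
def quote_identifier(name: str) -> str:
    return '"' + name.replace('"', '""') + '"'

# Models the broken DatabaseSqlite::tableName(): strip the quotes the parent
# added, so the identifier reaches SQLite bare (hypothetical name).
def broken_table_name(name: str) -> str:
    return quote_identifier(name).replace('"', '')

# The fix the report proposes: drop the override and use the parent's quoting.
def fixed_table_name(name: str) -> str:
    return quote_identifier(name)

def create_and_list(table_name_fn, names):
    """Create one table per name with the given quoting function.

    Returns (tables_present, errors) so the effect of each quoting style can be
    inspected. Identifiers cannot be bound as query parameters in SQLite, so
    correct quoting is the only defence at this layer.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "text" (id INTEGER)')  # constructed victim table
    errors = {}
    for name in names:
        try:
            conn.execute(f"CREATE TABLE {table_name_fn(name)} (id INTEGER)")
        except sqlite3.Error as exc:  # syntax errors, multi-statement refusals
            errors[name] = str(exc)
    tables = sorted(row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'"))
    conn.close()
    return tables, errors

# Constructed sample names taken from the report's two scenarios.
NAMES = ["invalid table name", "; DROP TABLE text; SELECT * FROM ;"]

if __name__ == "__main__":
    # Unquoted: a name with spaces is rejected outright by SQLite.
    print(create_and_list(broken_table_name, [NAMES[0]]))
    # Quoted: both names become ordinary table names and "text" survives.
    print(create_and_list(fixed_table_name, NAMES))
```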

Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l