User "Awjrichards" posted a comment on Wikimedia.r205. Full URL: http://www.mediawiki.org/wiki/Special:Code/Wikimedia/205#c18922

Commit summary:
moving the contents of http://svn.wikimedia.org/viewvc/mediawiki/trunk/fundraiser-statistics/fundraiser-scripts/ for fundraiser analytics and reporting to the wikimedia repository

Comment:
You've already caught this in a 'Fixme' note, but this should be fixed before this is ready for production: /trunk/fundraiser-analysis/classes/DataLoader.py line 432 - potential for divide by 0

I'm forgetting where, exactly. This may or may not actually be a problem, but in run_query() on line 544 of DataLoader, it looks like there's the possibility for executing arbitrary SQL files (line 561). This is probably not that big of a deal, but it's possible that directory traversal could be somehow exploited here to execute undesirable SQL files. Perhaps this is guarded against wherever this class gets used or is otherwise a non-issue depending on implementation, but wanted to raise this as a potential issue.

Are the db queries in DataLoader.py TestTableLoader, SquidLogTableLoader, ImpressionTableLoader, LandingPageTableLoader safe from potential SQL injection? Tough for me to tell from the code - but you may need to escape variable data going into those queries.

MediaWiki-CodeReview mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
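The two points the reviewer raises (a loader that executes whatever .sql file it is handed, and variable data concatenated into queries) have standard mitigations. The following is an added illustration, not code from the fundraiser-analysis repository or its DataLoader: the SQL_DIR path, the table and column names, and the sample rows are all assumed.

```python
import os
import sqlite3

# Constructed example (not the DataLoader.py being reviewed). Shows
# (1) confining the file a run_query()-style loader may execute to one
#     approved directory, so a name such as '../other.sql' is rejected, and
# (2) passing variable data as query parameters instead of building SQL text.

SQL_DIR = "/opt/fundraiser/sql"  # assumed location of the approved .sql files


def resolve_sql_file(name, sql_dir=SQL_DIR):
    """Return the absolute path of a .sql file inside sql_dir, or raise ValueError."""
    base = os.path.realpath(sql_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath() collapses '..' and symlinks; commonpath() then checks that the
    # result is still under base ('/opt/fundraiser/sql-other' would not match).
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("SQL file outside approved directory: %r" % name)
    if not candidate.endswith(".sql"):
        raise ValueError("not a .sql file: %r" % name)
    return candidate


def sql_file_allowed(name, sql_dir=SQL_DIR):
    """Boolean form of resolve_sql_file(), convenient for callers and tests."""
    try:
        resolve_sql_file(name, sql_dir)
        return True
    except ValueError:
        return False


def count_impressions(conn, landing_page, start_ts, end_ts):
    """Parameterised query: the values never become part of the SQL text,
    so a landing_page of "lp1' OR '1'='1" is matched literally, not parsed."""
    sql = ("SELECT COUNT(*) FROM impressions "
           "WHERE landing_page = ? AND ts >= ? AND ts < ?")
    return conn.execute(sql, (landing_page, start_ts, end_ts)).fetchone()[0]


def demo_conn():
    """In-memory table with constructed rows (assumed schema) for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE impressions (landing_page TEXT, ts INTEGER)")
    conn.executemany("INSERT INTO impressions VALUES (?, ?)",
                     [("lp1", 10), ("lp1", 20), ("lp2", 15), ("lp1", 30)])
    return conn
```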
