Fix sort_by not being filtered in search form#1252
glensc merged 1 commit into eventum:master from noobpk:fix-timebase-sql
Check the sort_by value in the request with the default table before entering the query. Fix bug Time-Based Blind SQL Injection Disclosure: https://huntr.dev/bounties/668789af-8781-461c-99bb-d159e5a1d877/ Signed-off-by: Elan Ruusamäe <glen@pld-linux.org>
rebased, added changelog myself. enabled auto merge. ps: fixed "Disclosure" typo in your commit message.
Damn, the PR is buggy. should have tested it locally.
However, are you saying the method is not escaping properly?
Also, this fix completely disables searching by custom fields:
And resetting the ORDER BY desc, iss_id DESC
@noobpk where or how did you obtain what to fill as
ok. there's dropdown for sort_by, let's go with that:

```html
<label>Sort By<br />
<select name="sort_by">
<option value="last_action_date" >Last Action Date</option>
<option value="pri_rank" >Priority</option>
<option value="iss_id" >Issue ID</option>
<option value="sta_rank" >Status</option>
<option value="iss_summary" >Summary</option>
</select>
</label>
```
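As an added example (not Eventum's code and not the patch in this PR), the allowlist check that the dropdown above suggests, written in PHP beside the string interpolation that makes an ORDER BY injectable; the function names, the `last_action_date` fallback, and the `, iss_id DESC` tie-breaker (inferred from the thread) are assumptions:

```php
<?php
// Added example, not Eventum's own code.
// Allowlist the sort_by request value against the <option> values the
// search form actually offers, before it can reach the SQL text.

// The option values from the sort_by dropdown quoted above.
const SORT_BY_ALLOWED = ['last_action_date', 'pri_rank', 'iss_id', 'sta_rank', 'iss_summary'];

/**
 * Return $sortBy unchanged if it is one of the dropdown values, else $default.
 * The strict in_array() comparison avoids type-juggling surprises.
 * If custom-field columns must remain sortable (the concern raised in this
 * thread), add them to the allowlist from a trusted source, never from the request.
 */
function filterSortBy(string $sortBy, string $default = 'last_action_date'): string
{
    return in_array($sortBy, SORT_BY_ALLOWED, true) ? $sortBy : $default;
}

// Vulnerable pattern: the request value is interpolated into ORDER BY.
// String-escaping helpers do not help here, because ORDER BY takes an
// identifier or expression, not a quoted string literal.
function buildOrderByUnsafe(string $sortBy, string $dir): string
{
    return "ORDER BY $sortBy $dir, iss_id DESC";
}

// Hardened pattern: only an allowlisted column and a fixed direction keyword
// are ever concatenated, so the request cannot change the shape of the query.
function buildOrderBySafe(string $sortBy, string $dir): string
{
    $column = filterSortBy($sortBy);
    $direction = strtoupper($dir) === 'ASC' ? 'ASC' : 'DESC';
    return "ORDER BY $column $direction, iss_id DESC";
}

// Constructed demo input: a value that is not a dropdown option.
$untrusted = "iss_id, (injected expression)";
echo buildOrderByUnsafe($untrusted, 'desc'), PHP_EOL; // untrusted text lands in the SQL
echo buildOrderBySafe($untrusted, 'desc'), PHP_EOL;   // falls back to last_action_date
```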
New fix: so far the injected SQL is not appearing in the query log.
oops!! sorry about that. my mistake :((
well. the whole thing was untested. see other notes as well. had to re-do the whole fix |
Check sort_by value before query
Check the sort_by value in the request with the default table before entering the query.
Fix bug Time-Based Blind SQL Injection