List: kde-commits
Subject: Re: KDE/kdebase/runtime/nepomuk/strigibackend
From: Sebastian Trüg <strueg () mandriva ! com>
Date: 2008-06-29 8:29:30
Message-ID: 200806291029.30801.strueg () mandriva ! com
On Sunday 29 June 2008 09:53:50 Oswald Buddenhagen wrote:
> On Sat, Jun 28, 2008 at 09:47:59PM +0000, Sebastian Trueg wrote:
> > - properly escape quotes in sparql queries.
> >
> > ---
> > trunk/KDE/kdebase/runtime/nepomuk/strigibackend/sopranoindexreader.cpp
> > #825632:825633 - .arg( QString::fromUtf8(
> > parent.c_str() ) ) + .arg( QString::fromUtf8(
> > parent.c_str() ).replace( '\"', "\\\"" ) )
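Review bot: the `.replace( '\"', "\\\"" )` call escapes only double quotes and leaves backslashes in `parent` untouched, so a value ending in a backslash turns the closing quote of the SPARQL literal into an escaped character and the literal's boundary is lost; escape backslashes first and quotes second, e.g. `.replace( '\\', "\\\\" ).replace( '\"', "\\\"" )` (the order matters: replacing quotes first would double the backslashes that the quote escape introduces).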
>
> And what about backslashes?
> FWIW, you just partially closed an SQL injection security hole. I'm not
> sure how much mischief can be done with that, but it sure is worth some
> serious thought.
No, actually, there is no security problem here. This is SPARQL, not SQL; it
is read-only.
But anyway, you are probably right, and I should escape backslashes, too.
Thanks for the hint.
Cheers,
Sebastian
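An added illustration, not code from the Nepomuk/Strigi backend (which uses QString rather than std::string): an escaping routine for double-quoted SPARQL string literals that handles backslashes before quotes, alongside the quote-only version from the commit, plus a small literal-boundary check that shows why a trailing backslash breaks the quote-only approach. The function names are assumptions made for this example.

```cpp
#include <iostream>
#include <string>

// Escape a value for use inside a double-quoted SPARQL string literal.
// Backslash is handled first so the backslash added for quotes is not doubled.
std::string escapeSparqlLiteral(const std::string& in) {
    std::string out;
    out.reserve(in.size() + 8);
    for (char c : in) {
        switch (c) {
            case '\\': out += "\\\\"; break;  // backslash before anything else
            case '"':  out += "\\\""; break;  // double quote
            case '\n': out += "\\n";  break;  // control characters per SPARQL ECHAR
            case '\r': out += "\\r";  break;
            case '\t': out += "\\t";  break;
            default:   out += c;
        }
    }
    return out;
}

// Quote-only escaping, equivalent to the commit's replace( '\"', "\\\"" ).
std::string escapeQuotesOnly(const std::string& in) {
    std::string out;
    for (char c : in) out += (c == '"') ? "\\\"" : std::string(1, c);
    return out;
}

// True if `literal` is exactly one well-formed double-quoted string: an opening
// quote, a body where a backslash escapes the next character, and an unescaped
// closing quote as the very last character.
bool isWellFormedLiteral(const std::string& literal) {
    if (literal.size() < 2 || literal[0] != '"') return false;
    for (size_t i = 1; i < literal.size(); ++i) {
        if (literal[i] == '\\') { ++i; continue; }             // skip escaped char
        if (literal[i] == '"') return i == literal.size() - 1; // must close at end
    }
    return false;  // closing quote never reached
}

int main() {
    const std::string value = "a\\";  // constructed input ending in a backslash
    std::cout << "quote-only : " << isWellFormedLiteral("\"" + escapeQuotesOnly(value) + "\"") << '\n';
    std::cout << "full escape: " << isWellFormedLiteral("\"" + escapeSparqlLiteral(value) + "\"") << '\n';
    return 0;
}
```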