
List:       kde-commits
Subject:    Re: KDE/kdebase/runtime/nepomuk/strigibackend
From:       Sebastian Trüg <strueg () mandriva ! com>
Date:       2008-06-29 8:29:30
Message-ID: 200806291029.30801.strueg () mandriva ! com

On Sunday 29 June 2008 09:53:50 Oswald Buddenhagen wrote:
> On Sat, Jun 28, 2008 at 09:47:59PM +0000, Sebastian Trueg wrote:
> > - properly escape quotes in sparql queries.
> >
> > ---
> > trunk/KDE/kdebase/runtime/nepomuk/strigibackend/sopranoindexreader.cpp
> > #825632:825633 -                    .arg( QString::fromUtf8(
> > parent.c_str() ) ) +                    .arg( QString::fromUtf8(
> > parent.c_str() ).replace( '\"', "\\\"" ) )
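Review bot: the replace on the "+" line escapes only the double quote; a backslash in parent passes through unchanged, so a value containing \" (or ending in a lone \) becomes \\" after the replace, which SPARQL reads as an escaped backslash followed by an unescaped quote that terminates the string literal early. Escape backslashes first and quotes second, in that order, e.g. .replace( '\\', "\\\\" ).replace( '\"', "\\\"" ), and consider the remaining ECHAR escapes the SPARQL grammar defines for literals (newline, carriage return, tab), since a raw newline is not permitted inside a "..." literal.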
>
> and what about backslashes?
> fwiw, you just partially closed an sql injection security hole. i'm not
> sure how much mischief can be done with that, but it sure is worth some
> serious thought.

No, actually, there is no security problem here. This is sparql, not sql, it is read-only.
But anyway, you are probably right, and I should escape backslashes, too. Thanks for the hint.

Cheers,
Sebastian