[SYNCOPE-416] AttributableSearchDAOImpl / Avoid query construction with string concatenation - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.1.3, 1.2.0-M1
Fix Version/s: 1.1.4, 1.2.0-M1
Component/s: core
Labels:
None

Description

Is there any reason why in org.apache.syncope.core.persistence.impl.AttributableSearchDAOImpl:419
the like condition is appended by string concatenation?

query.append(" LIKE '").append(cond.getExpression()).append("'");

IMO this could open up a possible SQL injection vulnerability.

In AttributableSearchDAOImpl:387 a query parameter is used, as I would have expected.

Attachments

Activity

People

Assignee:: Francesco Chicchiriccò

Reporter:: Guido Wimmel

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 19/Sep/13 08:02

Updated:: 27/Sep/13 06:01

Resolved:: 19/Sep/13 12:35