Ticket #125 (closed defect: fixed)

Opened 6 years ago

Last modified 5 years ago

Escape user data in iTQL queries (security issue)

Reported by: ronald Assigned to: ronald
Priority: high Milestone:
Component: topaz Version: 0.5-SNAPSHOT
Keywords: Cc:
Blocking: Blocked By:

Description

Switch all code to call ItqlHelper.escapeLiteral() on all user-supplied literal values inserted into iTQL queries. Additionally, user-supplied URIs should be checked via ItqlHelper.validateUri().

While this is being done, it might be a good idea to also use ItqlHelper.bindValues() instead of String.replaceAll(...).
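The following is an added illustration of the three points in the description (escape literals, validate URIs, bind values instead of String.replaceAll); it is not code from topaz, and the escapeLiteral/validateUri/bindValues methods here are assumed stand-ins for ItqlHelper, not its real implementation. It assumes iTQL string literals are single-quoted with backslash escapes, and the model and creator URIs are constructed placeholders.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Stand-ins for the ItqlHelper methods named in the ticket; behaviour is assumed, not topaz's code. */
public final class ItqlBindingDemo {

    /** Assumption: iTQL string literals are single-quoted and use backslash escapes. */
    static String escapeLiteral(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\"); break;   // backslash first, so the escapes below are not doubled
                case '\'': sb.append("\\'");  break;   // a quote must not be able to close the literal
                case '"':  sb.append("\\\""); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Accept only an absolute, well-formed URI containing nothing that could end a <...> reference. */
    static String validateUri(String raw) {
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URI: " + raw, e);
        }
        if (!uri.isAbsolute() || raw.indexOf('<') >= 0 || raw.indexOf('>') >= 0
                || raw.chars().anyMatch(Character::isWhitespace)) {
            throw new IllegalArgumentException("unsafe URI reference: " + raw);
        }
        return raw;
    }

    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{(\\w+)\\}");

    /**
     * Substitute ${name} placeholders with values that were already escaped or validated.
     * Matcher.quoteReplacement keeps '\' and '$' in the value verbatim; String.replaceAll would
     * instead interpret them as replacement-string syntax (undoing "\'" or failing on "$1").
     */
    static String bindValues(String template, Map<String, String> values) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String bound = values.get(m.group(1));
            if (bound == null) {
                throw new IllegalArgumentException("no value bound for ${" + m.group(1) + "}");
            }
            m.appendReplacement(out, Matcher.quoteReplacement(bound));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** The pattern the ticket asks to retire: user data pasted in with String.replaceAll. */
    static String buildWithReplaceAll(String template, String title) {
        return template.replaceAll("\\$\\{title\\}", title);
    }

    public static void main(String[] args) {
        // Constructed sample query; <urn:example:model> is a placeholder, not a real topaz model.
        String template = "select $s from <urn:example:model> where"
                + " $s <http://purl.org/dc/elements/1.1/title> '${title}' and"
                + " $s <http://purl.org/dc/elements/1.1/creator> <${creator}>;";

        String title = "O'Reilly";                          // legitimate input that contains a quote
        String creator = "http://example.org/people/alice"; // constructed sample URI

        // Unescaped: the apostrophe closes the literal early and the remainder becomes query syntax.
        System.out.println(buildWithReplaceAll(template, title));

        // Escaped but still via replaceAll: the backslash in "O\'Reilly" is consumed as a
        // replacement-string escape, so the query again reads 'O'Reilly' and the escaping is lost.
        System.out.println(buildWithReplaceAll(template, escapeLiteral(title)));

        // Escape the literal, validate the URI, then bind with the replacement-safe helper.
        Map<String, String> bound = Map.of(
                "title", escapeLiteral(title),
                "creator", validateUri(creator));
        System.out.println(bindValues(template, bound));
    }
}
```

The middle case is the reason escaping alone is not enough: Matcher-based replacement (which String.replaceAll uses) treats backslash and dollar in the replacement string specially, so a correctly escaped literal can be mangled on its way into the query unless it is inserted through Matcher.quoteReplacement or an equivalent binding helper.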

Dependency Graph

Change History

10/20/06 17:01:44 changed by ebrown

  • priority changed from unassigned to high.
  • milestone changed from TBD to november6.

10/20/06 17:37:21 changed by ebrown

  • owner changed from somebody to ronald.

11/01/06 02:11:24 changed by ronald

  • status changed from new to closed.
  • resolution set to fixed.

(In [912]) Closes #125:

  • security audit for proper validation and escaping of all externally supplied inputs to avoid iTQL injection attacks.
  • Make sure all literals in iTQL statements are always properly escaped
  • Use ItqlHelper.bindValues() instead of String.replaceAll() when building iTQL statements.

10/29/07 21:12:54 changed by

  • milestone deleted.

Milestone november6 deleted