Bug #23724
Closed
Unescape SQL in eventlog filter
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression: No
Description
In the eventlog filter, we don't correctly escape the input from the user before doing the SQL query. That doesn't look exploitable (the backend correctly faults), but DB information about the faulty request is returned in the (console) error message. The DB structure is open source, but still, this case must be forbidden by construction, way before we reach that error.
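The following is an added example, not Rudder's code and not part of the ticket: a Python/sqlite3 sketch of the pattern described above (filter input pasted into SQL, driver error returned to the caller) next to a version that rejects bad filters before any SQL is built. The table, columns and function names are hypothetical.

```python
import sqlite3

# Hypothetical schema and names; this is not Rudder's real table layout.
SORT_COLUMNS = {"id", "creationdate", "principal"}  # allow-list of sortable columns
SORT_ORDERS = {"asc", "desc"}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE eventlog (id INTEGER PRIMARY KEY, "
                 "creationdate TEXT, principal TEXT, description TEXT)")
    # Constructed sample rows.
    conn.executemany(
        "INSERT INTO eventlog (creationdate, principal, description) VALUES (?, ?, ?)",
        [("2023-11-01", "admin", "Rule 'base' modified"),
         ("2023-11-02", "alice", "Node accepted")])
    return conn

def search_unsafe(conn, term, sort_col="id", order="asc"):
    """The 'before': input becomes SQL text and the driver error is returned as-is."""
    sql = ("SELECT id, description FROM eventlog "
           f"WHERE description LIKE '%{term}%' ORDER BY {sort_col} {order}")
    try:
        return {"rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as e:
        return {"error": f"{e} in: {sql}"}  # leaks query text and DB details

class InvalidFilter(ValueError):
    """Raised when a filter field is outside what the API accepts."""

def search_safe(conn, term, sort_col="id", order="asc"):
    """The 'after': identifiers from an allow-list, values bound, errors generic."""
    if sort_col not in SORT_COLUMNS or order.lower() not in SORT_ORDERS:
        raise InvalidFilter("unsupported sort column or order")  # before any SQL exists
    # Escape LIKE wildcards so the search term is matched literally.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT id, description FROM eventlog WHERE description LIKE ? ESCAPE '\\' "
           f"ORDER BY {sort_col} {order.lower()}")
    try:
        return {"rows": conn.execute(sql, ("%" + escaped + "%",)).fetchall()}
    except sqlite3.Error:
        return {"error": "event log query failed"}  # details go to server logs only
```

With a search term containing a single quote, `search_unsafe` returns the driver message and the query text, while `search_safe` treats the quote as data and finds the matching row.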
Updated by François ARMAND about 1 year ago
- Status changed from New to In progress
Updated by François ARMAND about 1 year ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Vincent MEMBRÉ
- Pull Request set to https://github.com/Normation/rudder/pull/5166
Updated by Anonymous about 1 year ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|99ec4fe27b2bd2dfbdf6d094598a9b82726198b6.
Updated by Clark ANDRIANASOLO about 1 year ago
- Fix check changed from To do to Checked
Updated by Vincent MEMBRÉ about 1 year ago
This bug has been fixed in Rudder 7.3.10 and 8.0.4 which were released today.
Updated by Vincent MEMBRÉ 9 months ago
- Status changed from Pending release to Released