oops on $team/+reassign page when entering "%"
Bug #413287 reported by
Edwin Grubbs
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Fix Released
|
Low
|
Unassigned | ||
Bug Description
This is not a security vulnerability since arbitrary sql can't be injected. The '%' is just not escaped, so psycopg's variable substitution blows up.
The ValidPersonOrTe
For example:
SQL('SELECT name FROM person WHERE id = ? AND displayname = ?', (33, 'foo'))
This should also eliminate the need to use quote() and quote_like() on the parameters.
OOPS-1321S1050
Related branches
lp:~sinzui/launchpad/vocab-storm-bug-413287
- Eleanor Berger (community): Approve
-
Diff: 95 lines (+35/-16)2 files modifiedlib/lp/registry/doc/vocabularies.txt (+23/-2)
lib/lp/registry/vocabularies.py (+12/-14)
| Changed in launchpad-registry: | |
| importance: | Undecided → Low |
| status: | New → Triaged |
| Changed in launchpad-registry: | |
| milestone: | none → 3.1.11 |
| Changed in launchpad-registry: | |
| assignee: | nobody → Curtis Hovey (sinzui) |
| status: | Triaged → In Progress |
Revision history for this message
| Curtis Hovey (sinzui) wrote | #1 |
| Changed in launchpad-registry: | |
| status: | In Progress → Fix Committed |
Revision history for this message
| Curtis Hovey (sinzui) wrote Bug 413287 Fix released | #2 |
| Changed in launchpad-registry: | |
| status: | Fix Committed → Fix Released |
| Changed in launchpad: | |
| assignee: | Curtis Hovey (sinzui) → nobody |
To post a comment you must log in.
Fixed in launchpad devel r9933.