python-sql

Bug 70

classification
Title: Handling of quoted name for Table and Column could result in SQL Injection
Type: security
Severity: urgent
Components:
Versions:
process
Status:
Resolution:
Dependencies:
Superseder:
Assigned To: nicoe
Nosy List: nicoe
Priority: normal
Keywords:

Created on 2021-04-02 16:04 by nicoe, last changed 2021-04-02 16:04 by nicoe.

Messages
msg122 Author: [hidden] (nicoe) Date: 2021-04-02 16:04
Since python-sql does not double the quotes in Table and Column names, it could result in SQL injection if people somehow expose the table names to the exterior.

Here's a review for this issue: https://codereview.tryton.org/357651003
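The following is an added illustration of the issue, not code from python-sql or from the linked review: a hypothetical identifier quoter that wraps a name in double quotes without doubling embedded quotes (the pre-fix behaviour the report describes) beside one that doubles them as standard SQL requires, each run against an in-memory SQLite database with a constructed table name. The function names, the table and column names, and the sample data are all assumptions made for the example.

```python
import sqlite3

# Constructed, attacker-controlled "table name". The embedded double quote
# closes the delimited identifier early; everything after it is parsed as SQL.
MALICIOUS_NAME = 't" UNION SELECT secret FROM secrets --'


def quote_identifier_unsafe(name):
    """Wrap the name in double quotes without escaping embedded quotes.

    Hypothetical reimplementation of the behaviour the report describes
    (quotes not doubled); this is not python-sql's own code.
    """
    return '"%s"' % name


def quote_identifier(name):
    """Quote an SQL identifier, doubling any embedded double quote.

    Inside a delimited identifier the standard SQL escape for a literal
    double quote is two double quotes, so the name can never close the
    identifier early.
    """
    return '"%s"' % name.replace('"', '""')


def build_select(table, quote=quote_identifier):
    # Only the identifier quoting differs between the vulnerable and the
    # hardened variant; the rest of the statement is identical.
    return 'SELECT * FROM %s' % quote(table)


def _demo_db():
    """Constructed sample schema: one public table, one the user must not read."""
    conn = sqlite3.connect(':memory:')
    conn.executescript(
        "CREATE TABLE t (val TEXT);"
        "INSERT INTO t VALUES ('public');"
        "CREATE TABLE secrets (secret TEXT);"
        "INSERT INTO secrets VALUES ('hunter2');"
    )
    return conn


def run_select(table, quote):
    """Execute the generated statement; return the rows, or the error text."""
    conn = _demo_db()
    try:
        return [row[0] for row in conn.execute(build_select(table, quote))]
    except sqlite3.OperationalError as exc:
        # With proper quoting the whole malicious string is one identifier,
        # and no table of that name exists.
        return 'error: %s' % exc
    finally:
        conn.close()


if __name__ == '__main__':
    print(build_select(MALICIOUS_NAME, quote_identifier_unsafe))
    print(run_select(MALICIOUS_NAME, quote_identifier_unsafe))
    print(build_select(MALICIOUS_NAME, quote_identifier))
    print(run_select(MALICIOUS_NAME, quote_identifier))
```

With the unquoted-quote variant the generated statement is `SELECT * FROM "t" UNION SELECT secret FROM secrets --"` and the query returns the contents of `secrets` alongside `t`; with doubling, the database looks for a table literally named `t" UNION SELECT secret FROM secrets --` and fails. Doubling the delimiter is the correct escape, but identifiers taken from outside the application should additionally be checked against the set of names the application actually knows about.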
History
Date User Action Args
2021-04-02 16:04:26 nicoe create