Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0009045Openbravo ERPA. Platformpublic2009-04-15 15:412009-05-28 17:11
Reportershuehner 
Assigned Toshuehner 
PriorityurgentSeveritymajorReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version2.40 
Target VersionFixed in Version2.40MP5 
Merge Request Status
Review Assigned To
OBNetwork customerNo
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0009045: SQL injection in selectors
DescriptionThe selector code has issues where it is possible to inject code into the executed SQL statement via crafted parameters coming from the user.
Steps To Reproduce
Proposed Solution
Additional Information
TagsNo tags attached.
Relationships
related to backport 0005301 closed shuehner Sorting by more than one column is not working in at least Product Complete & Business Partner Selector 
blocks defect 0008579 closed shuehner SQL injection in selectors 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2009-05-15 10:57shuehnerTypedefect => backport
2009-05-15 10:57shuehnerfix_in_branch => 2.40
2009-05-18 15:26shuehnerRelationship addedrelated to 0005301
2009-05-20 11:40shuehnerNote Added: 0016499
2009-05-21 18:33hgbotCheckin
2009-05-21 18:33hgbotNote Added: 0016565
2009-05-21 18:33hgbotFixed in SCM revision => http://code.openbravo.com/erp/stable/2.40/rev/38f876f4779f9528adc58c2b5e5cced4292e5619 [^]
2009-05-21 18:33hgbotCheckin
2009-05-21 18:33hgbotNote Added: 0016566
2009-05-21 18:33hgbotFixed in SCM revisionhttp://code.openbravo.com/erp/stable/2.40/rev/38f876f4779f9528adc58c2b5e5cced4292e5619 [^] => http://code.openbravo.com/erp/stable/2.40/rev/fa2b7356bd0a6b0fc4787a18f53cd5e4f7062c8d [^]
2009-05-21 18:33hgbotCheckin
2009-05-21 18:33hgbotNote Added: 0016567
2009-05-21 18:33hgbotStatusscheduled => resolved
2009-05-21 18:33hgbotResolutionopen => fixed
2009-05-21 18:33hgbotFixed in SCM revisionhttp://code.openbravo.com/erp/stable/2.40/rev/fa2b7356bd0a6b0fc4787a18f53cd5e4f7062c8d [^] => http://code.openbravo.com/erp/stable/2.40/rev/8ae20e3dd9a79e1b739ab55b7addf61645f5e2a6 [^]
2009-05-28 16:37psarobeStatusresolved => closed
2009-05-28 17:11psarobeFixed in Version => 2.40MP5

Notes
(0016499)
shuehner   
2009-05-20 11:40   
Issue pending for 2.40 branch to reopen.
(0016565)
hgbot   
2009-05-21 18:33   
Repository: erp/stable/2.40
Changeset: 38f876f4779f9528adc58c2b5e5cced4292e5619
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Fri May 15 10:58:17 2009 +0200
URL: http://code.openbravo.com/erp/stable/2.40/rev/38f876f4779f9528adc58c2b5e5cced4292e5619 [^]

Issue 9045: Preparation: reformat affected selectors

---
M src/org/openbravo/erpCommon/info/Account.java
M src/org/openbravo/erpCommon/info/BusinessPartner.java
M src/org/openbravo/erpCommon/info/BusinessPartnerMultiple.java
M src/org/openbravo/erpCommon/info/DebtPayment.java
M src/org/openbravo/erpCommon/info/Invoice.java
M src/org/openbravo/erpCommon/info/InvoiceLine.java
M src/org/openbravo/erpCommon/info/Locator.java
M src/org/openbravo/erpCommon/info/Product.java
M src/org/openbravo/erpCommon/info/ProductComplete.java
M src/org/openbravo/erpCommon/info/ProductMultiple.java
M src/org/openbravo/erpCommon/info/Project.java
M src/org/openbravo/erpCommon/info/SalesOrder.java
M src/org/openbravo/erpCommon/info/SalesOrderLine.java
M src/org/openbravo/erpCommon/info/ShipmentReceipt.java
M src/org/openbravo/erpCommon/info/ShipmentReceiptLine.java
---
(0016566)
hgbot   
2009-05-21 18:33   
Repository: erp/stable/2.40
Changeset: fa2b7356bd0a6b0fc4787a18f53cd5e4f7062c8d
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Fri May 15 12:13:38 2009 +0200
URL: http://code.openbravo.com/erp/stable/2.40/rev/fa2b7356bd0a6b0fc4787a18f53cd5e4f7062c8d [^]

Issue 9045: Validate offset,pageSize to be numeric

---
M src/org/openbravo/erpCommon/info/Account.java
M src/org/openbravo/erpCommon/info/AccountElementValue.java
M src/org/openbravo/erpCommon/info/BusinessPartner.java
M src/org/openbravo/erpCommon/info/BusinessPartnerMultiple.java
M src/org/openbravo/erpCommon/info/DebtPayment.java
M src/org/openbravo/erpCommon/info/Invoice.java
M src/org/openbravo/erpCommon/info/InvoiceLine.java
M src/org/openbravo/erpCommon/info/Locator.java
M src/org/openbravo/erpCommon/info/Product.java
M src/org/openbravo/erpCommon/info/ProductComplete.java
M src/org/openbravo/erpCommon/info/ProductMultiple.java
M src/org/openbravo/erpCommon/info/Project.java
M src/org/openbravo/erpCommon/info/SalesOrder.java
M src/org/openbravo/erpCommon/info/SalesOrderLine.java
M src/org/openbravo/erpCommon/info/ShipmentReceipt.java
M src/org/openbravo/erpCommon/info/ShipmentReceiptLine.java
---
(0016567)
hgbot   
2009-05-21 18:33   
Repository: erp/stable/2.40
Changeset: 8ae20e3dd9a79e1b739ab55b7addf61645f5e2a6
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Mon May 18 15:15:30 2009 +0200
URL: http://code.openbravo.com/erp/stable/2.40/rev/8ae20e3dd9a79e1b739ab55b7addf61645f5e2a6 [^]

Fixed 9045: validate orderBy parameters, prepare ordering by multiple columns

---
M src/org/openbravo/erpCommon/info/Account.java
M src/org/openbravo/erpCommon/info/AccountElementValue.java
M src/org/openbravo/erpCommon/info/BusinessPartner.java
M src/org/openbravo/erpCommon/info/BusinessPartnerMultiple.java
M src/org/openbravo/erpCommon/info/DebtPayment.java
M src/org/openbravo/erpCommon/info/Invoice.java
M src/org/openbravo/erpCommon/info/InvoiceLine.java
M src/org/openbravo/erpCommon/info/Locator.java
M src/org/openbravo/erpCommon/info/Product.java
M src/org/openbravo/erpCommon/info/ProductComplete.java
M src/org/openbravo/erpCommon/info/ProductMultiple.java
M src/org/openbravo/erpCommon/info/Project.java
M src/org/openbravo/erpCommon/info/SalesOrder.java
M src/org/openbravo/erpCommon/info/SalesOrderLine.java
M src/org/openbravo/erpCommon/info/ShipmentReceipt.java
M src/org/openbravo/erpCommon/info/ShipmentReceiptLine.java
A src/org/openbravo/erpCommon/info/SelectorUtility.java
---