Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0009501 | Project: Openbravo ERP | Category: Z. Others | View Status: public | Date Submitted: 2009-06-16 16:40 | Last Update: 2009-07-29 00:00
Reporter: shuehner
Assigned To: shuehner
Priority: immediate | Severity: major | Reproducibility: have not tried
Status: closed | Resolution: fixed
5
Version: pi
Fixed in Version: 2.50MP3
Modules: Core
No
0009501: Audit all xsql to ensure that all xsql-parameters of type argument/replace are properly validated -part1
All xsql parameters of type argument/replace are potential candidates for injecting SQL code into the query, because their values are concatenated into the SQL text rather than bound as statement parameters. The code should be audited to ensure that the parameters' values have been properly validated by the callers.
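As an added illustration (not Openbravo's code, and not the change made in the linked revisions), the kind of caller-side check the description asks for: a comma-separated id list read from the request is validated element by element before it is turned into the `IN (...)` fragment that an `argument`-type xsql parameter splices verbatim into the query. The id pattern and the class and method names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical helper, not Openbravo code: the caller-side check needed before
// a request value is handed to an xsql parameter of type "argument"/"replace",
// since such parameters are concatenated into the SQL text, not bound.
public final class IdListValidation {
  // Assumption: an id is 1-32 hex characters (quotes, spaces, keywords fail).
  private static final Pattern ID = Pattern.compile("[0-9A-Fa-f]{1,32}");

  // Returns the validated ids; throws on the first element that is not an id,
  // so a malformed list never reaches the query builder.
  public static List<String> validateIdList(String raw) {
    if (raw == null || raw.trim().isEmpty()) {
      throw new IllegalArgumentException("empty id list");
    }
    List<String> ids = new ArrayList<String>();
    for (String part : raw.split(",", -1)) {
      String id = part.trim();
      if (!ID.matcher(id).matches()) {
        throw new IllegalArgumentException("not an id: " + id);
      }
      ids.add(id);
    }
    return ids;
  }

  // Builds the text the "argument" parameter receives, e.g. ('100','0').
  // Only the output of validateIdList() may be passed here.
  public static String toInList(List<String> ids) {
    StringBuilder sb = new StringBuilder("(");
    for (int i = 0; i < ids.size(); i++) {
      if (i > 0) sb.append(',');
      sb.append('\'').append(ids.get(i)).append('\'');
    }
    return sb.append(')').toString();
  }

  public static void main(String[] args) {
    // Constructed sample values, not taken from any real request.
    System.out.println(toInList(validateIdList("100,0,1000A0B1C2D3E4F5")));
    try {
      validateIdList("100,x'y"); // a quote is not an id character: rejected
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```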
Tags: 250MP3releasecandidate
Relationships:
- related to defect 0009577 (closed, iciordia): Audit all xsql to ensure that all xsql-parameters of type argument/replace are properly validated - part2
- depends on feature request 0009500 (closed, shuehner): Add infrastructure to VariablesBase class to allow for technical validation of request parameters
- has duplicate defect 0009145 (closed, shuehner): SQL injection in Report Invoice Discount
- has duplicate defect 0009502 (closed, shuehner): Audit all code reading lists of values from a request to validate the values
- has duplicate defect 0009074 (closed, shuehner): SQL injection in datagrid code
- related to defect 0009578 (closed, shuehner): When doing install.source some warnings appear
Issue History
Date | User | Change
2009-06-16 16:40 | shuehner | New Issue
2009-06-16 16:40 | shuehner | Assigned To => shuehner
2009-06-16 16:40 | shuehner | Relationship added: depends on 0009500
2009-06-16 16:40 | shuehner | Relationship added: depends on 0009101
2009-06-16 16:40 | shuehner | Relationship added: depends on 0009145
2009-06-16 16:42 | shuehner | Relationship added: depends on 0009502
2009-06-17 17:57 | hgbot | Checkin
2009-06-17 17:57 | hgbot | Note Added: 0017392
2009-06-17 17:57 | hgbot | Status: new => resolved
2009-06-17 17:57 | hgbot | Resolution: open => fixed
2009-06-17 17:57 | hgbot | Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/89943773b3ac9c5738e34b5ce67eddf867b802e4
2009-06-17 18:27 | shuehner | Relationship deleted: depends on 0009502
2009-06-17 18:28 | shuehner | Relationship added: has duplicate 0009502
2009-06-17 18:28 | shuehner | Status: resolved => new
2009-06-17 18:28 | shuehner | Resolution: fixed => open
2009-06-17 18:28 | shuehner | Note Added: 0017394
2009-06-17 18:30 | shuehner | Relationship added: has duplicate 0009074
2009-06-17 18:31 | shuehner | Relationship replaced: has duplicate 0009145
2009-06-17 19:24 | hgbot | Checkin
2009-06-17 19:24 | hgbot | Note Added: 0017401
2009-06-17 19:24 | hgbot | Fixed in SCM revision: http://code.openbravo.com/erp/devel/pi/rev/89943773b3ac9c5738e34b5ce67eddf867b802e4 => http://code.openbravo.com/erp/devel/pi/rev/eb349950d4024c504db5f3041544c6073f2c2eb0
2009-06-18 11:20 | hgbot | Checkin
2009-06-18 11:20 | hgbot | Note Added: 0017417
2009-06-18 11:20 | hgbot | Fixed in SCM revision: http://code.openbravo.com/erp/devel/pi/rev/eb349950d4024c504db5f3041544c6073f2c2eb0 => http://code.openbravo.com/erp/devel/pi/rev/358e681ec08965b0f59a38770f17e1fa804e92d4
2009-06-22 11:38 | shuehner | Issue cloned: 0009577
2009-06-22 11:38 | shuehner | Relationship added: related to 0009577
2009-06-22 11:38 | shuehner | Status: new => scheduled
2009-06-22 11:38 | shuehner | Summary: Audit all xsql to ensure that all xsql-parameters of type argument/replace are properly validated => Audit all xsql to ensure that all xsql-parameters of type argument/replace are properly validated -part1
2009-06-22 11:39 | shuehner | Status: scheduled => resolved
2009-06-22 11:39 | shuehner | Resolution: open => fixed
2009-06-22 11:39 | shuehner | Note Added: 0017511
2009-06-22 11:57 | shuehner | Relationship added: related to 0009578
2009-06-22 12:06 | psarobe | Fixed in Version => main
2009-07-21 16:24 | psarobe | Fixed in Version: main => 2.50MP3
2009-07-21 16:26 | psarobe | Tag Attached: 250MP3releasecandidate
2009-07-28 13:07 | psarobe | Status: resolved => closed
2009-07-29 00:00 | anonymous | sf_bug_id: 0 => 2828653

Notes
(0017392) hgbot, 2009-06-17 17:57
Repository: erp/devel/pi
Changeset: 89943773b3ac9c5738e34b5ce67eddf867b802e4
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Wed Jun 17 17:57:36 2009 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/89943773b3ac9c5738e34b5ce67eddf867b802e4

Fixed 9501. Add validation of request values for all code reading lists of values

---
M src/org/openbravo/erpCommon/ad_actionButton/CopyFromOrder.java
M src/org/openbravo/erpCommon/ad_actionButton/CreateFrom.java
M src/org/openbravo/erpCommon/ad_actionButton/CreateFromMultiple.java
M src/org/openbravo/erpCommon/ad_forms/DebtPaymentUnapply.java
M src/org/openbravo/erpCommon/ad_forms/GenerateInvoicesmanual.java
M src/org/openbravo/erpCommon/ad_forms/GenerateShipmentsmanual.java
M src/org/openbravo/erpCommon/ad_forms/InitialClientSetup.java
M src/org/openbravo/erpCommon/ad_forms/InitialOrgSetup.java
M src/org/openbravo/erpCommon/ad_forms/MaterialReceiptPending.java
M src/org/openbravo/erpCommon/ad_forms/ModuleManagement.java
M src/org/openbravo/erpCommon/ad_forms/RemittanceCancel.java
M src/org/openbravo/erpCommon/ad_forms/RequisitionToOrder.java
M src/org/openbravo/erpCommon/ad_forms/UpdateReferenceData.java
M src/org/openbravo/erpCommon/ad_process/ChangeOrderOrg.java
M src/org/openbravo/erpCommon/ad_reports/GeneralAccountingReports.java
M src/org/openbravo/erpCommon/ad_reports/GenerateModel347.java
M src/org/openbravo/erpCommon/ad_reports/ReportAccountingCountDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportAgingBalance.java
M src/org/openbravo/erpCommon/ad_reports/ReportAnnualCertification.java
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
M src/org/openbravo/erpCommon/ad_reports/ReportDebtPayment.java
M src/org/openbravo/erpCommon/ad_reports/ReportDebtPaymentTrack.java
M src/org/openbravo/erpCommon/ad_reports/ReportDimensionalAnalysesPDF.java
M src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedger.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalPDF.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerEdition.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceDiscount.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceDiscountJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceVendorDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportOffer.java
M src/org/openbravo/erpCommon/ad_reports/ReportPricelist.java
M src/org/openbravo/erpCommon/ad_reports/ReportProjectBuildingSite.java
M src/org/openbravo/erpCommon/ad_reports/ReportProjectBuildingSiteJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportProjectProgress.java
M src/org/openbravo/erpCommon/ad_reports/ReportPurchaseDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportRefundInvoiceCustomerDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalysesPDF.java
M src/org/openbravo/erpCommon/ad_reports/ReportSalesDimensionalAnalyzeJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderDimensionalPDF.java
M src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportTrialBalance.java
M src/org/openbravo/erpCommon/ad_reports/ReportWarehousePartnerJR.java
M src/org/openbravo/erpCommon/businessUtility/PrinterReports.java
M src/org/openbravo/erpCommon/utility/DataGrid.java
M src/org/openbravo/erpCommon/utility/ModelSQLGeneration.java
---
(0017394) shuehner, 2009-06-17 18:28
Re-opened: the commit should only be attached here and not resolve the issue, as it only solves the first part of the problem.
(0017401) hgbot, 2009-06-17 19:24
Repository: erp/devel/pi
Changeset: eb349950d4024c504db5f3041544c6073f2c2eb0
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Wed Jun 17 19:20:41 2009 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/eb349950d4024c504db5f3041544c6073f2c2eb0

Issue 9501: Filter request parameter for id-list in sorttab-style generated windows
- Example window: WindowsTabsandFields, tab: FieldSequence

---
M src-wad/src/org/openbravo/wad/javasourceSortTab.javaxml
---
(0017417) hgbot, 2009-06-18 11:20
Repository: erp/devel/pi
Changeset: 358e681ec08965b0f59a38770f17e1fa804e92d4
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Thu Jun 18 11:20:18 2009 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/358e681ec08965b0f59a38770f17e1fa804e92d4

Issue 9501: Add validation for request list parameter to one more place.

---
M src/org/openbravo/erpCommon/businessUtility/TabFilter.java
---
(0017511) shuehner, 2009-06-22 11:39
Marking part1 as done to allow QA for MP2. Remaining work is tracked as 9577.