View Issue Details
ID: 0008579
Type: defect
Category: [Openbravo ERP] A. Platform
Severity: major
Reproducibility: have not tried
Date Submitted: 2009-04-15 15:41
Last Update: 2009-06-04 00:00
Reporter: shuehner
View Status: public
Assigned To: shuehner
Priority: urgent
Resolution: fixed
Fixed in Version:
Status: closed
Fix in branch: pi
Fixed in SCM revision: 68ba24ee1a88
Projection: none
ETA: none
Target Version:
OS: Any
Database: Any
Java version:
OS Version:
Database version:
Ant version:
Product Version: 2.40
SCM revision:
Review Assigned To:
Web browser:
Modules: Core
Regression level:
Regression date:
Regression introduced in release:
Regression introduced by commit:
Triggers an Emergency Pack: No
Summary: 0008579: SQL injection in selectors

Description: The selector code has issues where it is possible to inject code into the executed SQL statement via crafted parameters coming from the user.
Tags: No tags attached.
Attached Files

Relationships
depends on backport 0009045 (closed, shuehner): SQL injection in selectors
related to defect 0005236 (closed, shuehner): Sorting by more than one column is not working in at least Product Complete & Business Partner Selector
related to defect 0009074 (closed, shuehner): SQL injection in datagrid code

Notes
(0016309)
shuehner (administrator)
2009-05-13 09:02

Updated to urgent as discussed with iciordia
(0016381)
hgbot (developer)
2009-05-15 12:13

Repository: erp/devel/pi
Changeset: d4fedb1b06c242856f0ae288fd2972f43c04eced
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Fri May 15 12:13:10 2009 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/d4fedb1b06c242856f0ae288fd2972f43c04eced

Issue 8579: Validate offset,pageSize to the numeric

---
M src/org/openbravo/erpCommon/info/Account.java
M src/org/openbravo/erpCommon/info/AccountElementValue.java
M src/org/openbravo/erpCommon/info/BusinessPartner.java
M src/org/openbravo/erpCommon/info/BusinessPartnerMultiple.java
M src/org/openbravo/erpCommon/info/DebtPayment.java
M src/org/openbravo/erpCommon/info/Invoice.java
M src/org/openbravo/erpCommon/info/InvoiceLine.java
M src/org/openbravo/erpCommon/info/Locator.java
M src/org/openbravo/erpCommon/info/Product.java
M src/org/openbravo/erpCommon/info/ProductComplete.java
M src/org/openbravo/erpCommon/info/ProductMultiple.java
M src/org/openbravo/erpCommon/info/Project.java
M src/org/openbravo/erpCommon/info/SalesOrder.java
M src/org/openbravo/erpCommon/info/SalesOrderLine.java
M src/org/openbravo/erpCommon/info/ShipmentReceipt.java
M src/org/openbravo/erpCommon/info/ShipmentReceiptLine.java
---
(0016425)
hgbot (developer)
2009-05-18 15:16

Repository: erp/devel/pi
Changeset: 68ba24ee1a88f95d7c2727454331f052809d9468
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Mon May 18 15:16:36 2009 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/68ba24ee1a88f95d7c2727454331f052809d9468

Fixed 8579: validate orderBy parameters, prepare ordering by multiple columns

---
M src/org/openbravo/erpCommon/info/Account.java
M src/org/openbravo/erpCommon/info/AccountElementValue.java
M src/org/openbravo/erpCommon/info/BusinessPartner.java
M src/org/openbravo/erpCommon/info/BusinessPartnerMultiple.java
M src/org/openbravo/erpCommon/info/DebtPayment.java
M src/org/openbravo/erpCommon/info/Invoice.java
M src/org/openbravo/erpCommon/info/InvoiceLine.java
M src/org/openbravo/erpCommon/info/Locator.java
M src/org/openbravo/erpCommon/info/Product.java
M src/org/openbravo/erpCommon/info/ProductComplete.java
M src/org/openbravo/erpCommon/info/ProductMultiple.java
M src/org/openbravo/erpCommon/info/Project.java
M src/org/openbravo/erpCommon/info/SalesOrder.java
M src/org/openbravo/erpCommon/info/SalesOrderLine.java
M src/org/openbravo/erpCommon/info/ShipmentReceipt.java
M src/org/openbravo/erpCommon/info/ShipmentReceiptLine.java
A src/org/openbravo/erpCommon/info/SelectorUtility.java
---
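The two checkins above describe the shape of the fix without showing code: offset and pageSize are restricted to numbers, and the orderBy parameter is validated (with multi-column ordering in mind). The following is an added illustration of that approach, written for this page; it is not Openbravo's SelectorUtility or any other code from the project. The table, column names and class name are assumptions chosen for the example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Added example (not Openbravo code). A selector that pastes user-supplied
 * offset, pageSize and orderBy values unchanged into its SQL text lets those
 * values alter the statement; restricting each one to exactly what the query
 * needs (a non-negative integer, a known column plus ASC/DESC) closes that
 * channel.
 */
public class SelectorParamCheck {

  /** Assumed allowed sort columns for a hypothetical product selector. */
  static final List<String> ALLOWED_SORT_COLUMNS =
      Arrays.asList("name", "value", "upc", "created");

  /** Vulnerable shape: request parameters are concatenated as-is. */
  static String buildUnsafe(String orderBy, String offset, String pageSize) {
    return "SELECT m_product_id, name, value FROM m_product"
        + " ORDER BY " + orderBy
        + " LIMIT " + pageSize + " OFFSET " + offset;
  }

  /** Accept only a short run of digits; anything else is rejected. */
  static int parseNonNegativeInt(String raw, String fieldName) {
    if (raw == null || !raw.matches("\\d{1,9}")) {
      throw new IllegalArgumentException(fieldName + " must be a non-negative integer");
    }
    return Integer.parseInt(raw);
  }

  /**
   * Validate an orderBy value of the form "col1 asc, col2 desc" against the
   * allowed column list and rebuild the clause from normalised tokens only,
   * so no part of the raw string reaches the SQL text.
   */
  static String validateOrderBy(String raw) {
    if (raw == null || raw.trim().isEmpty()) {
      return ALLOWED_SORT_COLUMNS.get(0) + " ASC";   // default ordering
    }
    StringBuilder clause = new StringBuilder();
    for (String part : raw.split(",")) {
      String[] tokens = part.trim().split("\\s+");
      if (tokens.length < 1 || tokens.length > 2 || tokens[0].isEmpty()) {
        throw new IllegalArgumentException("malformed orderBy term: " + part);
      }
      String column = tokens[0].toLowerCase(Locale.ROOT);
      if (!ALLOWED_SORT_COLUMNS.contains(column)) {
        throw new IllegalArgumentException("orderBy column not allowed: " + tokens[0]);
      }
      String direction = "ASC";
      if (tokens.length == 2) {
        String d = tokens[1].toUpperCase(Locale.ROOT);
        if (!d.equals("ASC") && !d.equals("DESC")) {
          throw new IllegalArgumentException("orderBy direction not allowed: " + tokens[1]);
        }
        direction = d;
      }
      if (clause.length() > 0) {
        clause.append(", ");
      }
      clause.append(column).append(' ').append(direction);
    }
    return clause.toString();
  }

  /** Hardened shape: only validated, re-serialised values reach the statement. */
  static String buildSafe(String orderBy, String offset, String pageSize) {
    int off = parseNonNegativeInt(offset, "offset");
    int size = parseNonNegativeInt(pageSize, "pageSize");
    return "SELECT m_product_id, name, value FROM m_product"
        + " ORDER BY " + validateOrderBy(orderBy)
        + " LIMIT " + size + " OFFSET " + off;
  }

  public static void main(String[] args) {
    // Well-formed request: two sort columns, numeric paging.
    System.out.println(buildSafe("name desc, value", "20", "10"));

    // Constructed bad inputs: an unknown column and a non-numeric page size.
    String[][] rejected = { { "name, colour", "0", "10" }, { "name", "0", "10abc" } };
    for (String[] r : rejected) {
      try {
        buildSafe(r[0], r[1], r[2]);
      } catch (IllegalArgumentException e) {
        System.out.println("rejected: " + e.getMessage());
      }
    }
  }
}
```

The point of validateOrderBy is that it never copies the caller's string into the clause; it emits the matched allow-list entry and a fixed ASC/DESC literal, so the set of possible ORDER BY texts is finite and known in advance. With JDBC the two integers would more naturally be bound with PreparedStatement.setInt rather than concatenated, but the numeric check is what matters either way, since LIMIT and OFFSET cannot be bound in every database driver.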

Issue History
Date Modified Username Field Change
2009-04-15 15:41 shuehner New Issue
2009-04-15 15:41 shuehner Assigned To => rafaroda
2009-04-15 15:41 shuehner Regression testing => No
2009-04-15 15:41 shuehner Assigned To rafaroda => shuehner
2009-04-22 20:04 psarobe Status new => scheduled
2009-04-22 20:04 psarobe fix_in_branch => pi
2009-05-13 09:02 shuehner Note Added: 0016309
2009-05-13 09:02 shuehner Priority normal => urgent
2009-05-13 09:02 shuehner fix_in_branch pi =>
2009-05-15 10:57 shuehner Status scheduled => acknowledged
2009-05-15 10:57 shuehner Status acknowledged => scheduled
2009-05-15 10:57 shuehner fix_in_branch => pi
2009-05-15 12:13 hgbot Checkin
2009-05-15 12:13 hgbot Note Added: 0016381
2009-05-15 12:13 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/d4fedb1b06c242856f0ae288fd2972f43c04eced
2009-05-18 15:16 hgbot Checkin
2009-05-18 15:16 hgbot Note Added: 0016425
2009-05-18 15:16 hgbot Status scheduled => resolved
2009-05-18 15:16 hgbot Resolution open => fixed
2009-05-18 15:16 hgbot Fixed in SCM revision http://code.openbravo.com/erp/devel/pi/rev/d4fedb1b06c242856f0ae288fd2972f43c04eced => http://code.openbravo.com/erp/devel/pi/rev/68ba24ee1a88f95d7c2727454331f052809d9468
2009-05-18 15:24 shuehner Relationship added related to 0005236
2009-05-18 15:34 shuehner Relationship added related to 0009074
2009-06-03 12:00 psarobe Status resolved => closed
2009-06-04 00:00 anonymous sf_bug_id 0 => 2800770


Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker