View Issue Details
ID: 0009501
Type: defect
Category: [Openbravo ERP] Z. Others
Severity: major
Reproducibility: have not tried
Date Submitted: 2009-06-16 16:40
Last Update: 2009-07-29 00:00
Reporter: shuehner
View Status: public
Assigned To: shuehner
Priority: immediate
Resolution: fixed
Fixed in Version: 2.50MP3
Status: closed
Fixed in SCM revision: 358e681ec089
Projection: none
ETA: none
OS: Any
Database: Any
Product Version: pi
Modules: Core
Triggers an Emergency Pack: No
Summary: 0009501: Audit all xsql to ensure that all xsql-parameters of type argument/replace are properly validated - part1

Description: All xsql parameters of type argument/replace are potential candidates for injecting SQL code into the query. The code should be audited to ensure that the parameters' values have been properly validated by the callers.
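As an added illustration of the caller-side validation this issue asks for (example code, not Openbravo's own VariablesBase infrastructure), the check below whitelists an id-list request parameter before it is handed to a replace/argument-type xsql parameter, where the value is spliced into the SQL text rather than bound. The id format, class name and method names are assumptions.

```java
import java.util.regex.Pattern;

// Added example (not Openbravo code): a whitelist check for the "list of
// values" request parameters that callers paste into an xsql parameter of
// type replace/argument, i.e. straight into the SQL text. Assumption: each
// id is 1 to 32 hex characters (numeric system ids or 32-char UUID-style
// ids), and the list is written 'ID','ID' with optional surrounding ( ).
public final class IdListParameterValidator {

    private static final Pattern ID_LIST = Pattern.compile(
            "^'[0-9A-Fa-f]{1,32}'(,'[0-9A-Fa-f]{1,32}')*$");

    private IdListParameterValidator() {
    }

    /** True only if value is exactly a comma-separated list of quoted ids. */
    public static boolean isValidIdList(String value) {
        if (value == null) {
            return false;
        }
        String v = value.trim();
        if (v.startsWith("(") && v.endsWith(")")) {
            v = v.substring(1, v.length() - 1).trim();
        }
        return ID_LIST.matcher(v).matches();
    }

    /**
     * Caller-side gate before the value reaches the xsql parameter: fail
     * closed on anything that is not a clean list, instead of trying to
     * strip the unexpected part out and continuing.
     */
    public static String requireIdList(String paramName, String value) {
        if (!isValidIdList(value)) {
            throw new IllegalArgumentException(
                    "Request parameter " + paramName + " is not a valid id list");
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real request.
        String clean = "('0','1000000','FF8080812A1B2C3D012A1B2C3D4E0001')";
        String stray = "'0','1000000' AND 1";   // extra SQL token after the list
        String unquoted = "0,1000000";           // ids not quoted
        System.out.println("clean: " + isValidIdList(clean));
        System.out.println("stray: " + isValidIdList(stray));
        System.out.println("unquoted: " + isValidIdList(unquoted));
    }
}
```

Only the first value passes; the other two are rejected outright rather than sanitised, which is the fail-closed behaviour wanted for anything that ends up inside an IN (...) clause.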
Tags: 250MP3releasecandidate
Relationships
- related to defect 0009577 (closed, iciordia): Audit all xsql to ensure that all xsql-parameters of type argument/replace are properly validated - part2
- depends on feature request 0009500 (closed, shuehner): Add infrastructure to VariablesBase class to allow for technical validation of request parameters
- has duplicate defect 0009145 (closed, shuehner): SQL injection in Report Invoice Discount
- has duplicate defect 0009502 (closed, shuehner): Audit all code reading lists of values from a request to validate the values
- has duplicate defect 0009074 (closed, shuehner): SQL injection in datagrid code
- related to defect 0009578 (closed, shuehner): When doing install.source some warnings appear

Notes
(0017392)
hgbot (developer)
2009-06-17 17:57

Repository: erp/devel/pi
Changeset: 89943773b3ac9c5738e34b5ce67eddf867b802e4
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Wed Jun 17 17:57:36 2009 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/89943773b3ac9c5738e34b5ce67eddf867b802e4

Fixed 9501. Add validation of request values for all code reading lists of values

---
M src/org/openbravo/erpCommon/ad_actionButton/CopyFromOrder.java
M src/org/openbravo/erpCommon/ad_actionButton/CreateFrom.java
M src/org/openbravo/erpCommon/ad_actionButton/CreateFromMultiple.java
M src/org/openbravo/erpCommon/ad_forms/DebtPaymentUnapply.java
M src/org/openbravo/erpCommon/ad_forms/GenerateInvoicesmanual.java
M src/org/openbravo/erpCommon/ad_forms/GenerateShipmentsmanual.java
M src/org/openbravo/erpCommon/ad_forms/InitialClientSetup.java
M src/org/openbravo/erpCommon/ad_forms/InitialOrgSetup.java
M src/org/openbravo/erpCommon/ad_forms/MaterialReceiptPending.java
M src/org/openbravo/erpCommon/ad_forms/ModuleManagement.java
M src/org/openbravo/erpCommon/ad_forms/RemittanceCancel.java
M src/org/openbravo/erpCommon/ad_forms/RequisitionToOrder.java
M src/org/openbravo/erpCommon/ad_forms/UpdateReferenceData.java
M src/org/openbravo/erpCommon/ad_process/ChangeOrderOrg.java
M src/org/openbravo/erpCommon/ad_reports/GeneralAccountingReports.java
M src/org/openbravo/erpCommon/ad_reports/GenerateModel347.java
M src/org/openbravo/erpCommon/ad_reports/ReportAccountingCountDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportAgingBalance.java
M src/org/openbravo/erpCommon/ad_reports/ReportAnnualCertification.java
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
M src/org/openbravo/erpCommon/ad_reports/ReportDebtPayment.java
M src/org/openbravo/erpCommon/ad_reports/ReportDebtPaymentTrack.java
M src/org/openbravo/erpCommon/ad_reports/ReportDimensionalAnalysesPDF.java
M src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedger.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalPDF.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerEdition.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceDiscount.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceDiscountJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceVendorDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportOffer.java
M src/org/openbravo/erpCommon/ad_reports/ReportPricelist.java
M src/org/openbravo/erpCommon/ad_reports/ReportProjectBuildingSite.java
M src/org/openbravo/erpCommon/ad_reports/ReportProjectBuildingSiteJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportProjectProgress.java
M src/org/openbravo/erpCommon/ad_reports/ReportPurchaseDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportRefundInvoiceCustomerDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalysesPDF.java
M src/org/openbravo/erpCommon/ad_reports/ReportSalesDimensionalAnalyzeJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderDimensionalPDF.java
M src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportTrialBalance.java
M src/org/openbravo/erpCommon/ad_reports/ReportWarehousePartnerJR.java
M src/org/openbravo/erpCommon/businessUtility/PrinterReports.java
M src/org/openbravo/erpCommon/utility/DataGrid.java
M src/org/openbravo/erpCommon/utility/ModelSQLGeneration.java
---
(0017394)
shuehner (administrator)
2009-06-17 18:28

Re-opened: the commit should only be attached here and not resolve the issue, as it only solves the first part of the problem.
(0017401)
hgbot (developer)
2009-06-17 19:24

Repository: erp/devel/pi
Changeset: eb349950d4024c504db5f3041544c6073f2c2eb0
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Wed Jun 17 19:20:41 2009 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/eb349950d4024c504db5f3041544c6073f2c2eb0

Issue 9501: Filter request parameter for id-list in sorttab-style generated windows
- Example window: WindowsTabsandFields, tab: FieldSequence

---
M src-wad/src/org/openbravo/wad/javasourceSortTab.javaxml
---
(0017417)
hgbot (developer)
2009-06-18 11:20

Repository: erp/devel/pi
Changeset: 358e681ec08965b0f59a38770f17e1fa804e92d4
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Thu Jun 18 11:20:18 2009 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/358e681ec08965b0f59a38770f17e1fa804e92d4

Issue 9501: Add validation for request list parameter to one more place.

---
M src/org/openbravo/erpCommon/businessUtility/TabFilter.java
---
(0017511)
shuehner (administrator)
2009-06-22 11:39

Marking part1 as done to allow QA for MP2. Remaining work is tracked as 9577.

Issue History
Date Modified Username Field Change
2009-06-16 16:40 shuehner New Issue
2009-06-16 16:40 shuehner Assigned To => shuehner
2009-06-16 16:40 shuehner Relationship added depends on 0009500
2009-06-16 16:40 shuehner Relationship added depends on 0009101
2009-06-16 16:40 shuehner Relationship added depends on 0009145
2009-06-16 16:42 shuehner Relationship added depends on 0009502
2009-06-17 17:57 hgbot Checkin
2009-06-17 17:57 hgbot Note Added: 0017392
2009-06-17 17:57 hgbot Status new => resolved
2009-06-17 17:57 hgbot Resolution open => fixed
2009-06-17 17:57 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/89943773b3ac9c5738e34b5ce67eddf867b802e4
2009-06-17 18:27 shuehner Relationship deleted depends on 0009502
2009-06-17 18:28 shuehner Relationship added has duplicate 0009502
2009-06-17 18:28 shuehner Status resolved => new
2009-06-17 18:28 shuehner Resolution fixed => open
2009-06-17 18:28 shuehner Note Added: 0017394
2009-06-17 18:30 shuehner Relationship added has duplicate 0009074
2009-06-17 18:31 shuehner Relationship replaced has duplicate 0009145
2009-06-17 19:24 hgbot Checkin
2009-06-17 19:24 hgbot Note Added: 0017401
2009-06-17 19:24 hgbot Fixed in SCM revision http://code.openbravo.com/erp/devel/pi/rev/89943773b3ac9c5738e34b5ce67eddf867b802e4 => http://code.openbravo.com/erp/devel/pi/rev/eb349950d4024c504db5f3041544c6073f2c2eb0
2009-06-18 11:20 hgbot Checkin
2009-06-18 11:20 hgbot Note Added: 0017417
2009-06-18 11:20 hgbot Fixed in SCM revision http://code.openbravo.com/erp/devel/pi/rev/eb349950d4024c504db5f3041544c6073f2c2eb0 => http://code.openbravo.com/erp/devel/pi/rev/358e681ec08965b0f59a38770f17e1fa804e92d4
2009-06-22 11:38 shuehner Issue cloned 0009577
2009-06-22 11:38 shuehner Relationship added related to 0009577
2009-06-22 11:38 shuehner Status new => scheduled
2009-06-22 11:38 shuehner Summary Audit all xsql to ensure that all xsql-parameters of type argument/replace are properly validated => Audit all xsql to ensure that all xsql-parameters of type argument/replace are properly validated -part1
2009-06-22 11:39 shuehner Status scheduled => resolved
2009-06-22 11:39 shuehner Resolution open => fixed
2009-06-22 11:39 shuehner Note Added: 0017511
2009-06-22 11:57 shuehner Relationship added related to 0009578
2009-06-22 12:06 psarobe Fixed in Version => main
2009-07-21 16:24 psarobe Fixed in Version main => 2.50MP3
2009-07-21 16:26 psarobe Tag Attached: 250MP3releasecandidate
2009-07-28 13:07 psarobe Status resolved => closed
2009-07-29 00:00 anonymous sf_bug_id 0 => 2828653

