Unescaped $_GET data used in query [#1121344]

Just spotted this in the latest dev snapshot and it looks like an oversight -- one of the select queries uses the q parameter without any escaping, making it trivial to trick admins into executing arbitrary queries if you can get them to click on a link to a path with an admin-notes block in use.

Rolling a patch in a moment.

Comment	File	Size	Author
#1	unescaped-query-1121344-2.patch	586 bytes	eaton

Comments

Comment #1

eaton commented 8 April 2011 at 19:12

Status	File	Size
new	unescaped-query-1121344-2.patch	586 bytes

Aaaand here's the patch.

Comment #2

eaton commented 8 April 2011 at 19:12

Status:

Active

» Needs review

Comment #3

aaron commented 8 April 2011 at 20:01

Status:

Needs review

» Fixed

holy s***! thanks for catching that, @eaton. fixed & committed.

Comment #4

eaton commented 8 April 2011 at 21:56

No sweat, I saw that all the other queries were escaping things properly, so I figured it was just a mistake that slipped through. Thanks for the slick module!

Comment #5

22 April 2011 at 22:01

Status:

Fixed

» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Unescaped $_GET data used in query

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

News items

Our community

Documentation

Drupal code base

Governance of community