The Drupal Security team received the following report from Angie Byron. Since it is not exploitable, it can be fixed publicly.
I believe that the "Google News sitemap generator" module (http://drupal.org/project/googlenews) contains a possible SQL injection.
Relevant section of function _googlenews_getgooglenews():
---
// Build categories. If 'all' is set, this overrides all other selections.
$cats = variable_get('googlenews_category', array());
$ctypes = '';
if (!isset($cats['_gnall'])) {
  // Collect every configured node type as a quoted, comma-separated list.
  foreach ($cats as $key => $value) {
    if ($ctypes != '') {
      $ctypes .= ",'" . $key . "'";
    }
    else {
      $ctypes .= "'" . $key . "'";
    }
  }
}
if ($ctypes != '') {
  // The type list is concatenated straight into the query string, with no
  // escaping or placeholders.
  $sql = "select n.nid,created from {node} n where status=1 and type in (" . $ctypes . ") and from_unixtime(created) >= date_sub(curdate(),interval 3 day) order by created desc";
}
---
$ctypes is directly embedded in the SQL string, and is not sanitized first as recommended in the "Writing secure code" document at http://drupal.org/writing-secure-code. Problem is present in both the 5.x and 6.x versions of the module.
Please read http://drupal.org/writing-secure-code to learn how to use the database abstraction layer to avoid SQL injection attacks.
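For reference, the same node selection written through Drupal 6's database abstraction layer. This is an added example, not the googlenews module's code or its committed fix; it assumes the 'googlenews_category' setting is an array keyed by node type (as in the snippet above), that '_gnall' means "all types", and it uses db_placeholders(), which exists in Drupal 6 but not Drupal 5.

```php
<?php
/**
 * Added example (not the module's own code): select recent published nodes
 * of the configured types using db_query() placeholders instead of string
 * concatenation. Assumes 'googlenews_category' is an array keyed by node
 * type and that the '_gnall' key means "all types".
 */
function example_googlenews_recent_nids() {
  $cats = variable_get('googlenews_category', array());
  $types = isset($cats['_gnall']) ? array() : array_keys($cats);

  // Compute the cutoff in PHP so the query does not rely on MySQL-only
  // functions such as from_unixtime() and date_sub().
  $cutoff = time() - 3 * 24 * 60 * 60;

  if (empty($types)) {
    // 'all' selected (or nothing configured): no type restriction.
    $result = db_query("SELECT n.nid, n.created FROM {node} n WHERE n.status = 1 AND n.created >= %d ORDER BY n.created DESC", $cutoff);
  }
  else {
    // db_placeholders() emits one quoted '%s' per element; each type name is
    // passed as a query argument and escaped by db_query(), never concatenated.
    $placeholders = db_placeholders($types, 'varchar');
    $args = $types;
    $args[] = $cutoff;
    $result = db_query("SELECT n.nid, n.created FROM {node} n WHERE n.status = 1 AND n.type IN ($placeholders) AND n.created >= %d ORDER BY n.created DESC", $args);
  }

  $nids = array();
  while ($row = db_fetch_object($result)) {
    $nids[] = $row->nid;
  }
  return $nids;
}
```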
Comments
Comment #1
dave reid: Fixed in http://drupal.org/cvs?commit=242490. Thanks! Will backport recent changes to D5 when I can.
Comment #2
dave reid: Backported to D5 as well. No more security issues. :)