RSS module has SQL injection vulnerability #198

Closed
wants to merge 1 commit into from

Conversation

@keeakita commented Mar 3, 2013

Not sure if this affects MySQL, but at least using it with SQLite causes it to barf when my RSS feed has a string like this:

foo: "blah blah can't do bleh won't blah."

due to the fact that the raw string was being put in the SQL query. This could allow the controller of a remote RSS feed Willie is watching to execute arbitrary commands on the database if crafted right, but the more likely concern is just that quotes in an RSS feed cause it to throw an error.

ghost assigned embolalia Mar 3, 2013
@tyrope commented Mar 3, 2013

Thank you for finding this security risk, @LinuxBrony! We'll merge your code asap (and with 'we' I mean @embolalia). :P

@embolalia (Contributor) commented:

This is a bug, but not necessarily a security flaw. execute will only do one SQL command at a time, which prevents any real injection. That said, the "barfing" is absolutely an issue that will need to be fixed. The module will likely be rewritten when the database system is rewritten, but in the meantime something can probably be done the same way the db module does things, by basically substituting in willie.db.substitution for %s with the regular % operator, and then passing the arguments as you do here.
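
The pattern the comment above describes, as an added example that is not part of this thread or of Willie's own code: the raw-interpolated query beside the parameterised one, run against an in-memory SQLite table with a hypothetical rss_feeds schema and three constructed feed titles. It assumes Python's built-in sqlite3 module and uses its `?` placeholder directly rather than willie.db.substitution. It shows the apostrophe case from the report turning into a SQL syntax error, a stacked `DROP TABLE` being refused because sqlite3 executes one statement per execute() call, and, as the caveat a reviewer would add, a tautology placed inside that single statement still changing the query's result. The bound-parameter version returns 0 for all three, because the driver never parses the value as SQL.

```python
import sqlite3

# Constructed sample feed titles for the demo (not taken from any real feed):
APOSTROPHE_TITLE = 'foo: "blah blah can\'t do bleh won\'t blah."'  # shape of the title in the report
STACKED_TITLE = "x'; DROP TABLE rss_feeds; --"                     # stacked-query attempt
TAUTOLOGY_TITLE = "x' OR '1'='1"                                    # single-statement injection


def make_db():
    """In-memory SQLite table of already-seen feed items (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rss_feeds (feed TEXT NOT NULL, title TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO rss_feeds (feed, title) VALUES (?, ?)",
        [("news", "first item"), ("news", "second item"), ("blog", "other item")],
    )
    return conn


def count_seen_unsafe(conn, feed, title):
    """Vulnerable form: feed text is pasted into the SQL string with the % operator."""
    query = "SELECT COUNT(*) FROM rss_feeds WHERE feed = '%s' AND title = '%s'" % (feed, title)
    return conn.execute(query).fetchone()[0]


def count_seen_safe(conn, feed, title):
    """Hardened form: placeholders in the SQL text, values bound as parameters."""
    query = "SELECT COUNT(*) FROM rss_feeds WHERE feed = ? AND title = ?"
    return conn.execute(query, (feed, title)).fetchone()[0]


def outcome(func, conn, feed, title):
    """Return the count, or the name of the exception the driver raised.

    sqlite3 reports 'more than one statement' as sqlite3.Warning on older
    Pythons and as sqlite3.ProgrammingError on newer ones, so catch both.
    """
    try:
        return func(conn, feed, title)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return type(exc).__name__


def run_demo():
    """Run each constructed title through both query builders and collect results."""
    conn = make_db()
    return {
        # apostrophe: unsafe query is malformed SQL, safe query simply finds nothing
        "unsafe_apostrophe": outcome(count_seen_unsafe, conn, "news", APOSTROPHE_TITLE),
        "safe_apostrophe": outcome(count_seen_safe, conn, "news", APOSTROPHE_TITLE),
        # stacked statement: refused by execute(), so the table is not dropped
        "unsafe_stacked": outcome(count_seen_unsafe, conn, "news", STACKED_TITLE),
        "safe_stacked": outcome(count_seen_safe, conn, "news", STACKED_TITLE),
        # tautology inside the single statement: WHERE clause is rewritten,
        # so the unsafe query counts every row instead of matching one title
        "unsafe_tautology": outcome(count_seen_unsafe, conn, "news", TAUTOLOGY_TITLE),
        "safe_tautology": outcome(count_seen_safe, conn, "news", TAUTOLOGY_TITLE),
        # all three seeded rows are still there afterwards
        "table_survives": conn.execute("SELECT COUNT(*) FROM rss_feeds").fetchone()[0],
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The one-statement limit of execute() is what stops the stacked `DROP TABLE`, but it does nothing against `' OR '1'='1`, which stays inside the one SELECT and turns the "have I seen this item" check into a match on every row; only binding the title as a parameter removes the feed's text from the SQL grammar entirely.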

@embolalia (Contributor) commented:

This is solved by the above, but the module will be rewritten in 4.0.

embolalia closed this Mar 4, 2013
embolalia added a commit that referenced this pull request Mar 4, 2013
Closes issue #198 for the time being, but module needs a rewrite for 4.0
maxpowa pushed a commit to maxpowa/Inumuta that referenced this pull request Feb 20, 2015
Closes issue sopel-irc#198 for the time being, but module needs a rewrite for 4.0
dgw added the "Bugfix" label (Generally, PRs that reference (and fix) one or more issue(s)) and removed the "Bug" label (Things to squish; generally used for issues) Jan 3, 2019
Labels: Bugfix (Generally, PRs that reference (and fix) one or more issue(s)), Low Priority

4 participants