Escape data before using them in SQL #289
Conversation
This commit fixes a couple of possible SQLi errors. Fixes #286
I don't know which bugs are supposed to be fixed here. Do you have any test cases for me to try?
@michael-e see #286 when Nils is searching for a user
Try to add some
Even without your fix, using plain Symphony 2.6.11 and Members 1.6.0, I added I don't think that I understand all the issues well enough to do systematic testing here.
I’m currently not using the members extension in any relevant project and don’t understand the code well enough to do a proper review and testing, sorry.
No problems Jens, thanks.
@michael-e Nils also had problems with publish filtering I think. Nevertheless, the code needs those fixes.
Just to make sure everybody's on the same page: When I go in the members section, I filter by username with The user does not see the end result, but can still do things like Same thing happens with a datasource filtered by username using
If @nilshoerrmann could confirm that it fixes his problems, that would be cool ;)
I sadly won't have time this week to look into this. Feel free to ping me again next week.
@nitriques Thanks for the explanation. It sounds like a severe issue to me, because it is not limited to backend users. We should release a hotfix version soon.
Thanks @nilshoerrmann
It is! I've warned everybody last June but never got the chance to actually patch it :(
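As an added illustration of the concatenation problem this PR addresses (example code, not the Members extension's or Symphony's own), here is a username filter built by string concatenation next to the same lookup with a bound parameter. It assumes a plain PDO/SQLite setup with a constructed `members` table; the PR escapes values, whereas this example binds them, which removes the same class of defect.

```php
<?php
// Added example, not code from the Members extension. Uses an in-memory
// SQLite database via PDO so it runs stand-alone; the members table and
// its rows are constructed here for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO members (username) VALUES ('alice'), ('o''neil')");

// Defective pattern: the filter value is pasted straight into the SQL text,
// so a quote in the value changes the query's structure instead of being data.
function findByUsernameUnsafe(PDO $db, string $username): array {
    $sql = "SELECT id, username FROM members WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed pattern: the value is passed as a bound parameter and the driver
// treats it as a literal string whatever characters it contains.
function findByUsernameSafe(PDO $db, string $username): array {
    $stmt = $db->prepare('SELECT id, username FROM members WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed filter value: a perfectly legitimate username containing a quote.
$filter = "o'neil";

try {
    findByUsernameUnsafe($db, $filter);
} catch (PDOException $e) {
    // The quote ended the string literal early and the rest of the value was
    // parsed as SQL. A malformed query on ordinary input is the warning sign
    // that crafted input would be parsed as SQL too.
    echo 'unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}

// The bound-parameter version returns the o'neil row and nothing else.
print_r(findByUsernameSafe($db, $filter));
```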