Bug 42904

Summary: Use sqlite3_mprintf() to avoid SQL injections
Product: colord
Reporter: Vincent Untz <vuntz>
Component: daemon
Assignee: Richard Hughes <richard>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Whiteboard:
Attachments: Use sqlite3_mprintf() with %q; patch2

Description Vincent Untz 2011-11-14 01:54:16 UTC
To be on the safe side, we should use sqlite3_mprintf() with %q. See http://www.sqlite.org/c3ref/mprintf.html
Comment 1 Vincent Untz 2011-11-14 01:56:10 UTC
Created attachment 53501
Use sqlite3_mprintf() with %q

The code builds with the patch, but as I don't really have things setup for color management, the code is untested.
Comment 2 Richard Hughes 2011-11-14 02:09:40 UTC
Pushed to master, thanks dude.
Comment 3 Ludwig Nussel 2011-11-25 02:43:51 UTC
The fix is incomplete; cd-device-db.c is vulnerable too.
Comment 4 Ludwig Nussel 2011-11-25 02:44:43 UTC
Created attachment 53844
patch2
Comment 5 Richard Hughes 2011-11-25 03:31:04 UTC
Committed, thanks.
