Bug 42904 - Use sqlite3_mprintf() to avoid SQL injections
Product: colord
Classification: Unclassified
Component: daemon
Hardware: Other
OS: All
Priority: medium
Severity: normal
Assigned To: Richard Hughes
Reported: 2011-11-14 01:54 UTC by Vincent Untz
Modified: 2011-11-25 03:31 UTC (History)
Attachment 53501: Use sqlite3_mprintf() with %q (4.49 KB, patch), 2011-11-14 01:56 UTC, Vincent Untz
Attachment 53844: patch2 (4.71 KB, patch), 2011-11-25 02:44 UTC, Ludwig Nussel

Description Vincent Untz 2011-11-14 01:54:16 UTC
To be on the safe side, we should use sqlite3_mprintf() with %q. See http://www.sqlite.org/c3ref/mprintf.html
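An added illustration of the point in the description, not part of this bug or of colord's code: a statement built by pasting the device id straight into the SQL text versus the same statement with the value escaped the way sqlite3_mprintf()'s %q does (every single quote doubled), run against a real in-memory SQLite database. Python's standard sqlite3 module is used so it runs stand-alone; the escape_q() helper is an assumed re-implementation of %q's quoting, and the devices table is constructed for the demo, not colord's actual schema. Parameter binding is shown alongside as the stronger option.

```python
import sqlite3

# Constructed schema and rows for the demonstration; not colord's real layout.
SCHEMA = "CREATE TABLE devices (device_id TEXT PRIMARY KEY, kind TEXT)"
ROWS = [("xrandr-DP1", "display"), ("sysfs-printer", "printer")]


def open_sample_db():
    """In-memory SQLite database holding the two constructed device rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO devices VALUES (?, ?)", ROWS)
    return conn


def escape_q(text):
    """Assumed mirror of what sqlite3_mprintf()'s %q does: double every single
    quote so the value can never close the surrounding SQL string literal."""
    return text.replace("'", "''")


def count_unsafe(conn, device_id):
    """The pre-patch pattern: the id is pasted into the statement verbatim."""
    sql = "SELECT COUNT(*) FROM devices WHERE device_id = '%s'" % device_id
    return conn.execute(sql).fetchone()[0]


def count_escaped(conn, device_id):
    """The patched pattern: same statement, value escaped as %q would do it."""
    sql = "SELECT COUNT(*) FROM devices WHERE device_id = '%s'" % escape_q(device_id)
    return conn.execute(sql).fetchone()[0]


def count_bound(conn, device_id):
    """Parameter binding: the value is never parsed as SQL text at all."""
    sql = "SELECT COUNT(*) FROM devices WHERE device_id = ?"
    return conn.execute(sql, (device_id,)).fetchone()[0]


def demo():
    """Return the row counts each variant yields for one constructed hostile id."""
    conn = open_sample_db()
    # Constructed hostile id: the quote closes the literal, and the OR clause
    # then makes the WHERE predicate true for every row in the table.
    hostile = "nothing' OR 'a'='a"
    return (count_unsafe(conn, hostile),
            count_escaped(conn, hostile),
            count_bound(conn, hostile))
```

The unsafe variant matches every row for the hostile id, while the escaped and bound variants treat it as an ordinary (non-existent) id and match none; a legitimate id still matches exactly once in all three.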
Comment 1 Vincent Untz 2011-11-14 01:56:10 UTC
Created attachment 53501 [details] [review]
Use sqlite3_mprintf() with %q

The code builds with the patch, but as I don't really have things set up for color management, the code is untested.
Comment 2 Richard Hughes 2011-11-14 02:09:40 UTC
Pushed to master, thanks dude.
Comment 3 Ludwig Nussel 2011-11-25 02:43:51 UTC
The fix is incomplete; cd-device-db.c is vulnerable too.
Comment 4 Ludwig Nussel 2011-11-25 02:44:43 UTC
Created attachment 53844 [details] [review]
Comment 5 Richard Hughes 2011-11-25 03:31:04 UTC
Committed, thanks.