Bug 42904 - Use sqlite3_mprintf() to avoid SQL injections
Summary: Use sqlite3_mprintf() to avoid SQL injections
Status: RESOLVED FIXED
Alias: None
Product: colord
Classification: Unclassified
Component: daemon
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Richard Hughes
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-14 01:54 UTC by Vincent Untz
Modified: 2011-11-25 03:31 UTC
CC: 0 users
See Also:


Attachments
Use sqlite3_mprintf() with %q (4.49 KB, patch), 2011-11-14 01:56 UTC, Vincent Untz
patch2 (4.71 KB, patch), 2011-11-25 02:44 UTC, Ludwig Nussel

Description Vincent Untz 2011-11-14 01:54:16 UTC
To be on the safe side, we should use sqlite3_mprintf() with %q. See http://www.sqlite.org/c3ref/mprintf.html
Comment 1 Vincent Untz 2011-11-14 01:56:10 UTC
Created attachment 53501
Use sqlite3_mprintf() with %q

The code builds with the patch, but as I don't really have things set up for color management, the code is untested.
Comment 2 Richard Hughes 2011-11-14 02:09:40 UTC
Pushed to master, thanks dude.
Comment 3 Ludwig Nussel 2011-11-25 02:43:51 UTC
The fix is incomplete; cd-device-db.c is vulnerable too.
Comment 4 Ludwig Nussel 2011-11-25 02:44:43 UTC
Created attachment 53844
patch2
Comment 5 Richard Hughes 2011-11-25 03:31:04 UTC
Committed, thanks.