[TRUNK-3939] Potential Second Order SQLi in ConceptValidatorChangeSet.isNameUniqueInLocale - OpenMRS Issues

XML

Word

Printable

Details

Type: Bug
Status: Design
Priority: Non-Essential
Resolution: Unresolved
Affects Version/s: OpenMRS 1.9.3
Fix Version/s: None
Component/s: None
Labels:
- flosshack-201301
- security

Complexity:
Undetermined

Description

credit: Timothy D. Morgan

The escapeSqlWildcards method likely only escapes wildcard characters, not ' and the like.

private boolean isNameUniqueInLocale(JdbcConnection connection, ConceptName conceptName, int conceptId) {

  int duplicates = getInt(connection,
    "SELECT count(*) FROM concept_name cn, concept c WHERE cn.concept_id = c.concept_id  AND (cn.concept_name_type = '"
      + ConceptNameType.FULLY_SPECIFIED
      + "' OR cn.locale_preferred = '1') AND cn.voided = '0' AND cn.name = '"
      + HibernateUtil.escapeSqlWildcards(conceptName.getName(), connection.getUnderlyingConnection())
      + "' AND cn.locale = '"
      + HibernateUtil.escapeSqlWildcards(conceptName.getLocale().toString(), connection
        .getUnderlyingConnection()) + "' AND c.retired = '0' AND c.concept_id != " + conceptId);

    return duplicates == 0;
}

Make sure that this code ConceptValidatorChangeSet.isNameUniqueInLocale does not allow SQL injection attacks.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Burke Mamlin

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2013-03-21 10:55:31 GMT

Updated:: 2013-11-10 09:00:44 GMT

Time Tracking

Estimated:

Remaining:

Logged:

Not Specified