[TRUNK-3939] Potential Second Order SQLi in ConceptValidatorChangeSet.isNameUniqueInLocale - OpenMRS Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Non-Essential
Resolution: Won't Fix
Affects Version/s: OpenMRS 1.9.3
Fix Version/s: None
Component/s: None
Labels:

Complexity:
Undetermined
Development:

Description

credit: Timothy D. Morgan

The escapeSqlWildcards method likely only escapes wildcard characters, not ' and the like.

private boolean isNameUniqueInLocale(JdbcConnection connection, ConceptName conceptName, int conceptId) {

  int duplicates = getInt(connection,
    "SELECT count(*) FROM concept_name cn, concept c WHERE cn.concept_id = c.concept_id  AND (cn.concept_name_type = '"
      + ConceptNameType.FULLY_SPECIFIED
      + "' OR cn.locale_preferred = '1') AND cn.voided = '0' AND cn.name = '"
      + HibernateUtil.escapeSqlWildcards(conceptName.getName(), connection.getUnderlyingConnection())
      + "' AND cn.locale = '"
      + HibernateUtil.escapeSqlWildcards(conceptName.getLocale().toString(), connection
        .getUnderlyingConnection()) + "' AND c.retired = '0' AND c.concept_id != " + conceptId);

    return duplicates == 0;
}

Make sure that this code ConceptValidatorChangeSet.isNameUniqueInLocale does not allow SQL injection attacks.

Gliffy Diagrams

Attachments

Activity

People

Assignee:: Grace Potma

Reporter:: Burke Mamlin

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2013-03-21 10:55:31 GMT

Updated:: 2020-11-09 17:58:54 GMT

Resolved:: 2020-11-09 17:58:54 GMT

Time Tracking

Estimated:

Remaining:

Logged:

Not Specified