-
-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix #15898 - escape tbl_storage_engine argument #18253
base: QA_4_9
Are you sure you want to change the base?
Conversation
Signed-off-by: William Desportes <williamdes@wdes.fr> (cherry picked from commit ca42395)
This doesn't look like a correct fix. The ENGINE value is not a string literal and should not be quoted. The value should be validated against a list of known ENGINE types. The use of |
I am closing this one since no non security fix will enter 4.9 |
Can you make a PR to fix this in 5.2 ? |
Hi @williamdes ! Thank you for the quick reply! Version 4.9 is still in use, and an SQL injection seems like a critical security vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2020-22452 |
On a quick look at the history of that other issue, it appears to me like we meant to target 4.9.x with the fix as well, but because it was handled outside of our usual security process I may have missed backporting it when performing the release. Good catch by @izsob. I'll have to dig more in the commit history; I'm on mobile right now and it isn't easy to see all that information on one screen. If that's true, we should fix this for QA_4_9, but we should also make sure the fix that's already in 5.x was correct. I agree with Kamil about the escaping here and appreciate the input. |
I made a PR to backport it to 5.2. I don't mind it if you want to merge it into 4.9 too, but I don't really see any reason for it. While this is SQL injection, the nature of PMA is that it's a tool that allows users to execute arbitrary SQL statements. SQL injection would only be a problem if it allowed gaining elevated privileges, which this bug doesn't. |
I have re-open this PR Maybe you should try to adapt #18255 for 4.9 rather than the "wrong" fix I made ? |
Ref: https://security-tracker.debian.org/tracker/CVE-2020-22452 Introduced by 4d98851 /cc @carnil please read #15898 (comment) |
Signed-off-by: William Desportes williamdes@wdes.fr
(cherry picked from commit ca42395)
Description
The SQL injection was discovered and fixed a long time ago. Can you include the fix in a subsequent 4.9 release? I just cherry-picked the fixing commit, and I think the original plan was to include it in the 4.9 branch, if applicable (#15898).