Opened 11 years ago
Closed 11 years ago
#1225 closed defect (fixed)
TableExport service is prone to SQL injection and allows export any GeoNetwork table
| Reported by: | josegar74 | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | v2.8.0 |
| Component: | General | Version: | v2.8.0RC2 |
| Keywords: | Cc: |
Description
This service is allowed only to Administrators and used to export these tables in statistics module:
- Requests table
- Parameters table
But the service doesn't check the table provided in user request, so can export any database table, what seems unacceptable.
A fix is being developed, to allow configure which tables can be exported and check the user request to allow only allowed tables.
Note:
See TracTickets
for help on using tickets.
Committed in 2.8.x: 54bea3dcc89e09d0a8e7ccf7941db3432779fc88 Committed in master: 514f011098e1f0ab3a8857df8df849fb5e265ed7