Page MenuHomePhabricator
Create Task
Maniphest T103439

Ex:WikibaseQualityExternalValidation - DumpMetaInformationRepo needs to strictly validate table names
Closed, ResolvedPublic
Actions

Description

Since $dumpMetaTableName and $identifierPropertiesTableName are used in raw queries, with on $db->tableName() called on them, they need to strictly validate that the name is a simple string and does not contain sql. Database::tableName() is not safe for preventing sql injection.

It looks like you can validate that they match /[a-z_]+/.

Related Objects
Search...

Event Timeline

csteipp created this task.Jun 22 2015, 11:26 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added projects: Wikibase-Quality, Wikidata, deprecated-security-team-reviews, Wikibase-Quality-External-Validation.
csteipp added subscribers: JanZerebecki, Jonaskeutel, Tamslo and 5 others.
csteipp added a comment.Jun 22 2015, 11:29 PM

ExternalDataRepo should also validate its $tableName

soeren.oldag subscribed.Jun 23 2015, 9:24 AM

Tables names are no longer injected into the database services, but stored as constants. Is this still necessary?

Please note, that the repository has changed.

csteipp closed this task as Resolved.Jun 24 2015, 12:38 AM
csteipp claimed this task.

Constants are ok

Liuxinyu970226 unsubscribed.Jun 24 2015, 1:01 AM
sbassett moved this task from Incoming to Done on the deprecated-security-team-reviews board.Apr 24 2019, 6:36 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits