Hello,
While adapting the resources.get service (need to have the possibility to call it using uuid), I found out a possible way to exploit a SQL injection flaw (in case of having activated the "notify by email" option), because one of the SQL queries done in the resources/Download.java file is not "protected".
Please find attached a patch which aims to fix this issue (untested but inspired by other similar fixes).
Hth,
–
Pierre Mauduit
Camptocamp France SAS
Savoie Technolac, BP 352
73377 Le Bourget du Lac Cedex
Tel : + 33 (0)4 79 44 44 92
http://www.camptocamp.com
pierre.mauduit@anonymised.com
(attachments)
Download.java.patch (883 Bytes)
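The report above describes the classic pattern: a user-controlled value spliced into the text of a SQL statement instead of being bound as a parameter. The attached patch is not shown on the page, and GeoNetwork is a Java project (the real fix would be a JDBC PreparedStatement with setString rather than string concatenation), so the following is an added example, not GeoNetwork's code, written in Python against an in-memory SQLite database so it runs stand-alone. The table name, columns, sample rows and the idea that the injectable value is a requested file name are all assumptions made for illustration; the thread does not say which query or column was affected.

```python
import sqlite3

# Constructed sample data (assumption: not GeoNetwork's real schema or rows).
SAMPLE_ROWS = [
    (1, "dem_2010.tif", "alice@example.org"),
    (2, "roads.shp", "bob@example.org"),
    (3, "private_survey.zip", "carol@example.org"),
]


def make_db():
    """Build a throwaway SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Downloads (id INTEGER, fname TEXT, email TEXT)")
    conn.executemany("INSERT INTO Downloads VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, fname):
    """Unprotected query: the caller-supplied value becomes part of the SQL text.

    This mirrors the flaw class in the report. Anything the caller puts in
    `fname` is interpreted by the SQL parser, not compared as data.
    """
    sql = "SELECT id, fname, email FROM Downloads WHERE fname = '" + fname + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, fname):
    """Protected query: the value is bound as a parameter.

    The driver sends the SQL and the value separately, so quotes, OR clauses
    or comment markers inside `fname` can never change the statement.
    The JDBC equivalent is prepareStatement(...) plus setString(1, fname).
    """
    sql = "SELECT id, fname, email FROM Downloads WHERE fname = ?"
    return conn.execute(sql, (fname,)).fetchall()


def demo():
    """Run both lookups with a benign name, a hostile payload and a legitimate
    apostrophe, and return the outcomes so they can be compared."""
    conn = make_db()
    benign = "roads.shp"
    hostile = "x' OR '1'='1"      # turns the WHERE clause into a tautology
    apostrophe = "o'reilly.tif"   # legitimate data that happens to contain a quote

    results = {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # leaks every row
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),         # matched literally: no rows
        "safe_apostrophe": lookup_safe(conn, apostrophe),   # fine: no rows, no error
    }
    # The unprotected form also breaks on ordinary input containing a quote;
    # record whether it raised rather than letting the demo abort.
    try:
        lookup_vulnerable(conn, apostrophe)
        results["vuln_apostrophe_raised"] = False
    except sqlite3.OperationalError:
        results["vuln_apostrophe_raised"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hostile input makes the unprotected query return all three rows, e-mail addresses included, which is exactly the kind of data a "notify by email" path would be handling; the same input against the parameterised query matches nothing. The apostrophe case is the practical check worth keeping in mind when reviewing a fix like the attached patch: a query that cannot cope with a quote in legitimate data is usually also injectable.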
Thanks Pierre. Applied http://trac.osgeo.org/geonetwork/ticket/510.
Francois
2011/5/18 Pierre Mauduit <pierre.mauduit@anonymised.com>:
_______________________________________________
GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at
http://sourceforge.net/projects/geonetwork