Ticket #3663 (new defect)
Opened 12 months ago
Insecure
| Reported by: | dsd | Owned by: | godiard |
|---|---|---|---|
| Priority: | Unspecified by Maintainer | Milestone: | Unspecified by Release Team |
| Component: | Wikipedia | Version: | Unspecified |
| Severity: | Minor | Keywords: | |
| Cc: | Distribution/OS: | Unspecified | |
| Bug Status: | Unconfirmed |
Description
wikiserver commit 6ea1a1c78131 adds some custom string handling. This probably works in the " case but isn't great.
You should properly escape the string passed to the query. See the "# Never do this -- insecure!" example at http://docs.python.org/library/sqlite3.html
Note: See
TracTickets for help on using
tickets.
