Security issue in resource-controller #176
Thanks for reporting this, but could you please not publish any security issues before it's fixed! See how rails handles this:
Yes, you're right, sorry. Wasn't aware of this as it seemed to be not so critical. Next time via email. You wrote about the arel_table yesterday. Do you know a way to push conditions to where_values? This would make it very easy to chain the conditions up.
Ok, quite difficult. I had something more elegant in mind but for now it should be safe to just sanitize the parameter:
Ok, I just created a security@alchemy-cms.com e-mail address
I know: It should only be accessible by authorized users... Nonetheless:
This line is vulnerable regarding (i.e.):
http://stackoverflow.com/questions/2962263/rails-sql-injection
Solutions are a bit complicated. Maybe it's better to build every condition on its own and chain them together afterwards. I'll try to figure out a nice piece of code for that.
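The approach proposed in the report (one condition per filter parameter, chained afterwards) as an added Ruby example; this is not Alchemy CMS code, ALLOWED_COLUMNS, safe_condition and build_where are hypothetical names, and the result is the array form that ActiveRecord's where accepts, built without ActiveRecord so it runs stand-alone.

```ruby
# Added example, not from the Alchemy CMS code base.
# Hypothetical whitelist of filterable columns; a resource controller would
# derive this from the model's column names rather than hard-code it.
ALLOWED_COLUMNS = %w[name public created_at].freeze

# The vulnerable pattern: request-controlled key and value are interpolated
# straight into SQL, so quotes in the value reach the database untreated.
def unsafe_condition(key, value)
  "#{key} = '#{value}'"
end

# The safe pattern: the column name must come from the whitelist (it cannot
# be a bind parameter), and the value is handed over as a bind parameter.
def safe_condition(column, value)
  unless ALLOWED_COLUMNS.include?(column.to_s)
    raise ArgumentError, "filtering on #{column.inspect} is not allowed"
  end
  ["#{column} = ?", value]
end

# Build each condition on its own and chain them with AND. Returns
# [sql, bind1, bind2, ...], which is what Model.where(...) accepts, or nil
# when the filter hash is empty (i.e. no where clause should be applied).
def build_where(filter)
  conditions = filter.map { |column, value| safe_condition(column, value) }
  return nil if conditions.empty?
  sql = conditions.map(&:first).join(" AND ")
  [sql, *conditions.map(&:last)]
end

# Constructed request parameters, as a controller would receive them.
if __FILE__ == $PROGRAM_NAME
  params = { "name" => "O'Reilly", "public" => true }
  puts unsafe_condition("name", params["name"])
  p build_where(params)
end
```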