This project is archived and is in readonly mode.

#964 ✓resolved
Jon Leighton

Fix for SQL injection on :limit and :offset should be backported

Reported by Jon Leighton | September 3rd, 2008 @ 03:51 PM | in 2.0.3

The fix in #288 is a serious security vulnerability and should be backported to all stable branches.

Comments and changes to this ticket

  • August Lilleaas
  • Smeevil
  • Jon Leighton

    Jon Leighton September 3rd, 2008 @ 04:08 PM

    More info about the problem on this blog post:

    The facts we have:

    • The problem is fixed in the abstract adapter for 2.1.0
    • The problem is not fixed for the 2.0 or 1.2 branches
    • The problem is not fixed for the mysql adapter for 2.1.0, but will be fixed when 2.1.1 is released. This is not such a huge issue as mysql stops more than one query being sent at once

    So basically it's not a huge issue that the mysql adapter fix hasn't been released for the 2.1 branch, but no fix at all has been released for the other branches and so they are both vulnerable.

  • Jeremy Kemper

    Jeremy Kemper September 3rd, 2008 @ 10:22 PM

    • State changed from “new” to “open”
    • Assigned user set to “Jeremy Kemper”
    • Milestone changed from 2.x to 2.0.3

    We surveyed folks a while back. Pretty much nobody is affected by this. I agree it's backport-worthy, but it's not a crisis.

    Care to backport it?

  • Jon Leighton

    Jon Leighton September 4th, 2008 @ 07:41 AM

    What's the criteria for a security issue being considered a "priority"? I run with postgres on the 2.0 branch, which means my application would be vulnerable if we were using user-specified offset/limit. Granted a very small number of people run postgres/sqlite compared to mysql, and presumably a smaller number still allow the user to specify limit/offset, but it seems this could affect somebody, and would be quite serious for them if they were targeted.

    Anyway, I'd be happy to backport it, will report back with a patch.

  • Jon Leighton
  • Frederick Cheung

    Frederick Cheung December 12th, 2008 @ 02:01 PM

    • Tag changed from 2.0-stable, activerecord, bug to 2.0-stable, activerecord, bug, patch, tested
    • State changed from “open” to “resolved”

    This was part of 2.0.5 commit

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>