#964 Fix for SQL injection on :limit and :offset should be backported - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#964 ✓resolved

Fix for SQL injection on :limit and :offset should be backported

Reported by Jon Leighton | September 3rd, 2008 @ 03:51 PM | in 2.0.3

The fix in #288 is a serious security vulnerability and should be backported to all stable branches.

Comments and changes to this ticket

You flagged this item as spam.
August Lilleaas September 3rd, 2008 @ 03:54 PM
+1 from me for you!
You flagged this item as spam.
Smeevil September 3rd, 2008 @ 03:58 PM
+1 , nasty
Jon Leighton September 3rd, 2008 @ 04:08 PM
More info about the problem on this blog post: http://blog.innerewut.de/2008/6/...

The facts we have:
- The problem is fixed in the abstract adapter for 2.1.0
- The problem is not fixed for the 2.0 or 1.2 branches
- The problem is not fixed for the mysql adapter for 2.1.0, but will be fixed when 2.1.1 is released. This is not such a huge issue as mysql stops more than one query being sent at once
So basically it's not a huge issue that the mysql adapter fix hasn't been released for the 2.1 branch, but no fix at all has been released for the other branches and so they are both vulnerable.
Jeremy Kemper September 3rd, 2008 @ 10:22 PM
- State changed from “new” to “open”
- Assigned user set to “Jeremy Kemper”
- Milestone changed from “2.x” to “2.0.3”
We surveyed folks a while back. Pretty much nobody is affected by this. I agree it's backport-worthy, but it's not a crisis.

Care to backport it?
Jon Leighton September 4th, 2008 @ 07:41 AM
What's the criteria for a security issue being considered a "priority"? I run with postgres on the 2.0 branch, which means my application would be vulnerable if we were using user-specified offset/limit. Granted a very small number of people run postgres/sqlite compared to mysql, and presumably a smaller number still allow the user to specify limit/offset, but it seems this could affect somebody, and would be quite serious for them if they were targeted.

Anyway, I'd be happy to backport it, will report back with a patch.
Jon Leighton September 4th, 2008 @ 05:58 PM
Patches for 2-0-stable and 1-2-stable attached.
- offset_limit_fix_backport_1-2-stable.diff 3.6 KB
- offset_limit_fix_backport_2-0-stable.diff 3.5 KB
Frederick Cheung December 12th, 2008 @ 02:01 PM
- Tag changed from “2.0-stable, activerecord, bug” to “2.0-stable, activerecord, bug, patch, tested”
- State changed from “open” to “resolved”
This was part of 2.0.5 commit