Opened 10 years ago

Closed 9 years ago

#7809 closed defect (invalid)

SQL Escape problem in mythweb

Reported by: achew22+mythtv@… Owned by: Rob Smith
Priority: major Milestone: unknown
Component: Plugin - MythWeb Version: 0.22-fixes
Severity: medium Keywords:
Cc: Ticket locked: no

Description

In MythWeb's custom recording schedule page I tried to change a power search I changed on of my listings from "ABC World News" to "ABC('s)? World News". After hitting submit I got the dreaded (for SQL injections) "There is an error in your custom SQL query: check the manual that corresponds to your MySQL server version for the right syntax to use near 'World News' at line 1 #1064"

Version information:

MythWeb and MythTV are both from the Ubuntu 9.10 repositories so I assume MythWeb is the same version but I have no proof of that.

achew22@mythtv:~$ mythbackend --version Please include all output in bug reports. MythTV Version : 22594 MythTV Branch : branches/release-0-22-fixes Network Protocol : 50 Library API : 0.22.20091023-1 QT Version : 4.5.2 Options compiled in:

linux profile using_oss using_alsa using_pulse using_jack using_backend using_dvb using_firewire using_frontend using_glx_proc_addr_arb using_hdhomerun using_hdpvr using_iptv using_ivtv using_joystick_menu using_libfftw3 using_lirc using_mheg using_opengl_video using_opengl_vsync using_qtwebkit using_v4l using_x11 using_xrandr using_xv using_xvmc using_xvmc_vld using_xvmcw using_bindings_perl using_bindings_python using_opengl using_vdpau using_ffmpeg_threads using_libavc_5_3 using_live using_mheg


Steps to reproduce: 1) Go to mythweb 2) Go to the custom recording page ( http://127.0.0.1/tv/schedules/custom ) 3) Change the search type to a "Power search" 4) Change the title to "ABC('s)? World News" 5) Change the search phrase to "ABC World News" 6) Hit submit

Error message in full:

If you don't like the trac formating for this I put it on codepad http://codepad.org/sNEhEicp


Error: There is an error in your custom SQL query:

check the manual that corresponds to your MySQL server version for the right syntax to use near 'World News' at line 1 #1064

Backtrace Array (

[0] => Array

(

[file] => /usr/share/mythtv/mythweb/classes/Database/Query/mysql.php [line] => 85 [function] => error [class] => Database [object] => Database_mysql Object

(

[dbh] => Resource id #18 [error] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'World News' at line 1 #1064 [err] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'World News' at line 1 [errno] => 1064 [last_sh] => Database_Query_mysql Object

(

[dbh] => Resource id #18 [query] => Array

(

[0] => SELECT NULL FROM program, channel WHERE ABC World News

)

[last_query] => SELECT NULL FROM program, channel WHERE ABC World News [warnings] => Array

( )

[num_args_needed] => 0 [num_rows] => [affected_rows] => -1 [insert_id] => 0 [db] => Database_mysql Object

*RECURSION*

[sh] =>

)

[fatal_errors] => [query_count] => 22 [query_time] => 0.00631213188171 [global_name] => db [destruct_handlers] => Array

(

[0] => Array

(

[f] => session_write_close [p] =>

)

)

)

[type] => -> [args] => Array

( )

)

[1] => Array

(

[file] => /usr/share/mythtv/mythweb/classes/Database.php [line] => 263 [function] => execute [class] => Database_Query_mysql [object] => Database_Query_mysql Object

(

[dbh] => Resource id #18 [query] => Array

(

[0] => SELECT NULL FROM program, channel WHERE ABC World News

)

[last_query] => SELECT NULL FROM program, channel WHERE ABC World News [warnings] => Array

( )

[num_args_needed] => 0 [num_rows] => [affected_rows] => -1 [insert_id] => 0 [db] => Database_mysql Object

(

[dbh] => Resource id #18 [error] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'World News' at line 1 #1064 [err] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'World News' at line 1 [errno] => 1064 [last_sh] => Database_Query_mysql Object

*RECURSION*

[fatal_errors] => [query_count] => 22 [query_time] => 0.00631213188171 [global_name] => db [destruct_handlers] => Array

(

[0] => Array

(

[f] => session_write_close [p] =>

)

)

)

[sh] =>

)

[type] => -> [args] => Array

(

[0] => Array

( )

)

)

[2] => Array

(

[file] => /usr/share/mythtv/mythweb/modules/tv/schedules_custom.php [line] => 131 [function] => query [class] => Database [object] => Database_mysql Object

(

[dbh] => Resource id #18 [error] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'World News' at line 1 #1064 [err] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'World News' at line 1 [errno] => 1064 [last_sh] => Database_Query_mysql Object

(

[dbh] => Resource id #18 [query] => Array

(

[0] => SELECT NULL FROM program, channel WHERE ABC World News

)

[last_query] => SELECT NULL FROM program, channel WHERE ABC World News [warnings] => Array

( )

[num_args_needed] => 0 [num_rows] => [affected_rows] => -1 [insert_id] => 0 [db] => Database_mysql Object

*RECURSION*

[sh] =>

)

[fatal_errors] => [query_count] => 22 [query_time] => 0.00631213188171 [global_name] => db [destruct_handlers] => Array

(

[0] => Array

(

[f] => session_write_close [p] =>

)

)

)

[type] => -> [args] => Array

(

[0] => SELECT NULL FROM program, channel WHERE ABC World News

)

)

[3] => Array

(

[file] => /usr/share/mythtv/mythweb/modules/tv/schedules.php [line] => 18 [args] => Array

(

[0] => /usr/share/mythtv/mythweb/modules/tv/schedules_custom.php

)

[function] => require_once

)

[4] => Array

(

[file] => /usr/share/mythtv/mythweb/modules/tv/handler.php [line] => 87 [args] => Array

(

[0] => /usr/share/mythtv/mythweb/modules/tv/schedules.php

)

[function] => require_once

)

[5] => Array

(

[file] => /usr/share/mythtv/mythweb/mythweb.php [line] => 35 [args] => Array

(

[0] => /usr/share/mythtv/mythweb/modules/tv/handler.php

)

[function] => require_once

)

)

Change History (3)

comment:1 Changed 9 years ago by cadams

What you needed to put there was

title='ABC\'s World News'

In a power search that field is for handwritten content for a WHERE clause off the program and channel tables. This is one case where you WANT to pass quotes to the database.

It has potential for abuse: you (or a black-hat from the tubes) can write a lovely rule to match every program in the EPG which would probably bring the scheduler to its knees or crash your backend.

However before running the where clause it removes semicolons and secondary queries from the text. It seems pretty toothless to me (IANA SQL guru) - it will strip out stuff like this

;delete from recorded

This ticket looks invalid to me.

comment:2 Changed 9 years ago by achew22+mythtv@…

With that knowledge this ticket does appear to be invalid. If you could please flag it as such to help the bug stats. Thank you.

comment:3 Changed 9 years ago by robertm

Resolution: invalid
Status: newclosed

Thanks for following up, guys.

Note: See TracTickets for help on using tickets.