From 6972cc94fa924c48c929bb2e1f44aab5fb2416fc Mon Sep 17 00:00:00 2001
From: Timo Pollmeier
Date: Thu, 25 Feb 2021 17:15:16 +0100
Subject: [PATCH 1/2] Fix SQL escaping when adding VT references
When adding VT references, the type has to be escaped in case it contains single quote marks.
(cherry picked from commit 739949db7ee6f267a6ee898f938260f51cdd8c65)
---
 src/manage_sql_nvts.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/manage_sql_nvts.c b/src/manage_sql_nvts.c
index 79a5aa049..94787b239 100644
--- a/src/manage_sql_nvts.c
+++ b/src/manage_sql_nvts.c
@@ -329,16 +329,18 @@ insert_nvt (const nvti_t *nvti)
 for (i = 0; i < nvti_vtref_len (nvti); i++)
 {
 vtref_t *ref;
- gchar *quoted_id, *quoted_text;
+ gchar *quoted_type, *quoted_id, *quoted_text;
 ref = nvti_vtref (nvti, i);
+ quoted_type = sql_quote (vtref_type (ref));
 quoted_id = sql_quote (vtref_id (ref));
 quoted_text = sql_quote (vtref_text (ref) ? vtref_text (ref) : "");
 sql ("INSERT into vt_refs (vt_oid, type, ref_id, ref_text)"
 " VALUES ('%s', '%s', '%s', '%s');",
- nvti_oid (nvti), vtref_type (ref), quoted_id, quoted_text);
+ nvti_oid (nvti), quoted_type, quoted_id, quoted_text);
+ g_free (quoted_type);
 g_free (quoted_id);
 g_free (quoted_text);
 }
From 2253aafa5dcf8e7db0d4454302be9d7063ce5e0b Mon Sep 17 00:00:00 2001
From: Timo Pollmeier
Date: Thu, 25 Feb 2021 17:31:00 +0100
Subject: [PATCH 2/2] Add CHANGELOG entry for VT refs escaping fix
(cherry picked from commit c7a8e834184d6295daef286edb642fccd45e5158)
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ad95c7089..fbefc76ae 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
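Review bot: `nvti_oid (nvti)` is still passed raw into the first `'%s'` of the `INSERT into vt_refs` statement, so after this change the OID is the one value in the call that does not go through `sql_quote`. Unless the OID is validated as dotted-numeric before it reaches `insert_nvt` (not visible in this hunk), it should be quoted the same way: `gchar *quoted_oid = sql_quote (nvti_oid (nvti));`, pass `quoted_oid` to `sql ()`, then `g_free (quoted_oid);`. If that validation does happen upstream, a one-line comment at the call saying so would save the next reader from re-auditing it. `vtref_type (ref)` and `vtref_id (ref)` are also handed to `sql_quote` without the NULL fallback that `vtref_text (ref)` gets, which is worth confirming against what `sql_quote` accepts. The body of `insert_nvt` starts and ends outside the hunk.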
@@ -59,6 +59,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Fixed
 - Also create owner WITH clause for single resources [#1406](https://github.com/greenbone/gvmd/pull/1406)
+- Fix SQL escaping when adding VT references [#1429](https://github.com/greenbone/gvmd/pull/1429)
 ### Removed