Project

General

Profile

Bug #5738

Updated by Peter Amstutz over 9 years ago

<pre> 
 $ bundle exec arv collection list --filters='[["uuid", "=", "su92l-4zz18-hll1sflwwh8ogk1"]]' --select '["writable_by"]' 
 Error: #<ActiveRecord::StatementInvalid: PG::SyntaxError: ERROR:    syntax error at or near "FROM" 
 LINE 1: SELECT     FROM "collections"    WHERE (expires_at IS NULL or ex... 
                  ^ 
 : SELECT     FROM "collections"    WHERE (expires_at IS NULL or expires_at > CURRENT_TIMESTAMP) AND ((collections.uuid = 'su92l-4zz18-hll1sflwwh8ogk1')) LIMIT 100 OFFSET 0> 
 </pre> 

 It's not obvious that this is exploitable, but the fact that we're generating an invalid SQL statement without catching the error earlier is very concerning. 

Back