[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Monotone-devel] "mtn auto select 'i:'" fails, monotone: error: sqli
|
From: |
Daniel Carosone |
|
Subject: |
Re: [Monotone-devel] "mtn auto select 'i:'" fails, monotone: error: sqlite error: 1: unrecognized token: ":" |
|
Date: |
Thu, 8 Dec 2005 03:27:52 +1100 |
|
User-agent: |
Mutt/1.4.2.1i |
On Wed, Dec 07, 2005 at 12:27:56PM +1300, Matthew Gregan wrote:
> At 2005-12-06T16:44:16-0600, Timothy Brownawell wrote:
> > $ monotone auto select 'i:'
> >
> > On Linux (under bash) this gives all revids (as it should).
> >
> > On Windows (under cmd.exe) this gives the following error:
> >
> > monotone: error: sqlite error: 1: unrecognized token: ":"
> > monotone: error: make sure database and containing directory are
> > writeable
>
> Windows doesn't strip the single quote characters before they're passed into
> main() via argv[], so monotone sees the literal string: 'i:'.
.. and happily allows an SQL injection with it. For normal users
(especially with 'db execute' and raw access to the file) this isn't
much of an issue, but it might bite web frontends or similar setups.
--
Dan.
pgpwE40ts6AYE.pgp
Description: PGP signature