[Bugs] [Bug 1319740] New: Tiering is not resistant to SQL-injection
bugzilla at redhat.com
Mon Mar 21 12:07:02 UTC 2016
https://bugzilla.redhat.com/show_bug.cgi?id=1319740
Bug ID: 1319740
Summary: Tiering is not resistant to SQL-injection
Product: GlusterFS
Version: mainline
Component: tiering
Keywords: Triaged
Severity: medium
Priority: medium
Assignee: bugs at gluster.org
Reporter: ndevos at redhat.com
QA Contact: bugs at gluster.org
CC: bugs at gluster.org, dlambrig at redhat.com,
josferna at redhat.com, nbalacha at redhat.com
Description of problem:
It is possible to execute SQL statements in the (server-side) tiering xlator by
constructing suitable filenames.
Version-Release number of selected component (if applicable):
all
How reproducible:
100%
Steps to Reproduce:
1. create a tiered volume
2. mount the volume
3. create a file with name like 'README; DROP TABLE GF_FILE_TB; COMMIT;'
Actual results:
The GF_FILE_TB table gets dropped from the tiering database.
Expected results:
The filename should not get interpreted as SQL, and the file should just be
created.
Additional info:
I do not think this is exploitable more than causing tiering to malfunction.
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are on the CC list for the bug.
You are the assignee for the bug.
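Added example (not part of the original bug report and not GlusterFS code): a Python check of the expected behaviour, with the standard sqlite3 module standing in for the tiering database. Only the table name GF_FILE_TB and the reported filename come from the report; the FNAME column, the string-built statement and the other sample names are constructed assumptions.

```python
import sqlite3

# Only the table name and REPORTED_NAME come from the bug report; the FNAME
# column and the other sample names are constructed for this example.
SCHEMA = "CREATE TABLE GF_FILE_TB (FNAME TEXT NOT NULL)"
REPORTED_NAME = "README; DROP TABLE GF_FILE_TB; COMMIT;"
SAMPLE_NAMES = [REPORTED_NAME, "O'Brien notes.txt", 'semi;colon "quoted".log']

def record_unsafe(db, fname):
    """Hypothetical string-built statement: the name becomes part of the SQL text."""
    db.executescript("INSERT INTO GF_FILE_TB (FNAME) VALUES ('%s');" % fname)

def record_safe(db, fname):
    """Bound parameter: the name is passed as a value and never parsed as SQL."""
    db.execute("INSERT INTO GF_FILE_TB (FNAME) VALUES (?)", (fname,))
    db.commit()

def table_present(db):
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' "
                     "AND name = 'GF_FILE_TB'").fetchone()
    return row is not None

def check(record):
    """Record every sample name in a fresh database and report what happened."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    rejected = []
    for name in SAMPLE_NAMES:
        try:
            record(db, name)
        except sqlite3.Error:
            rejected.append(name)  # the SQL parser choked on the file name
    present = table_present(db)
    stored = []
    if present:
        rows = db.execute("SELECT FNAME FROM GF_FILE_TB ORDER BY rowid")
        stored = [r[0] for r in rows]
    db.close()
    return {"stored": stored, "rejected": rejected, "table_present": present}

if __name__ == "__main__":
    for recorder in (record_unsafe, record_safe):
        print(recorder.__name__, check(recorder))
```

In the string-built variant a name containing a single apostrophe already reaches the SQL parser and is rejected; with bound parameters every name, the reported one included, is stored verbatim and the table remains in place.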