/app/models/concerns/hostext/search.rb - Diff - Foreman

« Previous | Next »

Revision b08ec33d

fixes #12458 - escape values in fact searches to prevent SQL injection

           def search_cast_facts(key, operator, value)
+            {
               :conditions => "fact_names.name = '#{key.split('.')[1]}' AND #{cast_facts(key,operator,value)}",
               :conditions => "#{sanitize_sql_for_conditions(["fact_names.name = ?", key.split('.')[1]])} AND #{cast_facts(key,operator,value)}",
               :include    => :fact_names,
+            }
           end

Also available in: Unified diff