Skip Menu |

This queue is for tickets about the SQL-Abstract-Limit CPAN distribution.

Report information
The Basics
Id: 99347
Status: new
Priority: 0/
Queue: SQL-Abstract-Limit

Owner: Nobody in particular
Requestors: VADZ [...]

Bug Information
Severity: (no value)
Broken in: 0.141
Fixed in: (no value)

Subject: Incorrect offset parameter parsing when offset overflows int range limit
Consider the following code: # get $page_size and $page parameters from an HTTP request somehow. my $sql = SQL::Abstract::Limit->new(limit_dialect => $dbh); my $q = $sql->select("t", "f", undef, undef, $page_size, ($page-1)*$page_size); This looks perfectly reasonable but results in a broken query being generated if ($page-1)*$page_size overflows the range of int (e.g. "rows=2&page=2222222222222222222222222" in the query string) as it's then represented in exponential notation by Perl ("4.44444444444445e+25" in this example) and _get_args() doesn't recognize it as offset any more because it tests for "/^\d+$/" only, and interprets it as the syntax value, which is then, of course, not recognized and a completely invalid query is generated. While this doesn't seem to be immediately exploitable, it would still be better to handle this in some more reasonable way and just take anything specified as offset as being offset instead of interpreting it as syntax. And unknown syntaxes should be detected and rejected instead of silently generating wrong queries, IMO.

This service is sponsored and maintained by Best Practical Solutions and runs on infrastructure.

Please report any issues with to