kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2026-06-30 12:10:12 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
22
asterisk/cel
T
History
Milan Kyselica 97f0aac7df cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection 
The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.

For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.

For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.

Resolves: #GHSA-ph27-3m5q-mj5m
2026-06-25 08:22:20 -06:00
..
cel_beanstalkd.c
cel_custom.c
CDR/CEL Custom Performance Improvements
2026-03-02 16:43:24 +00:00
cel_manager.c
cel: Add missing manager documentation.
2025-12-29 18:37:29 +00:00
cel_odbc.c
odbc: Don't use prepared statements for distinct SQL statements
2026-06-01 16:10:26 +00:00
cel_pgsql.c
cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
2026-06-25 08:22:20 -06:00
cel_radius.c
cel_sqlite3_custom.c
CDR/CEL Custom Performance Improvements
2026-03-02 16:43:24 +00:00
cel_tds.c
cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
2026-06-25 08:22:20 -06:00
Makefile