  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-25923

Missing group name escaping in UpgradeGroup.java

    Details

      Description

      In the method updateName() of the UpgradeGroup class, the group name is not escaped before running the SQL update query. Thus, the query fails when names contain a single quote (').

      Here is the offending code:

      String name = rs.getString("name");

      runSQL(
          "update Group_ set name = '" + classPK +
          _ORGANIZATION_NAME_DELIMETER + name +
          "' where groupId = " + groupId);

              People

              Assignee:
              luyang.tan Luyang Tan (Inactive)
              Reporter:
              nanu Emmanuel Guiton (Inactive)

                Dates

                Days since last comment:
                9 years, 18 weeks, 4 days ago

                  Packages

                  Version Package
                  6.1.10 EE GA1
                  6.1.20 EE GA2
                  --Sprint 11/12
                  6.2.0 CE M2
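
The update from the description next to a parameterized form, as an added example (not code from the issue and not Liferay's actual fix). It uses plain JDBC and assumes the caller supplies an open `java.sql.Connection`; the class name, the `long` id types, the delimiter placeholder and the sample values are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class GroupNameUpdateExample {

    // Placeholder: the value of the delimiter constant in UpgradeGroup
    // is not shown on the page.
    static final String DELIMITER = "<DELIMITER>";

    // Pattern from the report: the stored name is pasted into the SQL text,
    // so a single quote inside it ends the string literal early.
    static String concatenatedUpdate(long classPK, String name, long groupId) {
        return "update Group_ set name = '" + classPK + DELIMITER + name +
            "' where groupId = " + groupId;
    }

    // Hardened form: the statement text is constant and both values are bound
    // as parameters, so the driver treats a quote in the name as data rather
    // than as SQL syntax. No manual escaping is needed.
    static int updateName(
            Connection con, long classPK, String name, long groupId)
        throws SQLException {

        String sql = "update Group_ set name = ? where groupId = ?";

        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, classPK + DELIMITER + name);
            ps.setLong(2, groupId);

            return ps.executeUpdate(); // number of rows changed
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the issue.
        String sql = concatenatedUpdate(10402L, "Children's Hospital", 10180L);

        // Prints the statement the database would receive: the apostrophe in
        // the name closes the literal, leaving the rest as stray SQL text.
        System.out.println(sql);
    }
}
```

Binding the name also covers the case where the stored value contains SQL syntax beyond a lone quote, which quote-doubling applied by hand can miss on some database dialects.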