  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-25923

Missing group name escaping in UpgradeGroup.java

      Description

      In the method updateName() of the UpgradeGroup class, the group name is not escaped before running the SQL update query. Thus, the query fails when names contain a single quote (').

      Here is the offending code:

          String name = rs.getString("name");

          runSQL(
              "update Group_ set name = '" + classPK +
                  _ORGANIZATION_NAME_DELIMETER + name +
                  "' where groupId = " + groupId);
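
The failure described above next to a bound-parameter version of the same update, as an added example that is not Liferay's code or the fix applied for this issue. It uses Python's sqlite3 rather than Java/JDBC so that it runs without a portal database; the table rows, the delimiter value and the function names are constructed for illustration.

```python
import sqlite3

# Constructed placeholder for the page's _ORGANIZATION_NAME_DELIMETER constant,
# whose real value is not shown on the page.
DELIM = " ORG_DELIM "

# Constructed sample rows: (groupId, classPK, name).
SAMPLE_ROWS = [
    (1, 101, "Engineering"),
    (2, 102, "O'Brien Holdings"),
    (3, 103, "Children's Services"),
]

def update_name_concatenated(conn, group_id, class_pk, name):
    """Pattern from the report: the name is spliced into the SQL text."""
    conn.execute(
        "update Group_ set name = '" + str(class_pk) + DELIM + name +
        "' where groupId = " + str(group_id))

def update_name_bound(conn, group_id, class_pk, name):
    """Name and id are bound parameters, so a quote in the name is only data."""
    conn.execute(
        "update Group_ set name = ? where groupId = ?",
        (str(class_pk) + DELIM + name, group_id))

def upgrade(update_fn, rows=SAMPLE_ROWS):
    """Apply update_fn to every group; return ({groupId: name}, [failed ids])."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table Group_ (groupId integer primary key, "
        "classPK integer, name text)")
    conn.executemany("insert into Group_ values (?, ?, ?)", rows)
    groups = conn.execute(
        "select groupId, classPK, name from Group_ order by groupId").fetchall()
    failed = []
    for group_id, class_pk, name in groups:
        try:
            update_fn(conn, group_id, class_pk, name)
        except sqlite3.Error:
            # The statement no longer parses; this group keeps its old name.
            failed.append(group_id)
    names = dict(conn.execute("select groupId, name from Group_").fetchall())
    conn.close()
    return names, failed

if __name__ == "__main__":
    for fn in (update_name_concatenated, update_name_bound):
        names, failed = upgrade(fn)
        print(fn.__name__, "failed groupIds:", failed)
        print("  group 2 name:", names[2])
```

In JDBC the equivalent of the bound version is a `PreparedStatement` with `?` placeholders and `setString`/`setLong`, which removes the need to escape the name at all.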


                  Packages

                  Version Package
                  6.1.10 EE GA1
                  6.1.20 EE GA2
                  --Sprint 11/12
                  6.2.0 CE M2