Embedded Files
Cause: QN-UnQ
- Evidence: "If the field being passed to match() is ID_FIELD, then this field is safe, and there is no need to validate it", comment 6
Fix: BQ
- Bypass the query under some conditions
Interesting Finding:
- Performance may not be as important as security
- "No, definitely not, this regresses a major security fix--a severe SQL injection in the WebService."
- Different developer may have different levels of acceptable performance
- "you're talking about the difference between 144ms and 110ms, a totally insignificant number to a Bugzilla user"
- "One single change is probably not going to make Bugzilla much faster. But the addition of several fixes is"
Page updated
Google Sites
Report abuse