On Sun, Apr 06, 2025 at 10:37:49AM +0200, Hanno Böck wrote:
> On Fri, 04 Apr 2025 18:54:21 +0000 Elad Kalif <elad...@apache.org> wrote:
> 
> > https://github.com/apache/airflow/pull/48098
> 
> If I read this code correctly, the only thing this PR changes is to
> reject inputs with a ";" character.
> I am not familiar with the codebase, and also by no means an expert in
> SQL injections. But I am pretty sure there are ways to exploit SQL
> injections that do not involve a ";" character.
> 
> Can anyone familiar with the issue check that this is indeed a proper
> fix?

Elad doesn't appear to be subscribed (as is usual and normal for reports
by Apache projects), so I am CC'ing him here.

The fix does indeed look weird to me as well, but I am not familiar with
the codebase, nor with the issue.

Alexander
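
Added example, not part of the original thread and not Airflow's code: a generic sqlite3 sketch of the concern raised above, showing a query that rejects ";" but still concatenates input, next to the same query with a bound parameter. The table, column and function names and the sample input are constructed for illustration.

```python
import sqlite3

# Constructed sample data; the schema is hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jobs (owner TEXT, name TEXT)")
    db.executemany("INSERT INTO jobs VALUES (?, ?)",
                   [("alice", "etl_daily"), ("bob", "billing_export")])
    return db

def jobs_blocklist(db, owner):
    """Weak: rejects ';' but still splices the input into the SQL text."""
    if ";" in owner:
        raise ValueError("invalid character in input")
    query = "SELECT name FROM jobs WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(query)]

def jobs_parameterized(db, owner):
    """Hardened: the value is bound as data and never parsed as SQL."""
    cur = db.execute("SELECT name FROM jobs WHERE owner = ?", (owner,))
    return [row[0] for row in cur]

# Constructed input containing no ';' that still rewrites the WHERE clause.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(jobs_blocklist(db, "alice"))       # only alice's job
    print(jobs_blocklist(db, CRAFTED))       # filter passes, every row returned
    print(jobs_parameterized(db, CRAFTED))   # no owner has that literal name
```

The character filter only blocks statement stacking; the bound-parameter form removes the injection point regardless of which characters the input contains.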
