Commit e768943
Escape double quotes in sp_LogHunter @custom_message

The #search.command computed column builds an xp_readerrorlog call
with the search string wrapped in double quotes:

    EXECUTE master.dbo.xp_readerrorlog [log], 1, "<search>", " ", ...

@custom_message is concatenated straight into the "<search>" slot
without escaping, so a literal " in the user-supplied message closes
the first argument early. The rest of the @custom_message gets parsed
as T-SQL and sp_executesql raises "Incorrect syntax near '+'" or a
similar message. Verified by calling with @custom_message = N'hello"+injection'.

Doubled the quote on the way in: REPLACE(@custom_message, N'"', N'""').
xp_readerrorlog accepts the doubled quote as a literal inside the
search string. Normal strings (no quotes) behave the same as before.
Verified against the QsCleanupTest disk-full message lookup with
@custom_message = N'Microsoft'.

Note: this is not a privilege-escalation vector — xp_readerrorlog
already requires securityadmin-level access — but cryptic syntax
errors from a valid-looking input are a real operator footgun.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent ca2dbd8 commit e768943
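As an added illustration (not code from this commit or from sp_LogHunter), the T-SQL below builds the xp_readerrorlog command string both ways for the input the commit message used to reproduce the bug, and adds a sanity check on the escaped search string. The log number 0 is an assumption (the page shows that slot only as [log]), and the arguments after the second search string are left off.

```sql
-- Added example, not part of this commit or of sp_LogHunter.
-- Builds the xp_readerrorlog command string before and after the REPLACE fix.
-- Assumptions: log number 0 (the page shows this slot as [log]); the
-- arguments after the second search string are omitted.
DECLARE @custom_message nvarchar(4000) = N'hello"+injection';  -- input from the commit message

-- Before the fix: the message goes straight into the "<search>" slot,
-- so the " after hello closes the first argument early.
DECLARE @unsafe_command nvarchar(max) =
    N'EXECUTE master.dbo.xp_readerrorlog 0, 1, "' + @custom_message + N'", " "';

-- After the fix: every " in the message is doubled so xp_readerrorlog
-- reads it as a literal character inside the search string.
DECLARE @escaped_search nvarchar(4000) = REPLACE(@custom_message, N'"', N'""');

-- Sanity check: once every doubled pair is stripped, no lone " may remain.
IF CHARINDEX(N'"', REPLACE(@escaped_search, N'""', N'')) > 0
    THROW 50000, N'unescaped double quote in xp_readerrorlog search string', 1;

DECLARE @safe_command nvarchar(max) =
    N'EXECUTE master.dbo.xp_readerrorlog 0, 1, "' + @escaped_search + N'", " "';

-- Inspect both strings side by side before handing either to sp_executesql.
SELECT @unsafe_command AS unsafe_command,
       @safe_command   AS safe_command;

-- Only the escaped form is handed to sp_executesql (needs securityadmin-level access).
EXEC sys.sp_executesql @safe_command;
```

With the reproduction input from the message, the unsafe string ends in `"hello"+injection", " "` while the escaped one ends in `"hello""+injection", " "`; only the second keeps the search argument as a single delimited literal, and the CHARINDEX check fails closed if a future change drops the REPLACE.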
1 file changed
Lines changed: 7 additions & 1 deletion
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| 491 | 491 | |
| 492 | 492 | |
| 493 | 493 | |
| 494 | | - |
| | 494 | + |
| | 495 | + |
| | 496 | + |
| | 497 | + |
| | 498 | + |
| | 499 | + |
| | 500 | + |
| 495 | 501 | |
| 496 | 502 | |
| 497 | 503 | |
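Review bot: the post-fix verification described in the message covers only a quote-free input (@custom_message = N'Microsoft'); the input that triggered the bug, N'hello"+injection', should be re-run against the replaced line 494 block to confirm that xp_readerrorlog treats the doubled quote as a literal, and a message consisting of a single " or ending in " is worth adding to the same check since those are the cases where the old concatenation produced the "Incorrect syntax" error.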