Summary
Legacy batch transfer/removal path builds SQL with direct concatenation of removal rule text.
Evidence
functions.php in syslog_manage_items():
message LIKE '%" . $remove['message'] . "%' (e.g. lines around 956/965)WHERE message (" . $remove['message'] . ") for type='sql' (around 981/984)
Invoked by syslog_batch_transfer.php:127.
Risk
Rule text can alter query semantics in this path, causing unintended mass select/delete/transfer behavior.
Expected fix
- Replace concatenated clauses with prepared statements / safe quoting in every branch
- Prefer reusing the newer prepared-query logic used by active processing path
- Consider deprecating/removing the legacy script if not required
Summary
Legacy batch transfer/removal path builds SQL with direct concatenation of removal rule text.
Evidence
functions.phpinsyslog_manage_items():message LIKE '%" . $remove['message'] . "%'(e.g. lines around 956/965)WHERE message (" . $remove['message'] . ")fortype='sql'(around 981/984)Invoked by
syslog_batch_transfer.php:127.Risk
Rule text can alter query semantics in this path, causing unintended mass select/delete/transfer behavior.
Expected fix