libinjection v3.7.1 released

13 Oct 2013

Version 3.7.1 of libinjection, the open source SQLi detection library, was released today, 2013-10-13. Source code is available on github. If you want to try it out, see the diagnostics pages.

This release contains an important security update and closes numerous false-negatives:

  • Fixes a buffer over-read. This went undetected due to a GCC option that (incorrectly?) disables some automated memory checkes. You can read more on this other blog post. This may cause core-dumps and other nastyness on long inputs.
  • Parses MS SQLServer [bracket] quoting for table and column names. This closes a lot of false-negatives.
  • Other improvements and fixes to reduce false-negatives.

Here's the full changelog

3.7.1 was released right after 3.7.0. This just removed some dead code.