Chris Paul wrote:
> Apparently this new PostgreSQL security vulnerability will require some changes to some apps. It also appears that upgrading may cause problems for some applications.
>
> According to the "Technical Information" at http://www.postgresql.org/docs/techdocs.52, "The widely-used practice of escaping ASCII single quote "'" by turning it into "\'" is unsafe when operating in multibyte encodings that allow 0x5c (ASCII code for backslash) as the trailing byte of a multibyte character; this includes at least SJIS, BIG5, GBK, GB18030, and UHC."
>
> Robert, David, any comments regarding this new vulnerability in regards to Maia?
My first reaction is: This is exactly why we never do any SQL calls without placeholders and prepared queries. It leaves it up to the database library to do the variable substitution, which is supposed to eliminate SQL injection attacks.

Some people have occasionally suggested code that didn't use placeholders and been met with a stinging rebuke. This is why. ;)

Having said that, it would be prudent to investigate things and make sure that 1) we didn't slip and let user data through like this, and 2) the various database libs are secured against this.
--
David Morton
Maia Mailguard - http://www.maiamailguard.com
Morton Software Design and Consulting - http://www.dgrmm.net
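As an added illustration (not code from this thread, from Maia, or from PostgreSQL), the Python below models what the quoted techdoc describes: a server that groups SJIS bytes into characters treats a lead byte followed by the 0x5c of a "\'" escape as one character, so the literal closes before the quote the application appended. The SJIS byte ranges, the query prefix and the sample inputs are constructed assumptions; the encoding check before escaping is the minimal fix shown, with placeholders (as the reply recommends) avoiding the hand-built literal altogether.

```python
# Added example (not from the thread or from Maia): models how an SJIS-aware
# SQL parser reads a literal built with the unsafe "\'" escape.
SJIS_LEAD = set(range(0x81, 0xA0)) | set(range(0xE0, 0xFD))   # assumed lead-byte ranges
SJIS_TRAIL = set(range(0x40, 0x7F)) | set(range(0x80, 0xFD))  # assumed trail-byte ranges; includes 0x5c

def naive_escape(value: bytes) -> bytes:
    """The idiom the techdoc warns about: replace ' with \\' without looking at the encoding."""
    return value.replace(b"'", b"\\'")

def is_valid_sjis(value: bytes) -> bool:
    """True if the bytes form complete SJIS characters (a lead byte followed by ' is not valid)."""
    try:
        value.decode("shift_jis")
        return True
    except UnicodeDecodeError:
        return False

def validated_escape(value: bytes) -> bytes:
    """Encoding-aware variant: reject malformed input before escaping, so a stray
    lead byte can never pair with the backslash that the escape inserts."""
    if not is_valid_sjis(value):
        raise ValueError("input is not valid SJIS; refusing to build a literal from it")
    return naive_escape(value)

def literal_end(sql: bytes, start: int) -> int:
    """Offset of the quote that closes the literal opened at sql[start], as a server
    that groups SJIS multibyte characters and honours backslash escapes sees it.
    Returns -1 if the literal never closes."""
    i = start + 1
    while i < len(sql):
        b = sql[i]
        if b in SJIS_LEAD and i + 1 < len(sql) and sql[i + 1] in SJIS_TRAIL:
            i += 2          # one two-byte character, even when its trail byte is 0x5c
        elif b == 0x5C:
            i += 2          # backslash escapes whatever byte follows it
        elif b == 0x27:
            return i        # unescaped single quote ends the literal
        else:
            i += 1
    return -1

def closes_early(prefix: bytes, escaped: bytes) -> bool:
    """True when the server closes the literal before the quote the application appended."""
    sql = prefix + escaped + b"'"
    return literal_end(sql, len(prefix) - 1) != len(sql) - 1

if __name__ == "__main__":
    prefix = b"SELECT 1 WHERE name = '"   # constructed query prefix ending in the opening quote
    print(closes_early(prefix, naive_escape(b"\x95'")))   # lead byte 0x95 swallows the escape
```

Running it prints True for the constructed input, while the same input fails is_valid_sjis, which is the check the escaper above performs before building the literal.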
Maia-users mailing list
Maia-users renaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users