Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int)

From: Barry Lind <blind(at)xythos(dot)com>
To: "'pgsql-jdbc(at)postgresql(dot)org'" <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int)
Date: 2003-08-07 22:00:33
Message-ID: 3F32CC01.4030900@xythos.com
Lists: pgsql-jdbc

I have committed a change that completely removes the ability to pass
anything other than a numeric value when using the setObject() calls for
types that claim to be numeric. As Dmitry has pointed out, any desire to
maintain the support for allowing "where ... in (?)" and being able to
pass a list of values for that single bind variable is flawed. So the
latest patch completely closes the SQL injection vulnerability by
preventing this non-standard behavior.

thanks,
--Barry

Dmitry Tkach wrote:
>
> Ok... What about:
> select * from users where id in ?
> setObject (1, "(select setval ('users_id_seq', 1)"); //to screw up the
> PK sequence
>
> or...
>
> setObject (1, "(1) or true"); //to get a list of all the users and
> passwords
>
> or...
>
> setObject (1, "(1) union all select * from secret_table");
>
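The check Barry describes, as an added illustration that is not the pgjdbc driver's own code: a driver that inlines bind values into the SQL text on the client side must verify that a value bound to a numeric target type really is numeric before splicing it in. The class, method names and the sample query are assumptions; the hostile string is the one quoted in the thread.

```java
import java.math.BigDecimal;
import java.sql.SQLException;
import java.sql.Types;

// Hypothetical illustration, not pgjdbc code: a driver that builds the SQL text
// client-side must reject non-numeric values bound to numeric target types.
public final class NumericBindCheck {
    // Pre-fix behaviour: whatever setObject() received was inlined verbatim, so a
    // String bound to an INTEGER position became part of the SQL text itself.
    static String bindUnchecked(String sql, Object value) {
        return sql.replace("?", String.valueOf(value)); // demo assumes one '?'
    }
    // Post-fix behaviour: for numeric target types only a value that parses as a
    // number is accepted, and only its canonical numeric form is emitted.
    static String bindNumeric(String sql, Object value, int targetSqlType)
            throws SQLException {
        String literal;
        try {
            BigDecimal number = new BigDecimal(String.valueOf(value).trim());
            switch (targetSqlType) {
                case Types.SMALLINT: case Types.INTEGER: case Types.BIGINT:
                    literal = number.toBigIntegerExact().toString(); // refuses 1.5
                    break;
                case Types.REAL: case Types.FLOAT: case Types.DOUBLE:
                case Types.NUMERIC: case Types.DECIMAL:
                    literal = number.toPlainString();
                    break;
                default:
                    throw new SQLException("not a numeric target type: " + targetSqlType);
            }
        } catch (NumberFormatException | ArithmeticException e) {
            throw new SQLException("non-numeric value for numeric parameter: " + value);
        }
        return sql.replace("?", literal);
    }
    public static void main(String[] args) throws SQLException {
        String sql = "select * from users where id = ?"; // constructed sample query
        String hostile = "(1) or true";                   // payload quoted in the thread
        System.out.println(bindUnchecked(sql, hostile));  // the predicate is rewritten
        System.out.println(bindNumeric(sql, 42, Types.INTEGER));
        try {
            bindNumeric(sql, hostile, Types.INTEGER);     // now refused by the driver
        } catch (SQLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```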
