possible SQL injection problem in ZPsycopgDA

Поиск
Список
Период
Сортировка
От Philipp H. v. Loewenfeld
Тема possible SQL injection problem in ZPsycopgDA
Дата
Msg-id 3c9dffa9-96ac-4391-ea98-74f8303d1929@tum.de
обсуждение исходный текст
Список psycopg
Дерево обсуждения 
Hi,
there seems to be a problem with the ZOPE database adapter ZPsycopgDA --
obviously ZPsycopgDA should replace the default function
Shared.DC.ZRDB.ConnectionConnection.sql_quote__  with a version suitable
for PostgreSQL/psycopg. By default ZOPE escapes single quotes by
doubling them which is not correct here.

--
Best regards
Philipp H. v. Loewenfeld


-------- Weitergeleitete Nachricht --------
Betreff: Re: [Security-response] SQL Injection despite dtml-sqltest
Datum: Sun, 26 Jun 2016 14:18:21 -0400
Von: Tres Seaver <tseaver@palladion.com>
An: Philipp H. v. Loewenfeld <phvl@tum.de>, security-response@zope.org

On 06/26/2016 04:27 AM, Philipp H. v. Loewenfeld wrote:

> there seems to be a problem that dtml-sqltest does not correctly
> escape single quotes in a query. Using Zope 2.13.24 I created a Z SQL
> Method (on my Z Psycopg 2 Database Connection) with one argument "tag"
> to be
>
> SELECT * FROM some_table WHERE <dtml-sqltest tag op="eq" type="nb"
> optional>;
>
>
> Calling this method with query string
> tag=XXX%00%27%7C%7CSLeeP%283%29%26%26%271 which is the encoded
> version of "XXX\x00'||SLeeP(3)&&'1" results in the query
>
> SELECT * FROM zope_news_tags_cache WHERE tag =
> 'XXX''||SLeeP(3)&&''1';
>
> And an error from the database that the query is malformed.

Thanks for the report!  The 'sqltest' and 'sqlvar' tags delegate the SQL
quoting to their connection object.  The default implementation,
'Shared.DC.ZRDB.ConnectionConnection.sql_quote__', does the escaping you
are noting here:  apostrophes (aka "single quotes") are doubled, and then
the value is wrapped in apostrophes to make an SQL string literal.

If that quoting is inappropriate for your database backend, then the
connection object provided by your DA product should override
'sql_quote__' and perform whatever quoting *is* appropriate for its backend
.

I don't believe this is a Zope security issue.  Please report it as a bug
against your DA product:  at a guess, that would be:

  https://github.com/psycopg/ZPsycopgDA


Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tseaver@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
Вложения

В списке psycopg по дате отправления:

Предыдущее
От: Jim Nasby
Дата:
Сообщение: Re: Facing error trying to pull out data from column
Следующее
От: Larry Sevilla
Дата:
Сообщение: Getting return value from .callproc