Hi!

Sorry, too, for the delay in response....

> On 11 Feb 2018, at 16:49 , Peter Rabbitson <rabbit+d...@rabbit.us> wrote:
> 
> Yes, this is a legitimate problem, thank you for finding and reporting it! ( 
> although in the future please consider contacting an author directly in 
> private when a potential vulnerability has been identified - doing so 
> publicly is somewhat suboptimal )

I know, I was not sure how to report or ask about this. In this case I didn't 
see it like a bug/security problem in DBIx::Class itself - it's a) me passing 
on arbitrary data structures from users without checking and b) SQL::Abstract 
doing unexpected things. I thought if I had been aware I'd have taken more 
care, and that way more people would be aware, too. But I'll report things like 
that privately in the future. 

> 
> A solid fix for all of the above ( and potentially similar issues ) would be 
> to augment the already-existing injection guard [2] to explicitly look for
> 
> qr/ \b (?: SELECT | UPDATE | DELETE | INSERT ) \b /ix

Great, thanks!

> I suspect this should go into the default set shipped with SQL::Abstract [3] 
> , but have not yet done any testing / analysis of how much impact this would 
> have.
> 
> As a first step I'd recommend you contact the mojolicious people with this 
> workaround, as they currently seem to be the primary driver behind SQLA 
> things.

Will do, at the moment work's not leaving me much time (as you might've guessed 
from my response time), but there's some light on the horizon.

Ciao,
Heinz
_______________________________________________
List: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/dbix-class
IRC: irc.perl.org#dbix-class
SVN: http://dev.catalyst.perl.org/repos/bast/DBIx-Class/
Searchable Archive: http://www.grokbase.com/group/dbix-class@lists.scsys.co.uk
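The augmented guard Peter proposes above, applied to a user-supplied where structure before it is handed to DBIx::Class / SQL::Abstract, written here as an added illustration in Python rather than taken from the thread or from SQLA's code. Assumptions: the semicolon check stands in for the existing guard [2], which this page does not show, and string values under an `-ident` key are treated as identifiers that SQLA emits into the SQL text rather than as bind parameters.

```python
import re

# Augmented guard from the thread, transcribed from Perl qr/ ... /ix to Python.
KEYWORD_GUARD = re.compile(r"\b(?:SELECT|UPDATE|DELETE|INSERT)\b", re.IGNORECASE)

# Stand-in for the guard SQLA already ships (reference [2] is not on this page,
# so this semicolon check is my own placeholder, not SQLA's real default).
STATEMENT_GUARD = re.compile(r";")

# Keys whose string value is emitted into SQL as an identifier, not bound (assumption).
IDENT_KEYS = {"-ident"}


def guard_violation(token):
    """Return the name of the first guard a would-be SQL fragment trips, or None."""
    for name, guard in (("statement", STATEMENT_GUARD), ("keyword", KEYWORD_GUARD)):
        if guard.search(token):
            return name
    return None


def check_where(where, path="where", parent_key=None):
    """Walk a decoded SQLA-style where structure (dicts, lists, scalars).

    Dict keys become column names or operators ('like', '-in', '>') in the SQL
    text, so every key at every depth is guarded; plain values become bind
    placeholders and are only recursed into, except under IDENT_KEYS.
    Returns a list of (path, offending_token, guard_name); empty means clean.
    """
    violations = []
    if isinstance(where, dict):
        for key, value in where.items():
            hit = guard_violation(str(key))
            if hit:
                violations.append((path, str(key), hit))
            violations.extend(check_where(value, f"{path}.{key}", str(key)))
    elif isinstance(where, list):
        for i, item in enumerate(where):
            violations.extend(check_where(item, f"{path}[{i}]", parent_key))
    elif isinstance(where, str) and parent_key in IDENT_KEYS:
        hit = guard_violation(where)
        if hit:
            violations.append((path, where, hit))
    return violations


# Constructed sample inputs, as if decoded straight from a JSON request body.
CLEAN_WHERE = {"status": "active", "note": "select", "age": {">": 18},
               "-or": [{"name": {"like": "a%"}}, {"id": 7}]}
TAINTED_WHERE = {"status": "active", "age": {"in (select 1)": 0}}

if __name__ == "__main__":
    print(check_where(CLEAN_WHERE))    # []
    print(check_where(TAINTED_WHERE))  # [('where.age', 'in (select 1)', 'keyword')]
```

The value "select" under `note` is deliberately left unflagged: as a bind parameter it never reaches the SQL text, which is exactly the distinction the guard relies on.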
