[
https://issues.apache.org/jira/browse/CONNECTORS-128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12972013#action_12972013
]
Karl Wright commented on CONNECTORS-128:
----------------------------------------
r1049834 covers the added tests for the changes to the framework.
> ManifoldCF should be armored against any possibility of SQL injection
> ---------------------------------------------------------------------
>
> Key: CONNECTORS-128
> URL: https://issues.apache.org/jira/browse/CONNECTORS-128
> Project: ManifoldCF
> Issue Type: Bug
> Components: Documentum connector, FileNet connector, Framework agents process, Framework core
> Affects Versions: ManifoldCF 0.1
> Reporter: Karl Wright
>
> ManifoldCF uses SQL. Quoted string fields in SQL might be unsafe because it
> might be possible to override the intended statement with stuff from the
> parameter. A method in the SQL abstraction layer called quoteSQLString() is
> supposed to safely quote a SQL string to avoid any possibility of this
> occurring, but PostgreSQL is configurable in how it handles quotes, and if
> the wrong setting is selected, quoteSQLString() becomes vulnerable.
> Rather than making quoteSQLString() work properly, or using it solely in
> conjunction with constant values (as is currently the case), it has been
> decided that the very existence of this method is a security risk, and thus
> the method and all uses must be removed. The reasoning behind this is that
> quoting of strings is inherently unsafe because quoting methods cannot be
> made to be correct. (This claim is not accepted by everyone, for what it is
> worth).
> This is unfortunate because several connectors (Documentum and FileNet
> specifically) use APIs that require the use of SQL-like languages, which may
> potentially be converted into SQL by the (opaque) API software, but do not
> have the ability to support parameterized queries. If the reasoning is
> correct, it would indicate that all uses of these client APIs are vulnerable to
> SQL injection. Taken to its conclusion, a valid recourse might be removal of the
> FileNet and Documentum connector software as well.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
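Added example, not ManifoldCF code: a Python simulation of how PostgreSQL lexes a single-quoted literal under the two settings of standard_conforming_strings (assumed to be the quote-handling configurability the ticket refers to), used to check whether a quote-doubling routine like the quoteSQLString() described above yields exactly one literal that round-trips the value and leaves the following SQL intact. The quoting function, the trailing SQL and the inputs are constructed for the example.

```python
def quote_sql_string(value: str) -> str:
    """Constructed stand-in for a quote-doubling routine: wrap in single
    quotes and double any embedded single quote. Nothing else is escaped."""
    return "'" + value.replace("'", "''") + "'"


def lex_literal(sql: str, standard_conforming_strings: bool):
    """Consume one single-quoted literal from the start of `sql` the way the
    server would. Returns (decoded_value, remaining_sql); raises ValueError
    if the literal never terminates. Simplified: with the setting off, a
    backslash takes the next character literally (\\' -> ', \\\\ -> \\);
    other C-style escapes are not decoded since only quoting matters here."""
    if not sql.startswith("'"):
        raise ValueError("not a quoted literal")
    out, i, n = [], 1, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'":
            if i + 1 < n and sql[i + 1] == "'":   # '' is an escaped quote in both modes
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]      # closing quote found
        if ch == "\\" and not standard_conforming_strings and i + 1 < n:
            out.append(sql[i + 1])                 # backslash escapes the next char
            i += 2
            continue
        out.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def literal_is_safe(value: str, standard_conforming_strings: bool) -> bool:
    """True iff quote_sql_string(value), followed by more SQL, is read back as
    one literal equal to `value` with that trailing SQL untouched. A False
    result means the quoted value altered the statement's structure, which is
    exactly the failure mode parameterized queries remove."""
    tail = " AND status = 'active'"  # constructed trailing SQL
    sql = quote_sql_string(value) + tail
    try:
        decoded, rest = lex_literal(sql, standard_conforming_strings)
    except ValueError:
        return False
    return decoded == value and rest == tail
```

A value ending in a backslash (a plain Windows path, not an attack string) is enough to show the difference: with standard_conforming_strings on the literal round-trips, with it off the closing quote is swallowed and the statement's boundaries move.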