Sorry, too, for the delay in response....
> On 11 Feb 2018, at 16:49 , Peter Rabbitson <rabbit+d...@rabbit.us> wrote:
> Yes, this is a legitimate problem, thank you for finding and reporting it! (
> although in the future please consider contacting an author directly in
> private when a potential vulnerability has been identified - doing so
> publicly is somewhat suboptimal )
I know, I was not sure how to report or ask about this. In this case I didn't
see it like a bug/security problem in DBIx::Class itself - it's a) me passing
on arbitrary data structures from users without checking and b) SQL::Abstract
doing unexpected things. I thought if I had been aware I'd have taken more
care, and that way more people would be aware, too. But I'll report things like
that privately in the future.
> A solid fix for all of the above ( and potentially similar issues ) would be
> to augment the already-existing injection guard  to explicitly look for
> qr/ \b (?: SELECT | UPDATE | DELETE | INSERT ) \b /ix
> I suspect this should go into the default set shipped with SQL::Abstract,
> but have not yet done any testing / analysis of how much impact this would
> As a first step I'd recommend you contact the mojolicious people with this
> workaround, as they currently seem to be the primary driver behind SQLA
Will do, at the moment work's not leaving me much time (as you might've guessed
from my response time), but there's some light on the horizon.
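Wiring the proposed guard into SQL::Abstract directly, as an added example that is not part of this thread: it uses SQL::Abstract's `injection_guard` constructor option, a hypothetical `users` table, and a constructed untrusted `where` hashref standing in for the "arbitrary data structures from users" mentioned above.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): compare SQL::Abstract's stock guard with
# the augmented keyword guard proposed above. Assumes SQL::Abstract is installed.
use strict;
use warnings;
use SQL::Abstract;

# The default guard only refuses ';' and a leading 'GO'; this regex additionally
# refuses any operator string carrying a SELECT/UPDATE/DELETE/INSERT keyword.
my $keyword_guard = qr/ \b (?: SELECT | UPDATE | DELETE | INSERT ) \b /ix;

my $default = SQL::Abstract->new;
my $guarded = SQL::Abstract->new( injection_guard => $keyword_guard );

# Constructed untrusted input: the hash key in the operator position is emitted
# into the statement verbatim, so a caller passing user data through unchecked
# hands the user control over the SQL text, not just the bind value.
my $untrusted_where = { name => { '= (SELECT 1) OR 1' => 'x' } };

# Build the statement and report whether the guard let it through.
sub try_select {
    my ($sqla, $where) = @_;
    my ($sql, @bind) = eval { $sqla->select('users', '*', $where) };
    return $@ ? "REJECTED: $@" : "BUILT: $sql";
}

print "default guard: ", try_select($default, $untrusted_where), "\n";
print "keyword guard: ", try_select($guarded, $untrusted_where), "\n";

# Ordinary operators are unaffected by the stricter guard.
print "legit:         ", try_select($guarded, { name => { -like => 'a%' } }), "\n";
```

The stricter guard only narrows what an operator may contain; validating user-supplied structures before they reach the query builder remains the caller's job, as the reply above acknowledges.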